EvilOctal Security Team Technical Discussion Group's Archiver

EvilOctal 2005-1-12 02:37

[Repost] How Much Security Is Enough

Source: [url]www.cert.org[/url]

CEOs, CSOs, and system administrators may dream about achieving a state of complete organizational security, but pragmatically they realize this is unrealistic. However, it is feasible for an organization to define a state of adequate security. This article describes how an organization can address the question 'How much security is enough?'.
Creating adequate security from an operational standpoint means more than complying with regulations or implementing best practices. Formulating the concept of adequate security helps define the benefit and ideal outcome for security investment and must occur in the context of the security risks to an organization's mission and objectives.

One approach to defining an adequate or appropriate level of security is to compare and contrast it with a theoretical state of absolute security. We define this as an ideal condition where all security requirements [1] for critical business processes and assets are satisfied (assuming an organization has identified these as a worthy investment).

So, in this context, how might one define and determine adequate security?

Adequate Security Defined, Part One: To a great extent, determining adequate security is about determining and managing risk [2]. Where possible, an organization satisfies the security requirements for its critical business processes and assets. Where this is not possible, security risks to such processes and assets are identified, mitigated, and managed at a level of residual risk that is acceptable to the organization. "Appropriate business security is that which protects the business from undue operational risks [3] in a cost-effective manner." [Sherwood 03]

Questions to Ask: Determining adequate security depends on what an organization needs to protect and what it needs to prevent. What questions does an organization need to ask to define and scope adequate security? Consider the following questions from an enterprise perspective (not just an IT perspective):

What needs to be protected? Why does it need to be protected? What happens if it is not protected?
What potential adverse consequences need to be prevented? At what cost? How much disruption can we stand before we take action?
How do we effectively manage the residual risk when protection and prevention actions are not taken?
The answers to these questions can help determine how much to invest and where to invest it. They serve as one means to begin to identify risks to the enterprise and the degree of risk exposure.

Enterprise Risk and Enterprise Security Risk: COSO [4] defines risk as "the possibility that an event will occur and adversely affect the achievement of objectives." [COSO 04] Considering the magnitude and range of potential adverse effects helps to answer questions about prevention, degree of disruption, and degree of protection.

Enterprise risks worth considering can be categorized as financial (including credit), legal and compliance, operational, market, strategic, information, technology, personnel, and risk to reputation. Enterprise security risks that derive from these may include those that damage stakeholder trust and confidence, affect customer retention and growth, violate customer and partner identity and privacy, disrupt the ability to offer and fulfill business transactions, and, in the case of medical records and patient information, cause adverse health effects and loss of life.

While this article focuses on the negative consequences resulting from realized security risks, organizations also need to consider how investment in security can enable an organization to act on new opportunities to better achieve business objectives. These may include

communicating with customers in a more cost-effective and timely manner
enabling transactions with greater integrity and privacy (thus increasing business throughput, customer satisfaction, and customer confidence, which can all help create customer loyalty)
providing more secure access by sales staff to enterprise applications
interacting in a more timely and reliable way with the organization's supply chain
For example, if an organization diligently protects a customer's personal information, privacy, and identity, and if the customer knows this through their experience doing business with the company, they are more likely to increase their internet-based interactions. Transactions may include purchasing products and services and using help and customer assistance online (assuming these are offered in an understandable and user friendly manner), instead of placing a phone call or visiting a physical location. In most cases, transactions can be accomplished quickly with little to no requirement for human interaction, resulting in cost and time savings for both parties.

Adequate Security Defined, Part Two: Enterprise Security State: We assert that defining a desired state of enterprise security defines a level of adequate security:

A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.
Protection strategies include principles, policies, procedures, processes, controls [5], and performance indicators and measures.

An asset is anything of value to an organization. Assets include information such as enterprise strategies and plans, product information, and customer information; technology such as hardware, software, and IT-based services; and supporting assets such as facilities and utilities. Critical assets are those that directly affect the ability of the organization to meet its objectives and fulfill its critical success factors [Caralli 04a].

A process is a systematic series of progressive and interdependent actions or steps by which an end result is obtained. Business processes create the products and services that an organization offers and can include customer relationship management, financial management and reporting, and managing relationships and contractual agreements with partners, suppliers, and contractors.

Risk appetite is defined by COSO as ". . . the amount of risk, on a broad level, an entity is willing to accept in pursuit of value (and its mission)." Risk appetite influences the entity's culture, operating style, strategies, resource allocation, and infrastructure. [COSO 04] Defining the organization's risk appetite is an executive decision. It is undertaken in conjunction with evaluating alternative business models in pursuit of the organization's goals and objectives. Management assesses the alternatives, sets objectives aligned with strategy, develops business processes to accomplish the plan, and manages any inherent risks.

Risk tolerances are defined by COSO as ". . . the acceptable levels of variation relative to the achievement of objectives, and are often best measured in the same units as the related objectives." [COSO 04] In defining acceptable levels of variation, risk tolerance defines and delineates the range of impact and corresponding risk to the organization. This is embodied in defining and using impact and risk evaluation criteria - which can be expressed both qualitatively and quantitatively. Risk tolerance could be defined as the residual risk the organization is willing to accept after implementing risk mitigation and monitoring processes and controls. One way to express this is to define high, medium, and low levels of residual risk. An example is a policy to conduct prioritized mitigation for high and medium level risks and to accept (monitor) low level risks as the default condition.

With risk appetite and risk tolerances defined, how does the organization manage different levels of inherent and residual risk? How does an organization prioritize risks requiring mitigating actions? In quantitative terms, what 'value at risk' is acceptable?

Example of Risk Appetite and Risk Tolerance: A retailer decides to enter the e-commerce marketplace but has a low risk appetite relative to its relationship with existing customers, particularly with respect to fulfilling orders promptly and accurately. To protect these relationships, management allocates necessary resources (people, processes, technology) to ensure that (1) order-to-delivery response times meet or exceed defined targets and (2) order fulfillment accuracy meets or exceeds defined criteria. Management is now conducting business on-line and has installed the resources needed to protect its reputation for timely and accurate fulfillment of customer orders. It has set a target for delivery within seven days of accepting orders and has guaranteed delivery within two weeks by a statement on its web site. However, how much variation is management willing to tolerate with respect to delivery and order accuracy targets? Is a five-day average variance around the delivery target too much? The level of variation relative to achievement of objectives is known as the risk tolerance.

A security state as defined above is constantly changing due to business and risk environments and the variation in risk tolerance that management is willing to accept; thus it is dynamic, not static. Effectively achieving and sustaining adequate security based on this definition is a continuous process, not a final outcome. Thus processes to plan for, monitor, review, report, and update an organization's security state must be part of normal day-to-day business conduct and risk management. This includes documenting this state as part of strategic and operational plans.

Relating Security State to Adequate Security: So with the benefit of this description, a useful way to address the question "How much security is enough?" is to first ask "What is the definition of the enterprise security state?"

What are our critical assets and business processes? What are the organization's risk tolerances and risk appetite with respect to these in general?
Under what conditions and with what likelihood are assets and processes at risk? What are the possible adverse consequences and impacts if a risk is realized? Do these risks fit within our risk appetite and risk tolerances?
In the cases where risks are beyond these thresholds, what actions do we need to take to mitigate and with what priority? Are we making conscious decisions to accept levels of risk exposure and then effectively managing residual risk? Have we considered mechanisms for sharing potential risk impact (for example, via insurance or with third parties)?
For those risks we are unwilling or unable to accept, what protection strategies do we need to put in place? What is the cost/benefit or return on investment of deploying these strategies?
How well are we managing our security state today? How well will we manage our security state 30 days, six months, and one year from now? Are we updating our understanding and definition of our security state as part of normal planning and review processes?
Example: One of ABC, Inc.'s critical assets is the customer contact database, which includes order history. This is used actively in targeted marketing and sales processes with exceptional results (repeat sales). It has taken three years of staff effort to build and populate this database at an estimated cost of US$1M. Ongoing operations and maintenance costs including the protection strategies described below are US$200,000.

There are specific events, impacts, and consequences that ABC needs to prevent. Competitors regularly attempt to obtain access to or a copy of this information [high risk]. Management is sensitive to the risk of disclosure by sales and marketing staff who are approached by competitors to share this information for personal financial gain [medium risk]. Third party intruders have threatened to obtain access to and disclose this information on the Internet [low risk]. While ABC believes they offer superior service thus engendering customer loyalty in the face of competitive pressure to switch, they place the value at risk at US$10M [risk appetite].

Security requirements for this asset include zero tolerance on unauthorized disclosure (violation of confidentiality), continuous validation of data integrity (by automated comparison with a trusted, securely stored version), and 99.999 per cent availability [risk tolerances].

Protection strategies include

principles and policies that state these requirements and risk tolerances for this asset
clear assignment of roles and responsibilities and periodic training for staff and managers involved in protecting this asset
an infrastructure architecture that fulfills these requirements, meets these risk tolerances, and implements effective controls (strong authentication, firewalls including ingress and egress filtering, enforcement of separation of duties, automated integrity checking, hot backups, etc.)
regular review and monitoring of relevant processes, and performance indicators and measures including financial performance and return on investment; regular review of new and emerging threats, and evaluation of levels of risk
regular audit of relevant controls and timely resolution of audit findings
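As an added illustration (not part of the CERT article or of this forum post), the following Python applies the tolerance policy described earlier in the article (prioritized mitigation for high and medium residual risks, accept-and-monitor for low ones) to a risk register constructed from the three threats in the ABC, Inc. example, and checks the 99.999 per cent availability requirement against a measured downtime figure. The likelihoods, impacts, mitigation factors and the high/medium band thresholds are assumptions chosen so that the three threats land in the high, medium and low bands the article assigns; only the US$10M value at risk and the 99.999 per cent target come from the article.

```python
"""Risk-tolerance policy applied to a small risk register, in the terms the
article uses: risk levels (high/medium/low), a value at risk, a policy to
mitigate high and medium risks and accept (monitor) low ones, and the 99.999%
availability requirement for ABC, Inc.'s customer contact database.

All likelihoods, impacts, mitigation factors and band thresholds below are
constructed for illustration; the article gives only the qualitative levels,
the US$10M value at risk and the availability target.
"""
from dataclasses import dataclass, replace

VALUE_AT_RISK_USD = 10_000_000.0   # from the article's ABC, Inc. example

# Assumed quantitative evaluation criteria: a risk is rated by its expected
# annual loss (likelihood x impact) as a share of the value at risk.
HIGH_SHARE = 0.10
MEDIUM_SHARE = 0.01


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float    # assumed probability of realization within one year
    impact_usd: float    # assumed loss if the risk is realized


def expected_loss(risk: Risk) -> float:
    return risk.likelihood * risk.impact_usd


def risk_level(risk: Risk, value_at_risk: float = VALUE_AT_RISK_USD) -> str:
    share = expected_loss(risk) / value_at_risk
    if share >= HIGH_SHARE:
        return "high"
    if share >= MEDIUM_SHARE:
        return "medium"
    return "low"


def apply_tolerance(register, value_at_risk=VALUE_AT_RISK_USD):
    """The article's policy: prioritized mitigation for high and medium
    risks, accept-and-monitor for low risks. Returns (name, level, action)
    in priority order (largest expected loss first)."""
    ranked = sorted(register, key=expected_loss, reverse=True)
    decisions = []
    for r in ranked:
        level = risk_level(r, value_at_risk)
        action = "accept-and-monitor" if level == "low" else "mitigate"
        decisions.append((r.name, level, action))
    return decisions


def residual_register(register, mitigations):
    """Apply a (constructed) likelihood reduction factor per risk name and
    return the residual register as it would look with controls in place."""
    return [replace(r, likelihood=r.likelihood * mitigations.get(r.name, 1.0))
            for r in register]


def within_tolerance(register, value_at_risk=VALUE_AT_RISK_USD) -> bool:
    """Residual risk is acceptable when every remaining risk rates 'low'."""
    return all(risk_level(r, value_at_risk) == "low" for r in register)


def allowed_downtime_minutes(availability: float) -> float:
    """Minutes per year an availability target permits (365-day year)."""
    return (1.0 - availability) * 365 * 24 * 60


def availability_ok(downtime_minutes: float, target: float = 0.99999) -> bool:
    """True when measured yearly downtime stays within the target."""
    return downtime_minutes <= allowed_downtime_minutes(target)


# Constructed register mirroring the three threats in the ABC, Inc. example.
REGISTER = [
    Risk("competitor access or copy", likelihood=0.50, impact_usd=3_000_000),
    Risk("insider disclosure for gain", likelihood=0.10, impact_usd=3_000_000),
    Risk("third-party intruder disclosure", likelihood=0.05, impact_usd=1_000_000),
]

# Constructed effect of the protection strategies (egress filtering,
# separation of duties, strong authentication, ...) on each likelihood.
MITIGATIONS = {
    "competitor access or copy": 0.05,
    "insider disclosure for gain": 0.25,
}

if __name__ == "__main__":
    for name, level, action in apply_tolerance(REGISTER):
        print(f"{name:32s} {level:6s} -> {action}")
    residual = residual_register(REGISTER, MITIGATIONS)
    print("residual within tolerance:", within_tolerance(residual))
    print(f"99.999% allows {allowed_downtime_minutes(0.99999):.2f} min/year of downtime")
```

Run as-is, the inherent register rates the competitor threat high and the insider threat medium, both queued for mitigation, while the intruder threat is accepted and monitored; after the constructed mitigation factors every residual risk falls into the low band, which is the "acceptable residual risk" condition the article describes. The availability helper makes the 99.999 per cent figure concrete: roughly 5.26 minutes of downtime per year, a useful sanity check before signing up to such a tolerance.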
Future articles in this series will build on the topics discussed here. We welcome your critique and feedback on this article and any others in the Governing for Enterprise Security series. Please send your remarks to Julia Allen at [email]jha@cert.org[/email].

Notes

[1] Security requirements typically include preserving appropriate levels of confidentiality, availability, and integrity.

[2] Adequacy and Risk Management as principles of governing for enterprise security were first introduced in Protect Stakeholder Interests.

[3] According to Basel II, operational risks are risks of loss resulting from inadequate or failed internal processes, people, and systems or from external events. [[url]http://www.bis.org/publ/bcbs107.htm[/url]]

[4] The Committee of Sponsoring Organizations of the Treadway Commission

[5] Controls can be preventive, detective, and corrective.


References

[Alberts 02] Alberts, Christopher; Dorofee, Audrey. Managing Information Security Risks: The OCTAVE Approach. Addison Wesley, July 2002. Supporting publications are available at [url]http://www.cert.org/octave/pubs.html[/url].

[Caralli 04a] Caralli, Richard et al. "The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management" (CMU/SEI-2004-TR-010). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2004. Available at [url]http://www.cert.org/archive/pdf/04tr010.pdf[/url].

[Caralli 04b] Caralli, Richard et al. "Managing for Enterprise Security." CMU/SEI Technical Note, Draft under development. Software Engineering Institute, Carnegie Mellon University, 2004.

[COSO 04] The Committee of Sponsoring Organizations of the Treadway Commission. "Enterprise Risk Management - Integrated Framework." September 2004. The executive summary and ordering information are available at [url]http://www.coso.org[/url].

[Sherwood 03] Sherwood, John; Clark, Andrew; Lynas, David. "Systems and Business Security Architecture." SABSA Limited, 17 September 2003. Available at [url]http://www.alctraining.com.au/pdf/SABSA_White_Paper.pdf[/url].

© 1999-2008 EvilOctal Security Team