A Model for Information Security Assurance
July 16, 2008
Information Security is a complex field, and when it comes time to evaluate third parties and/or undertake due diligence during merger and acquisition activities, a lot of time and effort is involved.
Most organisations will start by deploying a questionnaire, and its length will vary with the fastidiousness of the organisation. The bottom-up approach is to request a vulnerability assessment.
There are many existing standards for providing assurance in Information Security and this model attempts to bring some together to provide a sanity check of the core components addressed by a sample of these standards.
More in-depth compliance statements or reports on internal control should support this model, such as an ISO 27001 Certificate of Compliance, a SAS 70 Type II Report and/or a SOX 404 Assessment.
Demonstrating compliance with open standards that represent significant parts of an information security programme should start to reduce, but unfortunately will not eliminate, the need for the relentless questionnaires.
The model introduces the concept of grading each component. You may make risk-based assessments of deviations from business requirements and choose to increase the assurance in one area to mitigate weaknesses in another. The grades are:
- Little or No Confidence/Assurance
- Some Confidence/Assurance
- Reasonable Confidence/Assurance
- High Confidence/Assurance
Identity Proofing
- A single identity assertion is provided e.g. date of birth
- Controlled identity assertion and the individual is notified
- Use of an identity proofing service to catch exceptions
- Use of an identity proofing service to verify all assertions
More Info: Liberty Alliance and blog post on Identity Management
Authentication
- Reference to a single identity assertion i.e. not a secret
- One factor authentication e.g. password
- Multi factor authentication e.g. two factor token
- Cryptographic token that binds identity to transaction
More Info: Liberty Alliance and Initiative for Open AuTHentication (OATH)
Access Control
- Users are directly assigned resources
- Users are assigned multiple IT Groups e.g. for each application
- Users are assigned Business Roles that contain multiple IT Groups
- Role hierarchy enforces system rules e.g. Segregation of Duties
More Info: US National Institute of Standards and Technology (NIST) and blog post on Role Based Access Control
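An added example, not part of the original post, of the top two Access Control grades in this model: business roles that bundle IT groups, a role hierarchy, and a Segregation of Duties rule checked against inherited roles so the hierarchy cannot be used to slip past it. The role, group and user names are constructed.

```python
class RoleModel:
    """Business roles bundle IT groups; senior roles inherit junior roles."""
    def __init__(self):
        self.groups = {}     # role -> IT groups granted directly
        self.juniors = {}    # senior role -> junior roles it inherits
        self.exclusive = []  # role pairs no single user may hold (SoD)
        self.assigned = {}   # user -> roles assigned directly

    def add_role(self, role, groups=(), inherits=()):
        self.groups[role] = set(groups)
        self.juniors[role] = set(inherits)

    def add_sod_rule(self, role_a, role_b):
        self.exclusive.append(frozenset((role_a, role_b)))

    def effective_roles(self, roles):
        """Transitive closure of a role set under the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, user, role):
        """Grant a role unless the user's effective roles would break an SoD rule."""
        candidate = self.effective_roles(self.assigned.get(user, set()) | {role})
        for pair in self.exclusive:
            if pair <= candidate:
                raise PermissionError(f"SoD violation for {user}: {sorted(pair)}")
        self.assigned.setdefault(user, set()).add(role)

    def user_groups(self, user):
        """IT groups the user reaches through every held or inherited role."""
        roles = self.effective_roles(self.assigned.get(user, set()))
        return set().union(*(self.groups.get(r, set()) for r in roles))


def demo():
    # Constructed accounts-payable case: entering and approving invoices must stay separate.
    m = RoleModel()
    m.add_role("ap_clerk", groups={"erp_invoice_entry"})
    m.add_role("ap_approver", groups={"erp_invoice_approve"})
    m.add_role("ap_manager", groups={"erp_reports"}, inherits={"ap_approver"})
    m.add_sod_rule("ap_clerk", "ap_approver")
    m.assign("alice", "ap_clerk")
    m.assign("bob", "ap_manager")
    try:
        m.assign("alice", "ap_manager")  # inherits ap_approver, so refused
        blocked = False
    except PermissionError:
        blocked = True
    return m.user_groups("bob"), blocked
```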
Encryption
- Encoding e.g. not readily readable but easily translated
- Proprietary algorithm e.g. not independently evaluated
- Standard algorithm & protocol e.g. AES/DES3/SHA/MD5 & S/MIME/SSL/SSH
- Independently evaluated e.g. Common Criteria or industry program
More Info: Common Criteria (CC)
Audit/Event Management
- Application based logging
- Centralised logging
- Correlation and alerts/reporting
- Active remediation
More Info: No standards yet (?) - Watch this space and in the meantime read blog posts on Information Security programme scorecards, metrics and SEM.