Business Daily from THE HINDU group of publications, Monday, Feb 12, 2007
eWorld

A new view of security

Vinson Kurian
Vicente Aceituno Canal
"What you cannot measure, you cannot manage. What you cannot manage, you cannot improve." This logic, which takes recourse to some crunching of numbers, is now being extended to the art and science of managing information security to enable business. How does one use 'metrics' (numbers), which are basically performance indicators, for information security management? The answer is ISM3 (pronounced ISM Cubed). ISM3 stands for Information Security Management Maturity Model, and is quick to prompt comparisons with the Capability Maturity Model (CMM) for software.

ISM3 is the brainchild of Vicente Aceituno Canal, who is based in Spain. He started writing ISM3 in 1999 after learning that existing information security approaches focused only on telling the practitioner 'what to do'. ISM3 is written to answer not just this question but also 'how to go about doing it' and 'how to assess how good you are at it'. Out of this flowed the concept of a "process-oriented approach", where each process would be measured using metrics to determine its efficiency.

An Indian partner, Anup Narayanan of First Legion Consulting based in Bangalore, assisted Vicente with his pioneering work. According to Narayanan, the ISM3 community is abuzz with excitement after the formation of an international ISM3 consortium based in Madrid, Spain. The founding members of the consortium are drawn from the US, Canada, Spain, Colombia and Scotland, besides India (First Legion Consulting).

eWorld spoke to Vicente on his team's initiative. Excerpts from the chat:

The following activities are essential to an information security management system (ISMS) framework. How does ISM3 differ in approach while addressing these?

Hiring and termination of employees in an organisation.

The main difference between ISM3 and other approaches is the level of detailing used to describe these activities.
ISM3 specifies the processes for hiring as well as for terminating (on disciplinary grounds), explaining what they aim to achieve, how they contribute to realising the larger goals of the ISMS and of the company, what the expected outcomes are, how to measure them and how they compare with relevant standards for HR management, as in P-CMM. The increased level of detailing leaves companies in a far better position with regard to implementing processes that are integrated both in the ISMS framework and in HR practices.

Information sharing with contractors, vendors, subsidiaries and partners.

Unlike other approaches, ISM3 sees information security as resulting from the achievement of business goals regardless of accidents, attacks and errors. For this reason, information sharing is not seen as a risk that should be prevented, but as a business need that has to be regulated. Sharing information with the concerned parties satisfies a business need, but the gains would be limited given the need to comply with laws pertaining to securing personal data, for instance. ISM3 lets you quantify these needs and limitations in such a way as to define the success of your ISMS in terms of the achievement of these goals, among others.

ISMS certification would be the way ahead for Indian BPOs to establish trust relationships with their overseas clients. ISM3 can play an important role in this field, since it will enable companies to make their partners realise not only that a standard has been followed, but also the extent to which they have sought to protect the information the partners share with them.

Design and architecture of an enterprise network.

The differentiator here is the management focus of ISM3. Architecture can't be separated from management responsibility. You just can't expect a manager and a team to use wildly different kinds of protection for every single item under their responsibility.
For this reason, the basic building block considered by ISM3 is the "environment": this refers to all systems under the same management responsibility but falling within prescribed borders. ISM3 processes are applied to environments, not to individual systems nor even to whole companies. This simplifies day-to-day work, and helps customise processes to the business needs of the environment. It doesn't make sense to expect the same kind of protection in a production environment and in a development environment, or even among different countries with different Internet exposures.

Characterisation of plausible threats and key assets that are to be protected.

ISM3 takes a holistic approach to threats. Threats are not just attacks, or people trying to sabotage your systems. Threats are anything that can prevent your business goals from being realised, like errors and accidents. A badly designed interface that doesn't prevent an operator from making a fatal error is seen as a threat (pilots are prevented from attempting dangerous manoeuvres with their planes, for instance). Hardware failures, which are unintentional, are seen as a threat too. Key environments are easier to identify and to protect than key assets, and this approach is expected to best suit the needs of the complex information systems used these days. A key environment is one where the systems supporting your business goals are located.

The intent of malicious activity is shifting away from notoriety towards profit. As a standard, does ISM3 have any security framework to address this?

ISM3 is focused on management. This means that it is not concerned with variables that are both 'unknowable' and 'unactionable'. It is obvious that the more resources available to attackers and the more willing they are to use them against a company, the more resources the company would need to deploy to protect itself. But, let's face reality.
In the corporate sector, you will find that only certain kinds of companies face focused attacks and bribes, for instance, the online casinos. Do they model attackers? No, they just seek to protect themselves to the best of their ability with available resources. This is exactly the approach of ISM3: enabling companies to get the best possible protection from the resources available for information security.

More than 41 per cent of IS budgets is spent on personnel, including salaries and benefits, and education and training. Will ISM3 help manage resources for information security management?

The way ISM3 managers can do this is by using metrics. The CEO will be able to know not merely whether the ISMS is compliant (certified), but also whether it is successful. This will help CEOs make decisions about changing the objectives of the ISMS (the company's risk appetite) or tinkering with the level of investment in IS. One other way ISM3 helps is by enabling the outsourcing of IS processes. As outcomes and metrics are well defined, one can compare outsourcing services with in-house processes, and even enter into service level agreements (SLAs) with providers without having to reinvent the wheel every time.
The aim - achievable security

Unlike current information security standards, ISM3 is licensed under the 'Creative Commons' licence, which means it can be freely downloaded and used. The standard is available from www.ism3.com, says Canal.

ISM3 uses a maturity-based model that divides information security management into five levels of maturity. An organisation may opt for a particular level based on the resources (money, time or people) that it has. It uses different models to help identify information flow and information assets in the organisation, so the concerned practitioner will know exactly what to protect.

ISM3 divides information security management responsibilities into strategic, tactical and operational levels. Each level corresponds to the respective management level in the organisation: strategic management to people who authorise resources for information security; tactical management to those who oversee usage of resources; and operational to those who use the resources. It also provides an inventory of security processes that corresponds to each of these layers of management. "And this brings one to the crowning glory: each process getting linked to metrics, and the beauty of the standard revealing itself in predefined templates for all processes with metrics filled!" says Canal.

The principal approach of ISM3 is 'achievable security', which means security must be proportional to business needs. For instance, a graphic design company may see little point in putting its executives through three different types of authentication before they can log in, but a BPO with a bank as a customer may require it. Similarly, a start-up company may not be able to spend huge resources on security, as against an MNC.
These are all different aspects of an IS management system at Level 5 of ISM3. Risk management is all about identifying threats and helping your ISMS evolve to reduce risk with the minimum cost. This is the TSP-12 process. Business continuity management is enshrined in OSP-15 and forensics in OSP-25. ISM3 links every ISMS process so you can check what outcomes are generated from each process being deployed as inputs for other processes. So, they are all linked, in a manner of speaking.
What is the level of compliance that ISM3 supports in relation to regulations such as the Sarbanes-Oxley and Basel II?
What ISM3 does do is to provide the foundation (Security in Context Model) for a business to use its working, compliance and technical needs and limitations for designing an ISMS around itself in an integrated manner. So all these aspects are not considered and managed separately. This is also an example of how the Security in Context Model is more useful than the erstwhile Confidentiality-Integrity-Availability triad.
Copyright © 2007, The Hindu Business Line.