Human Element of Info Risk Management
Continuous Monitoring, Education Seen as Critical
"At State, we implemented a continuous-monitoring program for people," George Moore, who joined the State Department in 2006 as chief computer scientist, says in a panel discussion moderated by Information Security Media Group's Eric Chabrow (transcript below). State's program includes daily security tips that are sent to employees, who are then quizzed on the information provided.
For Rebecca Herold, principal at privacy and compliance consultancy Rebecca Herold and Associates, most incidents, including data breaches, come down to the failures of humans, often due to a lack of awareness. "That's something that organizations need to make sure that they have the documented policies and procedures in place that address the risk," she says.
It's essential for organizations to implement continuous monitoring of people and technology. "Ongoing monitoring ... is really a response to the changing threat environment and the need for organizations to implement stronger controls in response to the capabilities of ... adversaries," says John Carlson, executive vice president of BITS with oversight of the organization's cybersecurity and fraud prevention initiatives.
In the first of a two-part presentation of the roundtable, the panelists discussed:
- Implementing continuous monitoring programs;
- Managing risk of widespread use of mobile technology;
- Handling the human element of information risk management.
The fourth panelist is Ron Ross, chief author of the National Institute of Standards and Technology's security controls guidance, who leads NIST's Federal Information Security Management Act compliance team.
Information Risk Management
ERIC CHABROW: Ron, what do you see are the hot issues of information risk management today?
RON ROSS: There are some clear trends emerging in the cybersecurity risk-management field that have been going on now for the past year or two. Certainly the one that comes to the top of the stack is the movement from the federal government and our contractors to more of the continuous-monitoring view of cybersecurity and risk management. We're transitioning from what used to be more of a static process to include our old certification and accreditation process, and we're now using automation and other techniques to understand what's the security state of our systems on an ongoing basis so we can respond better to some of the very sophisticated cyber attacks that are currently ongoing on our federal information systems, as well as those systems in the private sector.
CHABROW: George, do you want to take a stab at that?
GEORGE MOORE: I think Ron hit that on the head. Our job at State is to try to find ways to implement that continuous monitoring and provide the right balance between coverage of all of the controls and timeliness of the testing to create an effective response. But in general, what we have to do is identify what we want the desired state of the system to be, what the actual state is, what the differences are and then find ways to motivate people to bring the actual state more in line with the desired state.
CHABROW: John, are you seeing something similar in the financial-services sector?
JOHN CARLSON: I think that the wrinkle with the financial-services sector is that we have to continuously balance convenience, access and cost in the risk-management environment. Again, our firms, financial institutions, are providing products and services to customers in a constantly evolving risk environment, plus there is the added addition of new technologies that are constantly being introduced into the environment to make that interaction more convenient, faster or a lower cost, so we're seeing a lot of new challenges with respect to implementation of mobile computing, the continuous issues we've had for many years with malware and the advanced persistent threats in terms of looking at some of the new threat environments, and certainly, last but not least, is the fairly extensive regulatory environment that the financial-services industry has had in place and has accelerated in recent years in response to the financial crisis from several years ago.
Healthcare Info Risk
CHABROW: Rebecca, there's a perception among some that maybe the healthcare field is not as advanced as government and financial services. Are these the same problems or are there more fundamental problems when it comes to information risk assessment among the healthcare providers?
REBECCA HEROLD: The problems go across all industries. When you think about it and look back, you used to come from an area where you had all your data in a centralized area and you had the dumb terminals that were not capable of storing data. Now, we have literally every day, almost, new technologies being introduced. We have more people handling the data at the endpoints and it's proliferating. We're having new types of storage areas, new types of endpoints all the time. We have new types of services that are involving, increasingly more, outsourcing, so we have many more entities than ever before that are getting access to data that you used to have in one little area, or one isolated area, that had a huge amount of storage.
Now you have data in many different places, so when you're looking at the risk, of course the risks have multiplied dramatically because there are more areas for risk that exist now. With regard to healthcare, you're talking about an environment, especially with healthcare providers, where you have a much different type of risk than you have in other types of industries. Of course, every industry has its own unique challenges, but when you're talking about securing data in a hospital, you're talking about having data that's out there and you have patients that also might have access, you have visitors that might have access. When I hear or see written that healthcare is coming way behind, I don't necessarily agree with that. I think the healthcare industry - particularly in the provider area - they just have some unique challenges that some other types of industries don't have. Now certainly, they need to address them, but I wouldn't say they care less about risk. In fact, all the providers I've talked to truly do care about it; they're just trying to keep up with all these new challenges that they face.
Newer Areas of Risk
CHABROW: Rebecca, you mentioned that there were more areas of risk, and maybe this question could be for all of you. What are some of these newer areas, if there are newer areas, of risk? Is it something that's fundamentally changing about the way people look at information as it deals with their organizations, or is it just more things happening?
ROSS: Let me jump in on that one. I wanted to dovetail on what Rebecca talked about earlier. One of the risks that we talk about in our new 800-39 publication, the enterprise-wide risk management, is the notion of complexity, and Rebecca was talking about the vast amounts of data that we have now being distributed across these multiple data centers with cloud computing and all the new things that are going on - mobile - and one of the questions I had for George, John and Rebecca is: How are your organizations handling this complexity? Because we actually see this as being fairly debilitating with regard to implementing good cybersecurity programs, and one of the things we're trying to do is get a handle through enterprise architecture and some of our good developmental techniques to kind of reduce the amount of complexity so our cybersecurity professionals can have a better opportunity to defend what we do have, and I just wanted to get your thoughts on that.
CARLSON: At least within the financial services sector, it really begins with a look at corporate governance structures and making sure you have the right means for managing these risks. I think the next level really has to do with making sure you're structuring the right types of collaboration in order to solve the problems, and closely related to that collaborative point is the need to have strong supplier-risk programs, because increasingly, you're relying upon many different partners to deliver the products and services, either behind the scenes, at the back-end, or increasingly, as one of the other speakers mentioned, from the device manufacturers that the consumer owns - that the bank doesn't own, but the consumer owns. We found some of the work that BITS has gotten involved in has been trying to structure those collaborations with other parties to try to solve some difficult problems. Oftentimes, that involves working with government agencies, whether it's the law-enforcement agencies, and some work that we had done on account-takeover problems that we were seeing, particularly with commercial account customers, led to an extensive amount of collaboration with merchants, with law enforcement, financial institutions and others to try to get a better handle on that problem. You really have to look at it as there's not a "one size fits all" solution, but a framework, at least for our sector, that's built upon risk management and trying to continue to provide the products and services in a way that's going to be cost-effective.
ROSS: Rebecca made the point that she felt that the health sector was more complex because the information is out there with the patients and the providers on the front lines, but if you're doing financial transactions over mobile phones and people are doing them over the Internet and point-of-sale terminals throughout the world, and at ATM machines throughout the world, isn't that more complex and more out there with the public perhaps than even the health sector?
CARLSON: I really cannot comment on comparing health versus financial services. I think they both have significant challenges with respect to access to information and protecting that information, both in storage as well as in transit. There's a huge chain that has to be involved and people that have to be provided with the authority to access information based on a need to know, as well as compliance with numerous privacy requirements, so I think the challenges are pretty significant in both sectors. In the financial-services industry, I think one of the things that's probably significantly different is the fact that we've had pretty robust regulatory requirements around security and data protection over many, many years. Some of those even date to an earlier time in terms of oversight of third-party providers that actually goes back to some regulatory requirements from the 1960s, so you have this long tradition within financial services around ensuring strong data controls, both behind the scenes as well as interactions with the customer.
HEROLD: Well, if I can address the mobile-computing aspect, I think a lot of people may not realize that in healthcare, mobile computing is very widespread, and in fact, there are hundreds, if not thousands, of apps right now being promoted to doctors and nurses and other types of caregivers. There are all sorts of cloud-computing services for healthcare providers, not to mention the insurers. The mobile-computing risks are pretty significant with healthcare, in addition to all of these other things. And I would like to say I do agree that that framework has to be very strong, and I would like to say there are three areas where I've seen over the years - some very vulnerable areas in most organizations. Now, number one, oftentimes organizations like to look at this as a technical problem only, but in most of the breaches that I've seen and helped with, it really comes down to human failings or human lack of awareness, so that's something that organizations need to make sure that they have the documented policies and procedures in place that address the risk.
But then not only do they have them, they have to have regular training and ongoing awareness because if your folks who are handling the information don't know what the policies are, don't know what the procedures are to follow, then how can you expect that they're going to be effective? You need that ongoing education in place, and that's lacking a lot of times, so that really is a risk factor.
Then for the third thing, it's sharing with so many other business partners now, and oftentimes, organizations think that if they address their business-associate risk within their contracts, they don't have to worry about things, but you really do need to have ongoing monitoring of those business partners that you've given access to, you've entrusted with your data, so that's something that I've been working on a lot, creating some ongoing monitoring tools to help have oversight for these types of business associates.
CHABROW: You make reference, Rebecca, to ongoing monitoring. Can you all address perhaps this ongoing monitoring of the people, as well as the continuous monitoring of systems and how that sort of jibes?
MOORE: At State, we implemented a continuous-monitoring program for people before we did it, or about the same time we did it, with technology. We call it Security Tips of the Day, and basically, every time someone logs in, at either the U.S. Agency for International Development or State, they receive a sound bite of security information and are quizzed on it once a day. Normally, those questions are sort of routine, procedural things, like Rebecca was talking about, but if there's an emerging threat, we have the ability to push out the same content to everybody in the organization within about 24 hours to let them know of emerging threats or that there are things that are seasonal or timely information. But that's incredibly important and how our system works mostly at the general-awareness level, but one needs the same kind of training for people who have special security roles as well.
CARLSON: I would further add to that. The theme of ongoing monitoring is really critical in financial services, as many of us go through our holiday shopping this time of year. Any time you use your credit card at an unusual supplier or unusual kind of chain of transactions, it will oftentimes trigger some sort of security or anti-fraud measure, that sometimes will escalate to the point where the credit-card company will actually call you to verify to make sure those transactions are legitimate. And so you see that at the retail level in terms of looking at trends, at fraud, that may be suspicious. You certainly have the requirements for financial institutions to know their customers; that's embedded in a number of different regulatory requirements. Probably the most significant was the USA Patriot Act around trying to detect anti-terrorism or anti-money-laundering type activities.
And then last are authentication requirements, which have been the focus of financial regulators on a number of different occasions over the last decade in terms of constantly ratcheting up the requirements for online authentication, particularly in light of the changing risk environment. The ongoing monitoring, to my mind, is really a response to the changing threat environment and the need for organizations to implement stronger controls in response to the capabilities of either adversaries - whether they're foreign governments, whether they're fraudsters, whether they're in the United States or, increasingly, overseas - and those are all very important controls in the security space.
ROSS: I wanted to touch on what both George and John talked about. I was glad to hear at the State Department they were focusing on the people part of the problem, too, as well as the technology part. That's really a critical aspect of continuous monitoring, as Rebecca indicated earlier. Our publication, the brand-new one that just came out on continuous monitoring - 800-137 - we talk a lot about monitoring what we call the three tiers of risk management, to include tier one, which is the governance and kind of where the risk-management strategy is formed at the organization level, down through tier two, which is where the enterprise architecture is developed, and then at tier three - as George talked about - a lot of the work at the State Department now, at the system level, making sure that the automated monitoring of controls occurs.
But there's an awful lot of monitoring that goes on beyond the technical side, as everyone's talked about, so understanding the current threat space, and having things like the organization governance set up and things like the enterprise architecture, how all of that is unfolding, we can learn a lot by having risk-aware processes that allow us to take the information that we get from the threat data and then use that to actually re-engineer certain missions or business processes that are more susceptible to cyber attacks, and with that, possibly modifying enterprise architecture, so the systems that we produce at tier three are a lot more defensible, they're more resilient to the cyber attacks. That necessarily can't always happen when you're only working at the tier-three level.
HEROLD: I'd like to offer that I think all of those things are excellent and definitely needed. To just give an example, some of the things that I've been doing - I mentioned all of those audits I did - what I found was that in almost all of the small organizations and most of the medium organizations, a big problem is the fact that they don't have anyone on staff that knows anything about security, privacy or compliance, or they have someone who's doing it that really isn't doing it to the level that's necessary.
What I'm doing with my service's system that I've created is actually creating this governance program that you talked about, where basically the system has the policies, procedures and, based upon what I learned in creating security and privacy-management programs, all the tasks that I need to do like a work plan. Basically, we have oversight over the small and medium businesses and as they're going through and modifying and customizing their policies and procedures and performing the tasks, this system tracks it all, and it logs all the changes and it requires that they get approval of an expert in security and privacy of their policies and procedures.
Then, what's really nice is, if they ever need to be audited by their business partner or by someone who's coming in for a regulatory review, all of this documentation - including their policies, procedures, ongoing tasks, where they say exactly what they've done with regard to security and privacy and risk management as one of those things - is right there, so they can give read-only access to an auditor so they can look at all of this documentation. I think that really helps them to understand what they need to do better, and it helps to make it much more transparent to anyone who's reviewing their program, so they can see exactly what's going on with regard to their risk-management program.
MOORE: That sort of system for the governance level is very valuable. One of the issues with continuous monitoring in a medium- or large-sized organization is the huge volume of data that it produces. I'm sure John has dealt with incidents in the financial sector, and he gave you a good example when he said that some of these indicators of fraud raise things up to one level, others raise them to another and others raise them to a level where they call you to find out if it's an issue of fraud. In any kind of continuous-monitoring program, it's essential to have something that automatically analyzes the risk, not requiring a human to do it so much, and pops the larger problems to the top so that they can be dealt with first, and that's really a critical part of these systems.
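The two ideas Moore raises in this part of the discussion, comparing a system's desired state with its actual state and then automatically ranking the differences so the largest problems surface first, fit together in one small piece of tooling. The following Python is an added illustration written for this page; it is not code from the State Department, BITS, NIST or any panelist. The host names, baseline values, control weights, asset criticality multipliers and escalation thresholds are all constructed for the example, and a host that has stopped reporting is treated as a finding in its own right rather than silently skipped.

```python
"""Desired-state vs actual-state comparison with automated risk ranking.

Added example (not from the panel). All hosts, values and weights below are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed baseline: the state each host is supposed to be in.
DESIRED = {
    "web-01": {"patch_level": "2023-11", "mfa_enabled": True, "open_ports": {22, 443}},
    "db-01": {"patch_level": "2023-11", "mfa_enabled": True, "open_ports": {5432}},
    "vpn-01": {"patch_level": "2023-11", "mfa_enabled": True, "open_ports": {443}},
}

# Constructed scanner output: what was actually observed today.
# Note that vpn-01 produced no report at all.
ACTUAL = {
    "web-01": {"patch_level": "2023-09", "mfa_enabled": True, "open_ports": {22, 443, 8080}},
    "db-01": {"patch_level": "2023-11", "mfa_enabled": False, "open_ports": {5432}},
}

# Assumed weights: how much a drift in each control matters on its own.
CONTROL_WEIGHT = {"mfa_enabled": 9, "patch_level": 6, "open_ports": 5}
# Assumed weight for a host that stopped reporting (a gap in monitoring coverage).
MISSING_REPORT_WEIGHT = 10
# Assumed asset criticality: the records database outranks the web front end.
ASSET_CRITICALITY = {"web-01": 1.0, "db-01": 2.0, "vpn-01": 1.0}


@dataclass(order=True)
class Finding:
    """One observed deviation from the baseline; ordering is by score only."""
    score: float
    host: str = field(compare=False)
    control: str = field(compare=False)
    detail: str = field(compare=False)
    tier: str = field(compare=False)


def tier_for(score):
    """Graded escalation (assumed thresholds), so humans see the worst items first."""
    if score >= 15:
        return "page-oncall"
    if score >= 8:
        return "ticket"
    return "report"


def compare(desired, actual):
    """Diff desired against actual and return findings, highest score first."""
    findings = []
    for host, wanted in desired.items():
        criticality = ASSET_CRITICALITY.get(host, 1.0)
        observed = actual.get(host)
        if observed is None:
            score = MISSING_REPORT_WEIGHT * criticality
            findings.append(Finding(score, host, "reporting", "no data received", tier_for(score)))
            continue
        for control, want in wanted.items():
            have = observed.get(control)
            if have == want:
                continue
            if have is None:
                detail = "control not reported"
                base = CONTROL_WEIGHT[control]
            elif isinstance(want, set):
                extra, missing = have - want, want - have
                detail = f"unexpected={sorted(extra)} missing={sorted(missing)}"
                # Each unexpected exposure (e.g. an extra listening port) adds weight.
                base = CONTROL_WEIGHT[control] * max(1, len(extra))
            else:
                detail = f"expected {want!r}, found {have!r}"
                base = CONTROL_WEIGHT[control]
            score = base * criticality
            findings.append(Finding(score, host, control, detail, tier_for(score)))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    for f in compare(DESIRED, ACTUAL):
        print(f"{f.score:5.1f}  {f.tier:<12} {f.host:<7} {f.control:<12} {f.detail}")
```

Run as a script, the disabled MFA on the database host lands at the top and pages on-call, the silent VPN host becomes a ticket, and the web host's stale patch level and extra port fall to the daily report. The weights and thresholds are where an organization encodes its own risk appetite; the structure (baseline, observation, weighted diff, sorted output) stays the same.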