The 10 Deadly Sins of Information Security Management


Prof Basie von Solms


RAU-Standard Bank Academy for Information Technology
Rand Afrikaans University
Johannesburg
South Africa

Prof Rossouw von Solms


Faculty for Computer Studies
PE Technikon
Port Elizabeth
South Africa

Key Words: Information Security, Information Security Management, Information Security Governance

Abstract

This paper identifies 10 essential aspects which, if not taken into account in an
Information Security Governance Plan, will surely cause the Plan to fail, or at
least cause serious flaws in the Plan. These 10 aspects can be used as a
checklist by management to ensure that a comprehensive Plan has been defined
and introduced.

1. Introduction

This paper is based on years of experience in teaching information security to a
wide audience, as well as on Information Security consultancy projects in many
companies. The paper identifies the 10 most important aspects - called the
Deadly Sins of Information Security - which result in companies experiencing
severe problems in implementing a successful comprehensive Information
Security Plan within the company.

All 10 of these aspects are essential to take into account when implementing such
an Information Security Plan in a company, and should be evaluated when an existing
Information Security Plan seems to be having problems in being really effective.
From experience, if even one of these aspects is ignored, or not properly taken
into account, serious problems in introducing and maintaining a proper
Information Security Plan in a company will surely arise.

The paper will briefly discuss each of these aspects or sins, providing some
motivation why their absence from any plan will cause information security
related problems.

The paper ends with a tick list which Information Security Managers can use to
evaluate the presence/absence of these aspects from their Information Security
Plan.

2. The 10 Deadly Sins of Information Security

These sins are introduced below, and discussed individually in the subsequent
paragraphs.

Sin Number:

1. Not realizing that Information Security is a Corporate Governance responsibility (The buck stops right at the top)
2. Not realizing that Information Security is a business issue and not a technical issue
3. Not realizing the fact that Information Security Governance is a multi-dimensional discipline (Information Security Governance is a complex issue, and there is no silver bullet or single off-the-shelf solution)
4. Not realizing that an Information Security Plan must be based on identified risks
5. Not realizing (and leveraging) the important role of international Best Practices for Information Security Management
6. Not realizing that a Corporate Information Security Policy is absolutely essential
7. Not realizing that Information Security Compliance enforcement and monitoring is absolutely essential
8. Not realizing that a proper Information Security Governance structure (organization) is absolutely essential
9. Not realizing the core importance of Information Security Awareness amongst users
10. Not empowering Information Security Managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities

2.1 Sin Number 1

Not realizing that Information Security is a Corporate Governance
responsibility (The buck stops right at the top, and there are legal
consequences)

The realization that Information Security Governance is an essential and integral
part of Corporate Governance has grown particularly in the last few years. The
driving force has been several documents on Corporate Governance which have
appeared recently, for example the King II Report in South Africa [King] and ISACA's
Control Objectives for Information and Related Technologies [COBIT].

Other papers emphasizing this integration of Information Security with Corporate
Governance have also appeared, for example [von Solms].

These documents have been supported by a growing set of laws and legal
requirements which have appeared internationally, specifically related to the
privacy of customer, client and patient data. Some examples of such laws and
legal requirements are the Electronic Communications and Transactions (ECT) Act
in South Africa [ECT] and HIPAA [HIPAA] in the USA.

The implication of these developments is that the Board of Directors, as well as
top management, have a direct corporate governance responsibility towards
ensuring that all the information assets of the company are secure, and that due
care and due diligence have been taken to maintain such security. Compromised
company information assets can have serious financial and legal implications for
a company, and Executive Management can be held personally liable in some
cases.

Further, it is the responsibility of Executive Management to report extensively on the
protection of information assets to the Board of the company.

Consequences of committing this sin:

Executive Management are not performing and exercising the due care and due
diligence expected of them, and may open themselves up to serious personal
and corporate liabilities.

2.2 Sin Number 2

Not realizing that the protection of Information is a business issue and not
a technical issue

This sin is closely related to the one discussed above, but is highlighted on its
own, because it does provide another dimension to the problem. Information
Security related problems in a company cannot be solved by technical means
alone. The sooner the management of a company grasps this fact, the sooner
they will apply due care.

Unfortunately, in many cases, Executive Management in companies still thinks
that technology is all that is required, and therefore delegates or downgrades
the issue to the technical departments, and conveniently forgets about it.

Without the proper, direct and continuous support of such Executive
Management, and without them acting as examples of information security
consciousness and awareness, the information security problem will not receive
due care and will not be addressed satisfactorily.

Consequences of committing this sin:

Technology will be thrown at the information security problem, without resulting in
a total, comprehensive solution. This might also result in money wasted.

2.3 Sin Number 3

Not realizing the fact that Information Security Governance is a
multi-dimensional discipline

This sin is again closely related to the one discussed above, but again is
significant enough to be mentioned on its own.

Information Security is a multi-dimensional discipline, and all dimensions must be
taken into account to ensure a proper and secure environment for a company's
information assets.

The following dimensions of information security are clearly identifiable - some
directly from published literature, and others indirectly from speaking to information
security managers. The list of dimensions below is not necessarily complete,
because the dynamic nature of information security prevents any such
delineation. Some of the dimensions may overlap in terms of their content.
However, the number and precise content of the dimensions are not the most
important factor - the fact that there are different dimensions, and that they must
collectively contribute towards a secure environment, is what is important.

The following dimensions can be identified without much difficulty:

* The Corporate Governance Dimension
* The Organisational Dimension
* The Policy Dimension
* The Best Practice Dimension
* The Ethical Dimension
* The Certification Dimension
* The Legal Dimension
* The Insurance Dimension
* The Personnel/Human Dimension
* The Awareness Dimension
* The Technical Dimension
* The Measurement/Metrics (Compliance monitoring/Real-time IT audit) Dimension
* The Audit Dimension

From this list, it is clear that most of these dimensions are of a non-technical
nature, which links to the previously discussed sin.

All these dimensions must be taken into account in designing and creating a
comprehensive information security plan for a company, because no single
dimension, or product or tool on its own will provide a proper all inclusive
solution.

Consequences of committing this sin:

A lopsided information security solution will be implemented, which will result
in frustration as further dimensions will continuously need to be added to the
solution.

2.4 Sin Number 4

Not realizing that an Information Security Plan must be based on identified
risks

The purpose of information security is to provide measures to mitigate the risks
associated with the company's information resources. However, if the company is
not very clear on precisely what the potential threats are, as well as what assets
they are protecting, they may basically be shooting in the dark: spending
money protecting themselves against threats which have a very low probability of
occurring, and ignoring others which have a very large impact once they occur.

It is therefore essential that a company bases its Information Security Plan
on some type of Risk Analysis exercise. This can be a very formal, structured
and comprehensive exercise, or a more high-level approach in
combination with international best practices. The authors, based on experience,
prefer the latter approach.

However, whatever approach is taken, it must be possible to motivate all actions
taken, and all countermeasures suggested, in terms of some form of risk analysis
for that specific company.

Consequences of committing this sin:

The company may be spending money on risks which may not really be that
dangerous, and ignoring others which may be extremely serious.

2.5 Sin Number 5

Not realizing (and leveraging) the important role of international Best
Practices for Information Security Governance

The typical questions the Information Security Manager (ISM) needs and wants
answers to include:

* Against which risks must the information resources be protected?
* What set of countermeasures will provide the best protection against these risks?

These questions are very important and must be answered, otherwise
the company may waste money on unnecessary or inefficient countermeasures.

Following international best practices for Information Security Governance is
based on the concept of learning from the successful information security
experiences of others. The idea is that a large percentage of information security
threats, resulting risks, and selected countermeasures are the same for all
companies. If a large number of companies have documented their experiences
in this area, alongside the countermeasures they have selected for the possible
risks, why do a comprehensive risk analysis only to arrive, most probably, at the same
result? Rather use these documented experiences directly:

* Why redo what others have done already?
* Why re-invent the wheel for well-established environments?
* Learn from and apply their experience!
* The 'bread and butter' aspects of information security are the same in most IT environments.

This is precisely what following a best practice means.

An International Best Practice (Code of Practice) for Information Security
Management normally documents the knowledge of a group of people (companies)
as far as their experience with information security management is concerned.
It therefore reflects the practices and experiences followed by the relevant people
in managing information security.

The challenge to any Information Security Manager is therefore to do the right
things right. The question asked by many such Managers is: How do I know
what the right things are? And if it can be determined what the right things are,
how do I know I am doing them right?

Information Security is not a new aspect of IT. Many people and many companies
have struggled with information security over many years. In this process, they
have found out what are the right things, and how to do them right.
They have therefore determined from experience what best practices are
required and how to implement them effectively.

This experience has been documented in a wide set of documents, basically
referred to as Standards and Guidelines. These documents are available to new
Information Security Managers, and should be used.

They can be seen as the consensus of experts in the field of information security,
and generally provide an internationally accepted framework on which to base
Information Security Governance and Management.

Nobody needs to re-invent the information security wheel. This wheel has been
developed, it is documented and should be used as such.
This does not necessarily mean that if these best practices are followed strictly
that no security incidents will occur. That is of course not true, but at least an
Information Security Manager, and the top management of companies know that
they are proving their due care and due diligence by following the advice of
experts.

Examples of leading Best Practices in the area of Information Security are
[ISO17799] and [ISF].

Consequences of committing this sin:

Unnecessary time and money is wasted to arrive at a solution which had, most
probably, already been documented.

2.6 Sin Number 6

Not realizing that a Corporate Information Security Policy is absolutely
essential

All international best practices for information security management stress the
fact that a proper Corporate Information Security Policy is the heart and basis of
any successful Information Security Management Plan.

Such a Policy is the starting point and reference framework on which all other
information security sub-policies, procedures and standards must be based.

Such a Policy must be short (3 to 4 pages), and signed by the CEO, showing
Executive Management's commitment and buy-in towards all information security
aspects. This is the most visible way in which Executive Management shows
its commitment towards information security in the company.

Consequences of committing this sin:

All Information Security projects and efforts in the company will have no
anchoring point and no proof of high-level commitment, and will flounder
around without really making progress.

2.7 Sin Number 7

Not realizing that Information Security Compliance enforcement and
monitoring is absolutely essential

It is no use having a perfect Corporate Information Security Policy, with a
comprehensive set of supporting sub-policies conforming to international best
practices, if it is not possible to monitor and enforce compliance with such policies.

"Unenforced policies breed contempt" is a slogan which should be heeded.

Any Information Security Manager should be empowered, through technical and
non-technical measurement tools, to monitor compliance with the relevant
information security policies, and to act if any discrepancies appear.

Such monitoring and measurement tools must also not be built on, or dependent
on, annual or bi-annual internal audit reports: nobody can any longer afford to find
out after 6 months that a fired employee still has access rights to the system.
Such tools must be real-time and provide real-time monitoring and reporting.

"You can only manage that which you can measure" is directly related to this sin.
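The leaver check in the paragraph above is the kind of control that is easy to state in a policy and easy to leave unmeasured. As an added example (not code from the paper or its authors), the following script shows what a continuous, automated version of that check looks like: it reconciles an HR roster against an account directory export and reports every enabled account belonging to a terminated employee, as well as enabled accounts with no employee behind them at all. The two feeds, their column names, the 24-hour grace period and the sample rows are all constructed assumptions; in a real deployment the feeds would be pulled from the HR system and the directory on a schedule, and the findings routed to whoever owns the compliance-monitoring function.

```python
"""Continuous leaver check: terminated employees who still hold enabled accounts.

Added illustration, not part of the original paper. The HR roster, the account
export, their column names and the 24-hour grace period are all assumed.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import csv
import io

# Constructed HR feed: one row per employee; an empty terminated_on means still employed.
HR_FEED = """\
employee_id,name,terminated_on
E001,Alice Adams,
E002,Bob Brown,2024-01-15
E003,Carol Cruz,2024-03-01
E004,Dan Dube,
"""

# Constructed account directory export: one row per account.
# svc_backup is an account with no employee_id, i.e. nobody in HR owns it.
ACCOUNT_FEED = """\
username,employee_id,enabled,last_login
alice,E001,true,2024-03-10
bob,E002,true,2024-03-09
carol,E003,false,2024-02-28
dan,E004,true,2024-03-10
svc_backup,,true,2024-03-10
"""

GRACE = timedelta(days=1)  # assumed policy: accounts must be disabled within 24h of termination


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str      # "terminated_but_enabled" or "no_hr_record"
    detail: str


def _parse_date(text):
    """Parse an ISO date, returning None for an empty field."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def check_terminated_access(hr_csv, accounts_csv, today):
    """Return the policy violations found when reconciling accounts against HR."""
    known_ids = set()
    terminated = {}  # employee_id -> termination date
    for row in csv.DictReader(io.StringIO(hr_csv)):
        known_ids.add(row["employee_id"])
        end = _parse_date(row["terminated_on"])
        if end is not None:
            terminated[row["employee_id"]] = end

    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        enabled = acct["enabled"].strip().lower() == "true"
        emp = acct["employee_id"].strip()
        if not enabled:
            continue  # disabled accounts are compliant regardless of HR status
        if emp not in known_ids:
            # Orphan: enabled account that no HR record explains; needs an owner.
            findings.append(Finding(acct["username"], "no_hr_record",
                                    "enabled account not linked to any employee record"))
            continue
        if emp in terminated:
            end = terminated[emp]
            overdue = today - end - GRACE
            if overdue.days <= 0:
                continue  # still inside the grace period; not yet a violation
            detail = f"terminated {end}, still enabled {overdue.days} days past grace"
            last = _parse_date(acct["last_login"])
            if last is not None and last > end:
                # Worse than a dormant leftover: the account was used after leaving.
                detail += f"; last login {last} is after termination"
            findings.append(Finding(acct["username"], "terminated_but_enabled", detail))
    return findings


def run_example():
    """Run the check over the constructed feeds as of an assumed report date."""
    return check_terminated_access(HR_FEED, ACCOUNT_FEED, date(2024, 3, 11))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:24} {f.username:12} {f.detail}")
```

On the constructed data the check reports two findings: bob, terminated on 15 January but still enabled and logged in on 9 March, and svc_backup, which is enabled but has no employee record. Carol is disabled and therefore compliant even though she has left. The point of the grace period and the "used after termination" detail is that a real-time control has to distinguish a deprovisioning job that is a few hours late from a leftover account that is actively being used.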

Consequences of committing this sin:

A false sense of security may exist and be cultivated because "we have all the
necessary policies in place", without realizing that these policies may not be
complied with.

2.8 Sin Number 8

Not realizing that a proper Information Security Governance structure
(organization) is absolutely essential

It is essential that a company has a proper information security
organizational structure to make an information security governance plan
successful.

Such a structure has to do with the way in which information security is organised
and structured in a company. The importance of such structures is stressed by
several Codes of Best Practice for Information Security Management, which all
state that the existence of a proper organisational structure, including some type
of Information Security Forum, is essential for successful information security
implementations. This dimension not only refers to the organisational structure
itself, but also to aspects like information security related job responsibilities,
communication between information security related roles and the involvement of
top management with information security. It also includes clarity on what
aspects of information security management are to be centralized, what aspects
are to be decentralized, as well as where the compliance monitoring and
enforcement capability will reside (it should never be part of the IT Department
itself).

Consequences of committing this sin:

Everything related to and involving information security is automatically referred
to the (single) Information Security Manager, who really is not the owner of any
information, just the custodian.

If information owners are not clearly defined, and held responsible for the
security of the information under their control, severe risks do arise.

Accountability for information security must be shared by all employees, and not
only the Information Security Manager. This accountability must be spelled out
clearly, and cemented into proper organizational structures.

2.9 Sin Number 9

Not realizing the core importance of Information Security Awareness
amongst users

Although this sin is so apparent that it needs no discussion, it is still one committed
by many companies.

No proper awareness programs exist, and users are unaware of the risks of
using the company's IT infrastructure, and of the potential damage they can cause.
Furthermore, they are often not even aware of the Information Security Policies,
Procedures and Standards existing in the company.

Users cannot be held responsible for security problems if they are not told what
such security problems are and what they should do to prevent them.

In many cases it is realized that money spent on comprehensive User
Information Security Awareness programs is some of the best money spent on
information security.

Consequences of committing this sin:

Many information security related intentions will fail to materialize if users are not
properly educated in this regard.

2.10 Sin Number 10

Not empowering Information Security Managers with the infrastructure,
tools and supporting mechanisms to properly perform their responsibilities

This sin is closely related to Sins 7 and 8 above, but is so important that
it warrants being listed separately.

Very often, Executive Management appoints an Information Security Manager,
and expects such a person to do everything alone.

This is not possible, because of the complexity and multi-dimensionality of
information security. Understanding and deliberately trying to prevent the sins
discussed above will go a long way in preventing this one.

Consequences of committing this sin:

Information Security Managers soon realize that they cannot do their job
properly, and either move on, or move out of information security. This opens the
company up to severe risks, because no continuity exists and the security plan
never gets fully implemented.

3. Conclusion

Creating and implementing a proper information security program is not
necessarily rocket science - most of the important components that should be
part of such a program are basically common sense. However, very often these
common sense issues are ignored because there is a lack of understanding and
realization of how essential they are.

This paper attempted to put all these essential components into place.

The following Tick List can be used to evaluate your company's Information
Security Plan in terms of the 10 Deadly Sins discussed above.

Our company's Information Security Plan fully takes into account that:

1. Information Security is a Corporate Governance responsibility (the buck stops right at the top) - YES / NO
2. Information Security is a business and not a technical problem - YES / NO
3. Information Security Governance is a multi-dimensional discipline (Information Security Governance is a complex issue, and there is no silver bullet or single off-the-shelf solution) - YES / NO
4. The Information Security Plan must be based on proper Risk Analysis - YES / NO
5. International Best Practices for Information Security Governance drive our Plan - YES / NO
6. A Corporate Information Security Policy is absolutely essential - YES / NO
7. Information Security Compliance enforcement and monitoring is absolutely essential - YES / NO
8. A proper Information Security Governance structure (organization) is absolutely essential - YES / NO
9. Information Security Awareness amongst users is core to the success of our Plan - YES / NO
10. Our Information Security Manager is empowered with the infrastructure, tools and supporting mechanisms to properly perform his/her responsibilities - YES / NO

If the answer to any of the above is NO, serious attention must be given to
revisiting and re-evaluating that aspect, as well as the complete Information
Security Governance Plan.

References

[COBIT] ISACA, Control Objectives for Information and Related Technologies (COBIT). www.isaca.org
[ECT] Electronic Communications and Transactions Act, South Africa. www.doc.gov.za
[HIPAA] Health Insurance Portability and Accountability Act, USA. www.hhs.gov/ocr/hipaa
[ISO17799] ISO/IEC 17799, Code of Practice for Information Security Management. www.iso.ch
[ISF] Information Security Forum, Standard of Good Practice. www.isfsecuritystandard.com
[King] King II Report on Corporate Governance for South Africa. www.iodsa.co.za
[von Solms] von Solms SH, Corporate Governance and Information Security, Computers and Security, 20, 2001, pp. 215-218
