Building a Practical Information Security Program

The following is an excerpt from Building a Practical Information Security Program by authors Jason Andress and Mark Leary and published by Syngress. This section from chapter 9 explores deploying information security compliance processes.

Organizations confronted with multiple regulatory requirements, as well as their own security policies, are often stretched thin trying to meet so many legal and regulatory obligations. Some organizations allow information security compliance to be addressed by more than just the information security function. For example, they may allow the business units most directly affected by a regulatory requirement to perform their own compliance assessment in addition to the organizational compliance assessment, and perhaps even a third Internal Audit assessment. As a result, efforts are often incomplete, redundant, and costly. In addition, these organizations may not have the rigor or discipline to execute an evidence-based audit and may simply “self-attest” to a state that is not reflected by reality. A piecemeal approach may also undermine the integration of information security compliance into other institutional compliance programs, such as information privacy and institutional governance. For example, a decentralized approach to information security compliance management could make it harder to monitor and report on the controls that are increasingly a part of audits. For all of these reasons, organizations should consider a unified approach to meeting information security compliance. Using a unified approach, organizations subject to multiple information security laws, regulations, and guidelines will be able to comply with all of them at one time. This is commonly known as a “test once, comply many” approach. After determining which organizational policies, laws, and regulations are applicable, the compliance team conducts a comprehensive compliance analysis that covers these multiple requirements and then recommends the minimum level of safeguards required to meet them. Where requirements conflict, such as password strength, encryption strength, or audit settings, compliance should focus on the most stringent requirement as a “high water mark.”

Step 1: Determine Applicable Security Policies, Laws, and Regulations

The first step in the process is to determine the security policies, laws, and regulations applicable to the organization. This preliminary step sets the scope of compliance. The determination not only assists in preparing the compliance assessment plan but also guides the compliance assessor in selecting the information to be collected and the type of compliance assessment methodology to be performed. Identifying the appropriate requirements is not always straightforward. Depending on their activities and operations, organizations can be affected by a number of laws and regulations. In addition, some policies, laws, and regulations apply only to specific organizational departments or functional activities. In other cases, more than one requirement may apply to the same control area or domain. Once the applicable information security requirements are determined, an appropriate information security risk or compliance analysis framework, such as International Organization for Standardization (ISO) 27004 or the National Institute of Standards and Technology (NIST) 800 series, can be selected. It is often worth the effort to map these requirements to one another when the target of evaluation is governed by several information security frameworks. For example, if the password requirement for system access is six characters under one requirement, eight characters under another, and eight characters including special characters under a third, it may be helpful to adopt a single requirement (the most stringent) and evaluate the system accordingly.

The analysis model to be used will depend on the organizational type, the applicable information security requirements, and the information security framework aligned to both. For example, a government agency aligned to the NIST 800 series may require the compliance framework of NIST Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems.” A commercial entity aligned to the ISO 27000 series, on the other hand, may find the ISO 27004 method of risk management more appropriate. Some helpful qualifying questions can be asked to determine the scope and focus of the compliance assessment:

  • What is the type of organization (e.g., privately held, publicly traded, government agency)?
  • What type of industry or markets does the business participate in?
  • What type of information is stored, processed, or transmitted?
  • What processes have legal or regulatory implications (e.g., does the organization provide health care services or process credit cards for payment purposes)?
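As an added illustration of the “test once, comply many” and high-water-mark idea described in this step and in the introduction (example code written for this page, not code from the book or its authors), the snippet below merges several constructed requirement sets into the most stringent value per control, then evaluates one system’s settings against that merged requirement and cites, for each gap, exactly the clauses the system fails. The source names, clause numbers, control names, and system settings are invented placeholders.

```python
"""Added example: harmonise overlapping password-control requirements into one
"high water mark" and evaluate a system against it ("test once, comply many")."""

# Constructed, hypothetical requirement sets. Source names and clause numbers are
# placeholders, not quotations from any real policy, law, or standard.
REQUIREMENTS = {
    "Policy-A 4.2":      {"min_length": 6},
    "Regulation-B 12.1": {"min_length": 8, "max_age_days": 90},
    "Standard-C 5.3.1":  {"min_length": 8, "require_special": True,
                          "lockout_threshold": 10},
    "Regulation-B 12.4": {"lockout_threshold": 5},
}

# Rule for picking the most stringent value of each control across sources.
# max: a larger minimum is stricter; min: a smaller ceiling is stricter;
# any: a boolean control is required as soon as one source requires it.
STRICTER = {
    "min_length": max,
    "max_age_days": min,
    "lockout_threshold": min,
    "require_special": any,
}

# Constructed settings of an assumed system under evaluation.
SAMPLE_SYSTEM = {"min_length": 7, "max_age_days": 90,
                 "require_special": False, "lockout_threshold": 6}


def high_water_mark(requirements):
    """Return {control: (strictest_value, [sources that demand that value])}."""
    by_control = {}
    for source, controls in requirements.items():
        for control, value in controls.items():
            by_control.setdefault(control, []).append((source, value))
    merged = {}
    for control, pairs in by_control.items():
        strictest = STRICTER[control]([v for _, v in pairs])
        drivers = [s for s, v in pairs if v == strictest]
        merged[control] = (strictest, drivers)
    return merged


def satisfies(control, actual, required):
    """Compare a setting to a threshold in the direction the control's rule implies."""
    if STRICTER[control] is max:          # required value is a lower bound
        return actual >= required
    if STRICTER[control] is min:          # required value is an upper bound
        return actual <= required
    return bool(actual) or not required   # boolean control


def evaluate(system, requirements):
    """List every control the system fails against the high-water mark. Each finding
    cites exactly the sources whose own threshold the system misses, which is the
    clause-level traceability the audit report needs (Step 5). A missing setting
    counts as a failure of every source that specifies that control."""
    findings = []
    for control, (required, _) in high_water_mark(requirements).items():
        actual = system.get(control)
        if actual is not None and satisfies(control, actual, required):
            continue
        violated = sorted(
            src for src, controls in requirements.items()
            if control in controls
            and (actual is None or not satisfies(control, actual, controls[control])))
        findings.append({"control": control, "actual": actual,
                         "required": required, "violates": violated})
    return findings


if __name__ == "__main__":
    for control, (value, drivers) in high_water_mark(REQUIREMENTS).items():
        print(f"{control}: {value!r} (driven by {', '.join(drivers)})")
    for f in evaluate(SAMPLE_SYSTEM, REQUIREMENTS):
        print(f"FAIL {f['control']}: have {f['actual']!r}, need {f['required']!r}; "
              f"fails {', '.join(f['violates'])}")
```

Note that a setting that passes the merged requirement passes every source by construction, so only the merged test needs to be run, while a failure still reports which individual clauses are affected.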

Step 2: Prepare the Information Security Compliance Management Plan

After the information security compliance requirements are identified, a thorough compliance management plan is prepared by the compliance manager. This management plan guides the individual compliance activities: the number and type of compliance audits by business unit or entity; schedules of the compliance activities, including senior leadership reviews; policy and supporting procedure and guideline updates; staffing mixes and training requirements for the conduct of audits; and any technology road maps for tools used during compliance audits. This is traditionally an annual process, adjusted periodically as schedules or resources are freed up or constrained.

Step 3: Data Collection and Asset Identification

Information gathering includes the identification of assets to be protected, document review, and interviews with both management and other stakeholders. The individuals interviewed may be line-of-business personnel, functional staff, senior management, legal counsel, audit and compliance personnel, and, of course, the IT staff. It may also involve vendors and other third parties, particularly if certain functions are outsourced but are in scope of the audit. The scope of the interviews will differ slightly depending on the state, federal, and international laws and regulations that apply. The data collection process reviews information security technical, operational, and risk management practices, processes, and procedures. Technical security reviews include asset management, configuration management, and security management, as well as assessment of IT architecture, application, and network policies. Operational security includes vulnerability management, patch management, incident management, business continuity/disaster recovery, and other operational services or functions. Risk management reviews cover policies and procedures, risk assessments, compliance audits, third-party security reviews, and other analytical functions in managing and governing IT security risk. It is also important to include physical security so that compliance for the protection of information security facilities is evaluated. Evidence is collected through manual or automated methods: mainly documents, interviews, and automated collection through system or security tools. Documentary evidence includes written policies and procedures, Internet policies and procedures, sanctions and disciplinary procedures, and other documents evidencing organizational efforts to protect information, such as contracts, procedures for assigning, modifying, or removing access rights, and password-management policies. Auditors will generally ask chief information officers, chief technology officers, and IT administrators a series of pointed questions over the course of an audit. Interviews are particularly helpful for eliciting how the program is implemented and personal observations of its effectiveness.

Some important areas to cover during interviews are:

  • the individual(s) responsible for information privacy and security (organizational and departmental levels);
  • information assets that need to be protected to support the business and operations;
  • how the information security program is structured;
  • how compliance policies and procedures are implemented and integrated with other activities;
  • how well departments work together to ensure that information security practices are uniform;
  • which third parties have access to the institution’s information systems.

IT administrators prepare for compliance audits using event log managers and robust change management software that track and document authentication and access controls in IT systems. The output of these tools may include which users were added and when, who has left the company, whether user IDs were revoked, and which IT administrators have access to critical systems. Beyond the common system management tools, the growing landscape of GRC (governance, risk, and compliance) software now enables the IT staff to quickly show auditors that the organization is in compliance.

Step 4: Perform Risk Analysis

In Step 4, the collected data are fed into the selected risk analysis framework (e.g., an organizational, ISO, or NIST framework). The quality and effectiveness of the compliance risk analysis results will depend heavily on how much data were collected in Step 3. The compliance risk analysis covers technical, operational, and management security, including organizational context and considerations.

Step 5: Report Findings and Recommendations

The results of the compliance risk analysis are then documented in an information security compliance audit report. The report should describe the organizational context, identified threats and vulnerabilities, current controls, and the effectiveness or absence of those controls. To ensure relevance and due diligence, the report should reference the specific sections or paragraphs of the applicable security regulations for both existing and missing controls. To maximize its effectiveness, the report should also contain an action plan and milestone schedule for implementing the changes needed to attain compliance with applicable laws and regulations. That plan should encompass all the safeguards identified in the risk analysis and also include procedures for the selection of security system vendors or service providers and for the installation of security systems or services.

Step 6: Execute the Implementation Plan

The implementation plan provided in the information security compliance audit report is executed in this step. At this stage of the compliance process, it is important to integrate all new controls for meeting information security compliance with other compliance efforts currently under way (e.g., financial, contracts, legal). Integrating compliance programs ensures uniformity and consistency across compliance activities, or at the very least avoids duplication of effort. For example, rationalizing and harmonizing the compliance activities that support information security regulations can save time, money, and other resources.

Step 7: Periodically Monitor, Test, Review, and Modify the Information Security Compliance Management Program

Information security, like any IT activity, is an ongoing process. Maintaining a state of continuous compliance requires focused effort and coordination. Because the technology landscape keeps changing, information security functions should continuously monitor and test the effectiveness of implemented controls against known or potential threats. This involves testing applications and networks against emerging threats and recommending actions when threats are present and vulnerabilities are discovered. Organizations accustomed to traditional approaches to information security compliance that focus primarily on annual audits may find it difficult to build in the people, processes, and technology necessary to support sustained compliance. Organizations should perform periodic compliance risk analysis to validate that control selection and implementation continue to be reasonable, appropriate, and effective.

About the author:

Jason Andress (CISSP, ISSAP, CISM, GPEN) is a seasoned security professional with a depth of experience in both the academic and business worlds. Presently, he carries out information security oversight duties, performing penetration testing, risk assessment, and compliance functions to ensure that critical assets are protected. Jason has taught undergraduate and graduate security courses since 2005 and holds a doctorate in computer science, researching in the area of data protection. He has authored several publications and books, writing on topics including data security, network security, penetration testing, and digital forensics.

Mark Leary has more than 30 years of experience in security management and technical intelligence, having held several positions of responsibility in IT security management for government agencies and commercial firms. Mark is currently Vice President and Chief Information Security Officer for Xerox Corporation. Mark holds a Doctorate in Management, an MBA with a concentration in Project Management, dual Master’s degrees in Security and IT Management, and several professional certifications (CISSP, CISM, CGEIT, and PMP). He also serves as an Adjunct Professor for the University of Maryland and Industry Advisor to the Rochester Institute of Technology.

Local, global security firms in race along China’s ‘Silk Road’

SHANGHAI/BEIJING Global security companies and their smaller Chinese rivals are jostling for business along Beijing’s modern-day “Silk Road”, the grandiose plan for land and sea routes connecting the world’s second largest economy with the rest of Asia and beyond.

Representing investments of hundreds of billions of dollars, the pet project of Chinese President Xi Jinping is seen boosting economic growth at home, and as positive for everything from steel prices to cement makers.

Security firms also expect to tap the rush, offering to protect thousands of Chinese workers – and the pipelines, roads, railways and power plants they build – as they fan out across the world under the “One Belt, One Road” (OBOR) initiative.

It won’t be easy, however, with executives warning that state-owned enterprises running or planning projects from Africa to Vietnam sometimes prefer to deal with fellow Chinese, treat safety as an afterthought and try to keep costs to a minimum.

“OBOR is a lifetime (of work) for us,” said John Jiang, managing director of Chinese Overseas Security Group (COSG).

The small consortium of security providers was set up early last year and operates in six countries: Pakistan, Turkey, Mozambique, Cambodia, Malaysia and Thailand.

“In eight years’ time, we want to run a business that can cover 50-60 countries, which fits with the One Belt One Road coverage,” Jiang told Reuters.

Chinese personnel are essentially barred under Chinese law, and that of many host nations they work in, from carrying or using weapons.

Instead, COSG and its rivals usually work with and train local staff and focus on logistics and planning.

In Pakistan, for example, where attacks by militants and separatist insurgents are considered a serious threat, COSG has a joint venture with a local security firm with links to Pakistan’s navy.

The Pakistani army also plans to provide 14-15,000 armed personnel dedicated to guarding Chinese projects, according to local media reports.

The $57 billion China-Pakistan Economic Corridor (CPEC), the largest single project under the OBOR banner, envisages roads, railways, pipelines and power lines that link China’s western reaches with the Arabian Sea via Pakistan.


Major international security operators hope their scale and experience can convince China’s price-conscious state-owned giants to pay for foreign expertise.

Firms like Control Risks and G4S (GFS.L) offer staff with military backgrounds and decades of experience in risky regions around the world.

G4S said it had seen an acceleration of interest in its services since OBOR began gaining traction.

Michael Humphreys, a Shanghai-based partner at Control Risks, said around a third of the security consultancy’s work in China was related to OBOR.

Hong Kong-based logistics firm Frontier Services Group (0500.HK), co-founded by Erik Prince who created the U.S. military security services business Blackwater, announced in December it was shifting strategy to capitalize on OBOR.

It plans to set up an office in the southwestern province of Yunnan, which adjoins Southeast Asia, and another base in Xinjiang in China’s west, the starting point for the CPEC project crossing Pakistan.

Smaller Chinese firms like COSG, Shanghai-based Weldon Security and Dewei Security, meanwhile, see their advantage over multinationals in state-owned enterprises’ preference for hiring Chinese to handle sensitive projects.

Only a handful of the estimated 5,800 Chinese security companies operate overseas, with the vast majority focusing on the domestic market.

“For Chinese firms, especially with security work, they (state companies) want to speak with another Chinese person. We can also one hundred percent reflect their thinking when we work,” said Dewei general manager Hao Gang.


Security risks facing Chinese workers abroad are varied and often unpredictable.

Yu Xuezhao, a former soldier working in Kenya for Dewei, is helping to train hundreds of local guards to protect Chinese contractors operating there, including oil giant Sinopec (600028.SS) and China Road and Bridge.

Africa, where China invested long before OBOR was formally created, is considered a part of the initiative.

“The most common incidents we encounter are thefts and strikes,” 27-year-old Yu said, speaking from a training compound in the Kenyan capital Nairobi he has managed since 2015. “We train security guards to inspect cars and do ground patrols.”

Events can quickly escalate.

In 2015, for example, an attack on a hotel in Mali killed three workers at a Chinese state firm, leading to calls by Beijing for beefed up security.

Officials revealed then that 350 security incidents had occurred between 2010-2015 involving Chinese firms abroad.

Such concerns do not easily translate into lucrative contracts, however.

In some cases, security companies are called in to deal with an emergency rather than to coordinate a long-term strategy.

“For a lot of companies, they come to us when they’ve (already) got a problem,” said Humphreys of Control Risks.

“They’ve started the project and they can’t move it forward because they have a labor dispute or someone is throwing petrol bombs at their trucks.”

Hao and other Chinese security executives added that most state-owned enterprises were building their overseas security capabilities from a low base.

“A lot of the larger state-owned enterprises have only just started to go out in the last few years. As such, overseas security work remains a blank space for those firms who had not gone out before,” he said.

Some Chinese experts said companies operating abroad were beginning to think more about the importance of safety.

“This is something Chinese companies need to study more,” said Lu Guiqing, general manager of private builder Zhongnan Group and former chief economist at China State Construction Engineering Corporation.

“When you ‘go out’ safety is the most important. What’s the point if you end up losing people?”

(Additional reporting by Joseph Campbell in BEIJING and George Ng’ang’a in NAIROBI; Editing by Mike Collett-White)


Worcester jail Warden Garry Mumford dies at 57


Garry Mumford, Worcester County jail warden since 2011, died on April 22, 2017.(Photo: Rob Korb image courtesy Worcester County government)

Garry Mumford, Worcester County’s jail warden since 2011, died Saturday, county officials said.

“It is with heavy hearts that we honor the memory of our dear friend and colleague, Worcester County Jail Warden Garry Mumford, who passed away Saturday, April 22, 2017, after a brief illness,” read a news release from Worcester County officials on Sunday. Mumford, 57, had overseen Worcester’s jail since April 2011 after serving 11 years as assistant warden/security and custody officer at the facility. He replaced former Warden Ira F. “Buck” Shockley, who had retired. Worcester officials said Sunday that Mumford’s leadership played a key role in the Worcester County Jail having been recognized for 14 consecutive years with the Recognition of Achievement Award from the Maryland Commission on Correctional Standards, for achieving 100 percent compliance with Maryland regulations for the quality of service he and his staff provided.


“Warden Mumford led our team for the past six years,” Assistant Warden Donna Bounds said. “As our leader, he gave his heart and soul to everyone he encountered on a daily basis. Warden Mumford provided strong leadership and was a great teacher, but most of all a great friend. The Worcester County Jail is struggling today with this tremendous loss of our leader and friend.”

Mumford, born Nov. 28, 1959, graduated from Salisbury University with a bachelor’s degree in social work in 1981, according to the news release. After graduating, he served as a military police investigator, juvenile investigator, and drug investigator in the Army from 1982 to 1987. He joined the Worcester County team in late 1987 as an investigator with the state’s attorney’s office. During that time, he attended the Eastern Shore Criminal Justice Academy at Wor-Wic Community College, where he earned certification as a law enforcement officer by December 1988. Mumford was especially proud of his staff, county officials said, quickly giving them credit for the high standards to which he held his agency. After receiving the most recent MCCS award, Mumford said of his staff, “The county is fortunate to have this wonderful group of employees who care about the quality of services provided at the jail.”

In addition to being warden, Mumford was also active in the community. He was a member of the Atlantic General Hospital board of directors and former Worcester County Board of Education member. He is survived by his wife of more than 19 years and retired clerk of court employee, Faith.

“Last night Worcester County lost Warden Garry Mumford,” Commission President Jim Bunting said. “Garry was a dedicated and highly respected leader in our community. On a personal level, we have been friends since we were young boys. I will miss Garry. God bless him and his family.”
