Data managers, auditors, and stakeholders in the security of sensitive data want to be sure that no one inside or outside of the organization could gain unauthorized access to the most sensitive information, including credit card numbers, Social Security numbers, intellectual property, or patient health information. If sensitive data is not adequately secured, an organization could be found out of compliance with a number of laws and regulations, potentially resulting in millions of dollars in fines and lawsuits. For example, in 2008 the Identity Theft Resource Center (ITRC) reported 656 breaches from banking, credit, financial, educational, governmental, military, and health-care institutions, putting nearly 36 million records at risk.
To secure this data, an organization needs to understand what the data is, where it is communicated to/from, where it is stored, what business objectives are at risk, and who can access it. The InfoSec Layer Methodology provides a layman's view of the fairly complicated communication process used by systems and, by simplifying it, gives risk managers and auditors a way to communicate with technical developers/administrators — two groups that speak in different languages. For example, business-level stakeholders often don't understand the technical protocols being used and the risks they pose, whereas technical administrators or developers often don't understand the business objectives that the risks they are mitigating threaten. In a nutshell, the InfoSec Layer Methodology helps the stakeholder follow the data and reasonably assure its security in accordance with management's expectations.
What is Information Security?
As defined in the U.S. Code, the codification of general and permanent laws of the United States, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide:
- Integrity – Guarding against inappropriate information modification or destruction, and includes ensuring information non-repudiation and authenticity.
- Confidentiality – Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
- Availability – Ensuring timely and reliable access to and use of information.
Use of information security assertions — integrity, confidentiality, and availability — allows business-level and security professionals to speak a common language. To fully understand these assertions and make appropriate business decisions, they need to be coupled with an understanding of what the data is, where it is communicated to/from, where it is stored, and who can access it — which is the purpose of defining data in framework layers.
The term layers in reference to information security comes from common data communication models such as the Transmission Control Protocol/Internet Protocol (TCP/IP) Suite or the Open Systems Interconnection (OSI) Model. These frameworks describe how systems communicate and how data generally flows between systems. Under these models, data communications and computer network protocols are designed to work in a layered fashion, passing the information from one layer to the next and encapsulating it as it goes.
Unfortunately for risk management and auditing, it's not always practical or easy for nontechnical stakeholders to understand the use of all the layers in the OSI or TCP/IP models, and for their purposes several of those layers can be combined into more general groupings. Specifically, the groupings the InfoSec Layer Methodology focuses on are the application, infrastructure, data in transit, and physical layers. "The Four Layers" below illustrates the differences between the layers using payroll information, keeping in mind at what points the data could be intercepted or accessed:
- Application – Access to end-user applications is restricted to business need-to-know.
- Infrastructure – Access to infrastructure components is restricted to business need-to-know. An example of this layer could be servers.
- Data in Transit – Data is secured while in transit.
- Physical – Physical access to systems, servers, PCs, data centers, etc. holding sensitive information is restricted to business need-to-know.
The Four Layers
The InfoSec Layer Methodology is a combination of the two concepts: information security and comprehension of the organization's data with respect to layers. If sensitive data has not undergone scrutiny during system implementation or is not continually reviewed for appropriate controls through IT audit or risk management, an organization could be at risk of a breach similar to those reported by the ITRC (see "The InfoSec Layer Methodology Illustrated" below for a high-level graphical representation).
The InfoSec Layer Methodology Illustrated
If IT auditing or risk management functions have performed a comprehensive review to follow the data and understand where it is stored and how and where it is being communicated, they then need to determine:
- Why they care (management assertions such as confidentiality, integrity, availability, or even financial statement assertions such as valuation/measurement or completeness).
- What the inherent risks are (vulnerabilities to the existing protocols or technologies).
- If the information is controlled.
- What the residual risks are, and if management can accept those risks.
- If additional mitigation is needed.
The next step is to perform a detailed risk assessment and to determine if detailed tests of controls or substantive testing are required to substantiate risk mitigation. "Example Risk Assessment Using the Layer Methodology" below shows an example of what a risk assessment might look like in the InfoSec Layer Methodology.
Example Risk Assessment Using the Layer Methodology
If the controls in place are not reliable and do not provide adequate mitigation, if testing the internal controls would be less efficient, or if the data is so sensitive that you need to know whether there are any exposures, substantive testing may be necessary. When completing the risk assessment it is important to remember what management's objectives/assertions over the data are. It is also important to consider all pertinent layers where the data exists and to use open-source information on risks (e.g., IEEE) to help in understanding potential vulnerabilities that may apply to the environment you are reviewing. Moreover, keep it simple. Otherwise, you risk reverting to the problem of management and technical administrators not understanding each other and their objectives.
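The steps above (follow the data across each layer, state why management cares, rate the inherent risk, credit only controls that have been tested, compare the residual risk with what management will accept, and decide whether more mitigation or substantive testing is needed) can be written down as a small, repeatable model. The code below is an added illustration, not the article's own example risk assessment or any tool the methodology prescribes; the three-step risk scale, the "reduction" scoring for controls, and the payroll sample rows are all constructed assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Coarse risk rating. The three-step scale is an assumption of this
    example, not part of the InfoSec Layer Methodology as described."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Control:
    """A control over one layer. 'reduction' is how many levels it lowers
    inherent risk, and it counts only once it has been tested and found
    effective (assumed scoring rule)."""
    name: str
    reduction: int
    tested_effective: bool = False


@dataclass
class LayerRisk:
    """One row of the assessment: where the data exists (layer), why
    management cares (assertions), the inherent risk, the controls, and the
    residual risk management is willing to accept (appetite)."""
    layer: str
    assertions: tuple
    inherent: Level
    appetite: Level
    controls: list = field(default_factory=list)

    def residual(self) -> Level:
        # Only controls whose operation has been tested count toward mitigation.
        effective = sum(c.reduction for c in self.controls if c.tested_effective)
        return Level(max(int(Level.LOW), int(self.inherent) - effective))

    def decision(self) -> str:
        # Residual risk above management's appetite means more mitigation is needed.
        return "accept" if self.residual() <= self.appetite else "mitigate"

    def untested_controls(self):
        # Untested controls cannot be relied on: either test them, or the
        # layer becomes a candidate for substantive testing.
        return [c.name for c in self.controls if not c.tested_effective]


def assess(data_name: str, rows):
    """Walk the named data across every layer it touches and summarise each layer."""
    report = {}
    for row in rows:
        report[row.layer] = {
            "data": data_name,
            "assertions": row.assertions,
            "inherent": row.inherent.name,
            "residual": row.residual().name,
            "decision": row.decision(),
            "untested_controls": row.untested_controls(),
        }
    return report


def needs_mitigation(report):
    """Layers where residual risk exceeds management's appetite."""
    return sorted(layer for layer, r in report.items() if r["decision"] == "mitigate")


# Constructed sample: payroll data followed across the four layers.
PAYROLL = [
    LayerRisk("Application", ("Confidentiality", "Integrity"), Level.HIGH, Level.LOW,
              [Control("Role-based access limited to payroll staff", 1, True),
               Control("Quarterly user-access review", 1, True)]),
    LayerRisk("Infrastructure", ("Confidentiality", "Availability"), Level.HIGH, Level.LOW,
              [Control("Server admin access limited to named operators", 1, True),
               Control("Patch management process", 1, False)]),  # not yet tested
    LayerRisk("Data in Transit", ("Confidentiality",), Level.HIGH, Level.LOW,
              [Control("Payroll file transfer over an encrypted channel", 2, True)]),
    LayerRisk("Physical", ("Confidentiality", "Availability"), Level.MEDIUM, Level.LOW,
              [Control("Badge-controlled data centre", 1, True)]),
]


if __name__ == "__main__":
    for layer, r in assess("payroll", PAYROLL).items():
        print(f"{layer:16} inherent={r['inherent']:6} residual={r['residual']:6} "
              f"{r['decision']:8} untested={r['untested_controls']}")
```

In the sample, the infrastructure layer is the one that comes back as "mitigate": its patch-management control exists on paper but has not been tested, so it earns no credit, and the residual risk stays above what management said it would accept. That is exactly the situation in which the reviewer must choose between testing the control and performing substantive testing of the layer.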
The InfoSec Layer Methodology integrates well with already existing frameworks, such as The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control–Integrated Framework (see illustration below) or the Control Objectives for Information and related Technology (COBIT) cube, and it can also be enhanced to consider additional layers, such as compliance and regulatory objectives, people, processes, and technology, as shown in "The Flower of Power" illustration below.
InfoSec Layer Methodology Integrated With COSO Framework
Flower of Power
Speaking the Same Language
When standard methodologies are followed, they may lack comprehensiveness in understanding all the layers, in covering the applicable management objectives, or in considering major security vulnerabilities. The InfoSec Layer Methodology bridges the communication gap between InfoSec professionals and risk managers so they can work together to correct common security flaws. To adequately secure the data, the flow needs to be mapped, showing where the data is stored and the communication paths used (follow the data). If the InfoSec Layer Methodology is followed and due diligence is applied, management should have the right information to make informed decisions to mitigate or accept the risks over that data.