DSCI Assessment Framework (DAF)


Foreword

Organizations can respond to the security challenge posed by ever expanding threat scenarios only through preparedness. They have to implement appropriate technical and process safeguards along with physical, legal, and personnel security measures for securing their businesses. DSCI Security Framework - DSF - details the best practices using an innovative approach that brings dynamism into security. It is a new risk based approach to security, that is data-centric; driven by security principles of information visibility, coverage & accuracy; they help an organization evaluate itself through self-assessment on the maturity criteria proposed in DSF. Strategic and implementation guidelines in DSF can enable choosing of appropriate controls to help migrate in maturity from low to high levels. Even though DSF does not focus on certification, the need for certification or rating does not go away. Managements are keen to understand the security posture of their organizations; they want to know what improvements can be made, and how to evaluate them. Clearly, maturity is one indicator that would give them some direction. But it is obvious that we have to look at some form of assessment process to assess the security posture, without getting into the trap of checklists and a basket of controls to choose from, in order to satisfy an auditor. How do we not let this assessment become a mechanical process? At DSCI we have debated this internally. We reviewed our security surveys that were based on detailed questionnaires. We analyzed the responses of companies to our rather elaborate questionnaires that we had designed for the DSCI Excellence Awards. It was interesting to observe the emerging pattern, which provided clues to light-weight assessment. The assessment process would lend itself to self-assessment by organizations; with additional confirmation by a third party using a little more inputs. This can act as a quick guide to confirm the security posture.

Practices in each of the 16 disciplines of DSF have been articulated in the framework document. The detailed assessment process has been developed for some of the areas that comprise the DSF. In this we have benefitted from consultations with industry: the companies that came forward to test the framework in the pilot projects, and the consulting firms that have partnered with us. The guiding principle has been to add value to the organization through the assessment by way of reviewing the strategy, processes, and implementation including technology solutions deployed, through a rating arrived at for each of the identified criteria. It may look a bit difficult to begin with, but I'm sure the value generated by this assessment approach will speak for itself. I want to reiterate that DSF does not promote organization-wide certification. DSCI Assessment Framework - DAF - is in your hands. As always, I encourage you to review it critically and give us your constructive suggestions to make it more useful to organizations.

Dr. Kamlesh Bajaj
CEO, DSCI

DSCI Assessment Framework

About DSCI

Data Security Council of India (DSCI) is a Section 25, not-for-profit company, set up by NASSCOM as an independent Self-Regulatory Organization (SRO) to promote data protection, develop security and privacy standards and encourage the IT/BPO industry to implement the same.

For more information about DSCI or this DAF, or any feedback, please contact: DATA SECURITY COUNCIL OF INDIA Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi - 110057, India Phone: +91-11-26155071, Fax: +91-11-26155070 Email: info@dsci.in Website: www.dsci.in

First printed in December 2011. Published by DSCI.

Designed & Printed by Swati Comunications +91 11 41659877, +91 9213132174

Copyright 2011 DSCI. All rights reserved.

This assessment framework contains information that is Intellectual Property of DSCI. No part of this report can be reproduced in any form whatsoever. The information contained herein has been obtained from sources, believed to be reliable. However, DSCI expressly disclaims all warranties, express or implied, as to the accuracy, completeness or adequacy of the information. DSCI shall have no liability for errors, omissions or inadequacies in the information contained herein, or for interpretations thereof. DSCI also disclaims responsibility for any loss, injury, liability or damage of any kind resulting from, or arising out of use of this material/information, or part thereof. Views expressed herein are views of DSCI and/or its respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of information or part thereof does not intend to constitute legal advice or to create a Lawyer/ Attorney-Client relationship, in any manner whatsoever.


Contents
Background ..... 5
Need for Assessment Framework ..... 6
Key Business Drivers for Assessments ..... 7
Assessment Challenges ..... 8
Prevalent Assessment Frameworks / Models ..... 9
Requirements of Assessment Framework: what it should cover ..... 11
DSCI Assessment Framework (DAF) ..... 14
Approach for DSCI Assessment Framework ..... 15
Structure of DSCI Assessment Framework ..... 16
Managing Assessments under DAF ..... 17
Light weight Assessment ..... 19
Discipline Specific Assessments based on DSF ..... 21
Sample Assessment Report ..... 25


Background
Businesses today are global, complex and fast evolving, and technology has made business transactions independent of space and time. This has enabled businesses to focus on their core competencies and outsource non-core business operations to Service Providers, who are capable of providing services to the businesses from around the world. Information Security and Privacy become crucial when it comes to outsourcing, as technology enables free flow of information across borders between Clients and Service Providers. This information could be business sensitive information and / or sensitive personal information of the Clients' end customers, including but not limited to health-related information, financial details, credit card details, social security numbers, etc. Also, stringent global data protection regulations make businesses liable for loss, misuse or wrongful disclosure of any personal information of any citizen, irrespective of whether the failure is at the outsourcer's end or the Service Provider's end. Indian IT/BPO Service Providers are striving hard to ensure that security and privacy of data is well maintained. They follow stringent security controls specified by the Clients through contractual obligations. The Clients conduct regular information security and privacy assessments of the Service Providers to ensure compliance with the contractual obligations and / or regulatory requirements, or to assess the security posture of Service Providers. In this outsourcing ecosystem, many Clients have developed and applied their own proprietary assessment frameworks for evaluating their Service Providers. Service Providers, on the other hand, strain their resources to respond to diverse and varied client information requests. Such an independent approach proves to be an ineffective and costly affair, both for the Clients and the Service Providers.

Inconsistencies arising from the use of different assessment methodologies cause delays, resulting in inefficient use of time and resources. The unavailability of a generally accepted standard for Service Provider assessments further aggravates the problem. To overcome these issues and challenges, DSCI as an industry initiative seeks to establish a well-defined Assessment Framework in order to have a universal assessment approach that can be used to assess different organizations.


Need for Assessment Framework


As buyers of Information Technology (IT) and Business Process Outsourcing (BPO) services become sensitive and demanding, organizations are challenged to achieve new levels of efficiency, agility and transparency in service delivery and protection of information. Clients increasingly expect real evidence of robust process management, continuous improvement, effective governance, and measures adopted for ensuring Information Security and Privacy. In order to understand the challenges that are faced by both service providers and client organizations, DSCI carried out a study on the Assessment Framework1. The results of the study highlighted that the number of Service Provider assessments grows with the number of Clients or Service Providers that an organization is engaged with. This is illustrated by the finding that clients working with 500 Service Providers conduct more than 100 Service Provider assessments annually, and those with 200 and 300 Service Providers conduct 10-50 and 50-100 Service Provider assessments respectively. Likewise, Service Providers engaged with 800 clients undergo 100-200 assessments, and those with 700 and 600 clients undergo 50-100 assessments.

Client Concerns / Requirements
- Rising volume of Requests to Audit
- Effort and cost of conducting audits
- Lack of standardized assessment
- Quality of third party assessment
- Inefficiencies & redundancies at service providers

To add to the rising volume of Requests to Audit, there is a huge amount of effort as well as cost, which creates a burden for both service providers and client organizations. According to a Gartner report2, most companies spend more than $100,000 for an in-depth assessment. Many clients have indicated that on an average the assessment cost is in the $20,000 to $40,000 range, and if a vulnerability or application security assessment is required, then it is an additional $10,000 to $40,000 per application. Time and travel costs for a security team to conduct an assessment overseas, such as in India, can exceed $150,000. When asked to estimate work hours spent per year on assessing vendors, service providers and business partners, the responses highlighted that more than 30% spent 3,000 to 15,000 hours per year, assuming a devoted Full Time Employee (FTE) works 1,880 hours per year. This translates into two to eight employees devoted to security assessments per year. Fifteen percent of the respondents spent approximately 5,000 to 10,000 hours a year on assessing the security controls of vendors, partners and providers. And a further 20% of the respondents indicated that they spent a total of 10,000 to 30,000 hours a year evaluating each of the three groups. That breaks down to 24 to 72 employees a year or, if the hours are actually shared among assessing service providers, vendors and partners, eight to 24 dedicated employees for 20% of the companies surveyed.

"Most companies spend more than $100,000 for an in-depth assessment; with travel cost and time, this goes to $150,000." - Gartner

Another challenge is the quality, inefficiency and redundancy of third party assessments. It has been found that many security groups lack a formal process for integrating security and privacy into the vendor management program and are frequently asked to vet the security controls of third parties without any additional budget or support from the sponsoring business owner. This is largely indicative of a systemic problem, where the security group is brought in after the contract is signed with an outsourcer, and especially a business partner. Some of these challenges have forced organizations to look at alternate methods of assessment. DSCI Assessment Framework (DAF) is an effort in that direction and aims to address exactly the issue of multiple assessments, while ensuring that the security preparedness of organizations is taken into cognizance and providing them with the capability to continuously improve their security maturity.

1 DSCI Service Provider Assessment Framework, p9: http://www.dsci.in/node/541
2 Gartner, "Survey Highlights Company Burden of Vetting Third-Party Security Controls", published 17 October 2008, ID: G00162100

Key Business Drivers for Assessments


The DSCI Survey on Assessment Framework highlights that a majority of the Clients consider protecting business sensitive information, and mitigating security & privacy risks, as the critical business drivers for conducting Service Provider assessments. On the other hand, Service Providers report that Clients' corporate policy requirements, and achieving end customer confidence, are the main reasons which drive their Clients to conduct assessments. Some of the key business drivers from both the client and the service provider perspective are given below:

Client and Service Providers - Business Drivers for Assessment Frameworks
- Protecting business sensitive information including intellectual property
- Mitigating security and privacy risks that exist in outsourcing arrangements
- Addressing the security and privacy concerns of some of the key stakeholders within the organization
- Achieving end customer confidence and preventing loss of reputation by mitigating risks of privacy / information leakage that may arise at the Service Provider's end
- Strengthening of the data protection regime in the geographies where organizations operate, stipulating stringent requirements and heavy fines for a data breach
- Data protection regulations demand that organizations undertake regular assessments of third parties
- Corporate policies require organizations to undertake a comprehensive vendor risk assessment
- Addressing security and privacy risks that arise from use of emerging technologies
- Using Service Provider assessments as a mechanism to foster a culture of compliance at all Service Providers and introducing a sense of competition among them with regard to fulfillment of their data security and data privacy needs


Assessment Challenges
After establishing the needs and key business drivers, DSCI studied the challenges that Service Providers and Clients regularly face. This was important to ensure that DSCI addresses the challenges that have emerged from both the Client and the Service Provider perspective.

Interestingly, it was observed that Clients see the comfort provided by certifications like ISO 27001, which can end up standing in for a substantive assessment, as one of the critical challenges faced by Client organizations in assessing Service Providers on Information Security & Privacy. A majority of Service Providers perceive the high number of assessments around the year as one of the most significant challenges. This difference of opinion regarding the challenges faced by Client and Service Provider organizations clearly indicates the need to develop a robust assessment solution that meets the requirements of both parties.


Prevalent Assessment Frameworks / Models


DSCI studied various assessment frameworks for their advantages and disadvantages when applied to Client driven Service Provider assessments. The following criteria were chosen for comparing the assessment frameworks / models:
- Assessment areas / ease of use by the organization being assessed
- Assessment methodology / scoring pattern
- Sharing of assessment results
- Acceptability / popularity of the framework
- Independence of examiners
- Frequency of framework update to cater to future requirements

A summary of each framework is provided below:

Malcolm Baldrige National Quality Award Program


The Malcolm Baldrige National Quality Award program uses the Malcolm Baldrige Assessment Framework to assess the quality of the applying organization in seven areas that are critical for an organization. The framework is based on the processes implemented and the results achieved. The assessment methodology requires a self-assessment by the organization applying for the Award, which assists in dissolving the disparities between small, medium and large sized companies, and in the way control is implemented at the organization level. The framework assigns separate weights to each individual area. However, the framework does not provide quantitative requirements for the criteria laid down. The requirements are subjective, because of which the results when examined by different examiners may not be reproducible.

Capability Maturity Model Integration (CMMI)


The framework was developed by the Software Engineering Institute (SEI) in an attempt to integrate several disciplines such as Process and Product Development, Acquisition and Supplier Sourcing. The framework is focused towards software development organizations, though it can be implemented across varied organizations. The framework can be implemented using the Staged or the Continuous representation. The Staged representation provides a Maturity Level for the organization, and the Continuous representation provides Capability Levels as a measure assigned individually against each process area. The framework is flexible and provides opportunities to organizations for undertaking the activities according to their organization specific environment. For assessments the framework undertakes a process based approach, thereby adding value to the organization in the process of being assessed for maturity.


BITS Shared Assessment Program


The financial services industry increasingly relies on IT Service Providers to support the delivery of financial services. The BITS Shared Assessment Framework was developed by the BITS IT Service Providers Working Group to address the concerns arising out of increased regulatory scrutiny of financial institution risk assessment and management of outsourced IT services. The Framework adopts a risk based approach for conducting the assessments. It can be used as a reference to develop a common understanding of the financial services industry's needs among Service Providers, and to help address the known control weaknesses in outsourced IT services, thereby resulting in more consistent and appropriate levels of management by financial services companies that outsource their IT services.

The eSourcing Capability Model for Client Organizations (eSCM-CL)


The eSCM was developed by a consortium led by Carnegie Mellon University's Information Technology Service Qualification Center (ITSqc). The eSCM is a best practices capability model with two purposes: (1) to give Client organizations guidance that will help them improve their capability across the sourcing lifecycle, and (2) to provide Client organizations with an objective means for evaluating their sourcing capability. The Model aims to assist Client organizations in continuously evolving and improving their capabilities to develop stronger, enduring and more trusting relationships with Service Providers, while meeting the dynamic demands of business. The eSCM model provides organizations the flexibility to choose between framework based use (using the framework as best practices) and evaluation based use (using the framework to undertake a formal assessment). The eSCM for Client organizations is composed of 95 practices covered under three dimensions - Sourcing Life-cycle, Capability Area, and Capability Level.

CRISIL Rating Methodology


CRISIL rates companies in a variety of sectors. Since each sector has its own nuances, CRISIL has customized rating criteria and methodology for each sector to make the ratings exercise apt and meaningful. Extensive research is undertaken by CRISIL before assigning a rating to an organization. The rating methodology adopts a risk-based approach, thereby helping the organization align its activities with the risks that matter.

Moodys Working Paper


Moody's rates companies / covenants in various sectors and industries. It also reports on market norms, which are dynamic and may vary over time, by sector and by region. Moody's covenant framework focuses on providing a point in time assessment, with ongoing monitoring of covenants. Moody's assessment is also based on the risk associated with the covenant.


Requirements of Assessment Framework: what it should cover


DSCI, through its study of prevalent frameworks and based on its discussions with client and service provider organizations, compiled the requirements for an assessment framework. Most of the clients and service providers believed that the assessment program should comprise a framework, processes, and methodology for assessments. It should provide an organization-wide security and privacy maturity rating, and domain-specific maturity ratings that may be shared in the ecosystem after taking due permission of the Service Providers. The advantages of prevalent assessment frameworks, such as adaptability, flexibility, comprehensibility of assessment areas, and a process-driven, measurement-based assessment process, should be the characteristics of the Service Provider assessment framework that may be developed. The framework should ensure that:
- The assessment model does not become an overhead for an organization. It should be able to provide specific improvement opportunities that an organization can imbibe
- Assessment criteria are transparent to the extent possible
- The assessment is reviewed at least on an annual basis by a competent set of technical and process experts, preferably comprising DSCI members, members from third party assessors, and the industry
- The assessment framework is applicable regardless of the size of the organization and the nature / complexity of its processes. For this purpose, the assessment methodology adopted should contain a preliminary set of questions that can be self-assessed by an organization
- The assessment framework provides opportunities to organizations for implementing / performing the control activities according to the needs of the organization's specific environment
- The framework follows a process approach and outlines measurable assessment areas. Assessment areas which link to specific business processes in an organization are easy to align with overall business goals and objectives
- The framework provides both assessment area / domain based maturity ratings and an organization-wide security and privacy maturity rating that summarizes the appraisal results and permits comparison among organizations
- The assessment model is easy to comprehend and companies are able to adopt it on their own
- All assessment areas are broken down into a detailed list of specific and measurable steps that are easy to comprehend for assessment purposes


Clients and service providers believed that a new framework mapped to prevalent standards should be considered as a potential assessment standard for third party assessments of Service Providers. Since the DSCI Security Framework (DSF) is a compilation of best practices, takes cognizance of the various standards, practices and industry trends, and is designed to enable an organization to establish a particular function (discipline) within the organization, it is best suited as the reference for the DSCI Assessment Framework (DAF).

"Information security rating that takes care of People, Process as well as Technology issues will be accepted as a proof of sound security practice." - Forrester

The Assessment study recommended that DSCI as an industry initiative and a self-regulatory organization having representation from both the Client and Service Provider organizations should empanel auditing firms for conducting independent third party assessments.


DSCI Assessment Framework (DAF)


Any Assessment Framework needs to be based on the requirements of the industry and hence requires a closer look at the various services or delivery models that the IT/BPO industry provides. The IT/BPO sector is recognized for its diversity, transformation capability and innovation. It aligns itself with the business verticals for better serving the lines of business and service integration. The scale of operations is expanding with the multiple clients the industry is serving across geographies. It offers various lines of services such as business processing, knowledge processing, legal processing, remote infrastructure management and application development and maintenance. The following diagram represents the variations of the IT/BPO industry from an assessment perspective (reproduced here as a list):

1. Service Specific: BPO, KPO, LPO, SOC, ITO, ADMS, Application Support, Testing
2. Industry Specific: Finance (Banking, Stock Exchanges, NBFCs, etc.), Manufacturing, Government, IT (Products, Services), Retail, Transport, Telecom, Health, Pharmaceuticals, Food, Entertainment, etc.
3. Vertical Specific: Administration, HR, IT, Finance, Sales & Marketing, Vendor or Customer Management, etc.
4. Compliance Specific: HIPAA, GLBA, EUDPA, PIPEDA, etc.
5. Specialisations: Payroll & Accounting, Application Support, Call Centre, etc.
6. Technology wise: Cloud Computing, Grid Computing, etc.
7. Mode of Services: Remote / Onsite
8. Combination of any 2 or more of the above, for example a BPO handling only customer care operations for the banking industry (BPO + Call Centre + Banking), or a BPO handling security services for the telecom industry (BPO + SOC + Telecom)


Approach for DSCI Assessment Framework


The challenges of assessment are immense. However, at a broad level two scenarios emerge with respect to the security preparedness of an organization: (i) To get an overall idea of where an organization stands in terms of security preparedness. This can be better achieved by evaluating areas such as security strategy, direction, culture, technology competence, compliance, and implementation, based on information provided by the service provider. (ii) A detailed insight into the performance of the organization in one or more areas, depending on the specific requirements. For example, if a service provider is offering application development and maintenance services, it would be prudent to assess its practices in application security in detail. As the provider is offering this service to multiple clients, the insight into its maturity in application security would add critical information on its ability to deliver secure services. DSCI delved into both these scenarios for deriving its approach towards the assessment framework. The figure below depicts the conceptual framework of DAF. It proposes two assessment methods to address the distinct requirements that arise while commenting on the security preparedness of a service provider.

Salient features of Light Weight Assessment:


(i) A lean methodology to provide a quick overview of security, which can be used to identify, at a high level, the comparative standing of an organization in terms of security preparedness
(ii) Depends primarily on the information filed by the service provider in a predetermined information request form or questionnaire
(iii) Assessors or DSCI empanelled auditors evaluate a service provider based on a methodology derived for the assessment
(iv) Information filed by the service provider is evaluated against the assessment areas and the sub assessment points. Weighted scores of the sub assessment points and assessment areas help derive the overall score of an organization


(v) The assessment areas, sub-assessment areas and assessment criteria reflect the ideas and principles articulated by DSF
(vi) This method can be applied equally to both service provider and user organizations

Salient Features of Discipline Specific Assessment based on DSF


(i) It is a discipline centric assessment, where each discipline presents a strategy and methodology for assessing the maturity of a service provider's competence in that particular discipline
(ii) It deploys different methods of gathering inputs for the assessment, such as information filing, questionnaire response, interview of the assessee organization, field visit and technical assessment
(iii) Assessment will be performed by an empanelled auditor of DSCI
(iv) It evaluates the performance of an organization against the relevant and current practices prevalent and evolving in the security market
(v) It promises to benchmark strategic initiatives, technical directions, architectural arrangement of solutions, tactical mechanisms, operational strategies and processes
(vi) Each discipline is defined with distinct areas of assessment. The maturity metrics defined for each discipline by DSF are used to evaluate the areas of assessment. The maturity metrics are mapped to the assessment areas
(vii) Within a discipline, the maturities of the assessment areas are derived separately. The overall maturity of the discipline is a function of the maturities of its assessment areas
(viii) The competence, skills and knowledge of the assessor is a critical success factor
(ix) Knowledge management is an important aspect of this assessment, as it has to ensure relevance and realism in the outcome
(x) This method can be applied equally to both service provider and user organizations

Structure of DSCI Assessment Framework


DSCI Assessment Framework (DAF) promises a structure for performing assessments of service providers. The success of the framework lies in how effectively it provides transparent and responsive assessment services. The following diagram represents the DSCI Assessment Framework (DAF): the flow diagram reflects the overall mechanism of DAF and provides alternatives for an organization to choose from. A company may choose to get itself assessed through an empanelled auditor or through a mechanism of self-assessment, depending on its size and specialty.


Key Features of DAF


(i) Effective management of assessment requests for timely and cost-effective delivery of outcomes
(ii) Establishing an ecosystem of competent and skilled auditors
(iii) Relevance, realism and dynamism in assessment through a continuous feed of knowledge
(iv) Significant focus on the knowledge and skills of the auditors
(v) Transparent evaluation of maturity with measurable metrics, assessment criteria and assessment methods
(vi) Focus on capturing multi-directional inputs for assessment
(vii) Secure and effective management and sharing of results

Managing Assessments under DAF


The flow chart provides organizations an option to share their assessment results with their clients or make them open to the public. This creates a mechanism for them to market their competence to the various clients who are looking to outsource their activities to service providers. DAF allows organizations to benchmark their security and privacy practices against their peers and competitors. The maturity rating provided by DSCI allows an organization to continuously improve its standards and practices. The assessment framework carefully takes into account the details of the organization's facts, which allows clients to make prompt and informed decisions on outsourcing their operations to such service providers. Evaluation under the DAF would allow the industry to benchmark and create a mechanism in which an organization's rating would be directly proportional to the minimum service guarantee that it can promise. The same concept has been developed to capture an organization's competence in specific disciplines. The assessment framework provides options for a service provider to do a self assessment or to appoint an empanelled auditor to carry out an assessment. DSCI will develop a process to empanel the auditors by developing training programs and certification models. The maturity ratings that DSCI or DSCI empanelled vendors / auditors provide will be based on the type of assessment that an organization opts for.


Light weight Assessment


The light weight assessment primarily focuses on two aspects: organizational characteristics and security characteristics. Organizational behaviour is critical in determining the culture, response and direction with respect to security, while security characteristics reflect the specifics of security initiatives, approach, structures, strength and governance. The light weight assessment focuses on these two aspects, and the information filing questionnaire is built to capture details on them.

Organization characteristics indicate the overall strategic direction of an organization and its culture towards security. The maturity of its initiatives and implementations depicts its capability and discipline in terms of security. The organization characteristics are supported by the factual details the organization provides, which are used to ascertain the competence and overall characteristics of its security function. Security characteristics evaluate the overall approach of an organization towards security, the structure of its security initiatives and programs, and how they are reflected or spread across each process, whether in-house, outsourced or client driven. The assessment tries to evaluate the strength of the technical and procedural measures adopted to establish security. Overall governance and management of security efforts, and operational competence in terms of skill sets, training and awareness, are also covered under this aspect.

Light Weight Assessment Exercise


The following summarizes the process for the light weight assessment:
(i) The exercise is spread across twelve assessment areas
(ii) Each area is assigned a weight, with the area weights summing to a total weighted score of 100
(iii) Each area has sub assessment points, each of which is also assigned a weight
(iv) The performance of the organization is recorded for each sub assessment point on the weighted scale
(v) The scores of the sub assessment points are combined into the score of the assessment area
(vi) The total score of the organization is derived from the weighted scores of the assessment areas
The diagram below explains how weight is assigned to sub assessment points, how an individual assessment point is scored, the weights of the assessment areas, the resulting scores of the assessment areas and the total score of an organization.
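As an added worked example (not part of the DSCI document, which shows this computation only as a diagram), the following Python carries the two-level weighted scoring through end to end. It assumes that sub-point weights within an area sum to 100, that area weights sum to 100, and that performance is recorded on a 0 to 100 scale; the three area names, weights and performance values are constructed for illustration and are not any assessee's data.

```python
"""Two-level weighted scoring as described for the light weight assessment.

Added example, not part of the DSCI document. The area names, weights and
performance values below are constructed for illustration only.
"""
from dataclasses import dataclass, field


def check_weights(weights, label):
    """Refuse to score when weights do not sum to 100: a silent mis-weighting
    would make one organization's score incomparable with another's."""
    total = sum(weights)
    if abs(total - 100.0) > 1e-9:
        raise ValueError(f"{label}: weights sum to {total}, expected 100")


@dataclass
class SubPoint:
    name: str
    weight: float       # share of the parent area; sub-point weights sum to 100
    performance: float  # assessor's rating on a 0..100 scale (assumed scale)


@dataclass
class Area:
    name: str
    weight: float       # share of the total; area weights sum to 100
    sub_points: list = field(default_factory=list)

    def score(self) -> float:
        """Area score on a 0..100 scale (step v of the process)."""
        check_weights([s.weight for s in self.sub_points], f"sub-points of {self.name}")
        return sum(s.performance * s.weight / 100.0 for s in self.sub_points)


def area_scores(areas) -> dict:
    return {a.name: round(a.score(), 2) for a in areas}


def total_score(areas) -> float:
    """Organization score = area scores weighted by area weight (step vi)."""
    check_weights([a.weight for a in areas], "assessment areas")
    return sum(a.score() * a.weight / 100.0 for a in areas)


# Constructed sample: three of the twelve areas, with weights rescaled to sum to 100.
SAMPLE_AREAS = [
    Area("Security Strategy", 40, [
        SubPoint("Strategic components present", 30, 90),
        SubPoint("Business alignment", 30, 80),
        SubPoint("Investment commitment", 40, 40),
    ]),
    Area("Compliance Management", 30, [
        SubPoint("Compliance knowledge upkeep", 50, 30),
        SubPoint("Process efficiency", 50, 40),
    ]),
    Area("Threat Response", 30, [
        SubPoint("Enterprise wireless threat coverage", 50, 10),
        SubPoint("Security testing / assurance", 50, 30),
    ]),
]

if __name__ == "__main__":
    for name, score in area_scores(SAMPLE_AREAS).items():
        print(f"{name:28s} {score:6.2f}")
    print(f"{'Total':28s} {total_score(SAMPLE_AREAS):6.2f}")
```

Run stand-alone it prints area scores of 67, 35 and 20 and a total of 43.3, i.e. an organization below 50% of the total, as in the sample evaluation discussed next. The weight check is the practitioner's safeguard: if either level of weights does not sum to 100 the score is refused rather than silently skewed, which is what keeps scores comparable across organizations.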

This method provides a quick but important insight into the state of an organization in the designated assessment areas. The above representation of a sample evaluation of an organization provides the following key inputs on its security:
(i) The overall performance of the organization stands below 50% of the total. The relative position of the organization will come from comparison with others
(ii) While the security strategy of the organization looks good, with all desired strategic components present, significant effort dedicated to ensuring business alignment and a mature process followed for strategy definition, the organization fares only average in translating the strategy into practice with adequate commitment to investment
(iii) The compliance processes need to be revitalized, as significant inefficiency is observed in them. The efforts on understanding, interpreting and updating compliance knowledge seem inadequate
(iv) A serious lag is observed in the threat response capability of the organization. For one, there is a deficiency in the technical architecture, which comes from the absence of an enterprise-level solution for addressing threats coming from wireless
(v) The organization spends little effort and few resources on building its assurance capability, such as security testing
(vi) Security delivery in the services offered by the organization shows a reactive approach. It is left more to client attention and requirements than to proactive initiatives


Discipline Specific Assessments based on DSF


The scope and reach of the security function has been expanding with the innovative and extensive use of IT for business transactions, the changing nature of IT infrastructure, and the ability of threats to impact the security posture from different directions and at different layers. This, coupled with new understanding, approaches, trends, technologies and practices, has led to the emergence of areas such as Application Security as extensive disciplines of security. These disciplines require treatment that matches their challenges, requirements and potential. The disciplines are becoming characterized by the specific approaches, practices, technologies and skills developing under them. An organization's maturity in these disciplines now determines its overall maturity. Hence it becomes important to draw attention to these disciplines of security.
Discipline Centric Approach: DSF presents its approach under 16 disciplines. Each security discipline, as depicted in the diagram, has a specific approach advocated for the challenges it faces. Specific trends and practices have emerged to address the specific requirements of a discipline. The security market, of both technology products and services, provides solutions specific to the discipline.


A security discipline such as Application Security (APS) now requires attention from both the strategic and the implementation perspective. DSF helps in benchmarking and improving an organization's strategy in each of the security disciplines. This is supported by detailed implementation guidance. DSF also provides maturity metrics for each discipline.
Structure of DSF: DSF presents a specific structure for articulating the content under each discipline. It presents the content in three sections, as follows:
Strategy building: Each discipline deserves strategic treatment. This section recommends approaches and processes for conducting the strategic review. It helps management to provide strategic direction to the organization's security initiatives in a discipline.
Implementation guidance: DSCI recognizes the need for detailed guidance on systematically planning and implementing security in the organization. This section, in each discipline, compiles the best practices for the security implementer.
Maturity criteria: Each discipline is provided with a set of metrics to measure its maturity. These metrics reflect the criteria for measuring the outcome of security initiatives in a discipline. DSF defines a total of 170 maturity criteria across the 16 disciplines.
DSF thus brings distinct advantages to the security assessment of an organization, which are summarized below:
(i) Focus on the strategic direction, tactical mechanisms for governance and maturity of security operations
(ii) Assigns importance to key aspects of security capability management, such as responsiveness to threats and aligning protection to threats
(iii) Provides performance metrics that are outcome based and keep their focus on assessing the actual delivery of security
(iv) Focus on the coverage of the security program and the accuracy of solutions
(v) Helps in gaining insight into how security components, elements and actions are positioned, and how they work in tandem to deliver the desired levels
(vi) Provides an approach to benchmark the assessee organization against the evolving strategic options in security
(vii) Helps in evaluating management practices with respect to security, such as:
 - Organizational understanding of security
 - Management of IT infrastructure (or simply Infrastructure Management)
 - Resource allocation for security
 - Operationalization of security capability
 - Efficiency in compliance management
 - Integration and convergence with other organizational functions
 - Management of information and knowledge, and its integration with security operations
 - Problem and incident management
 - Security services management
 - Policy management and enforcement
(viii) Helps assess management of the business ecosystem: partners, service providers and externally provisioned systems


Assessment Areas
DSF articulates best practices in a particular manner in each of the disciplines. Apart from presenting a specific approach to managing the affairs of a discipline according to DSCI principles, it tries to cover all aspects of that discipline. For example, the DSF security discipline Threat and Vulnerability Management (TVM) articulates practices covering the areas depicted in the figure. For the management of threats and vulnerabilities, an organization should pay careful attention to these areas, which determine where the organization stands in managing threats and vulnerabilities. The maturity of TVM can be derived by evaluating and benchmarking the organization against these areas. For each discipline, DAF defines these assessment areas.

Maturity Metrics
DSF provides maturity metrics for each of the disciplines. These metrics are used to evaluate the performance of the Assessment Areas. In the case of the discipline Threat and Vulnerability Management (TVM), the maturity metrics shown in the figure are used to conduct a detailed evaluation of an organization's performance. The evaluation of an organization in TVM is carried out for the Assessment Areas against the maturity metrics, which necessitates mapping these metrics to the Assessment Areas. The sample report in the next section shows how the Assessment Areas are mapped to these metrics. DSF best practices and the knowledge feed provide the inputs an assessor needs to evaluate the maturity level of an Assessment Area. For this type of assessment to succeed, knowledge and comprehension of the relationship between the assessment areas and the maturity metrics is an important factor.

Information Gathering and Assessment Method


The rising complexity of managing security affairs poses critical challenges to security assessment. On the other hand, security threats and compliance requirements demand responsive, realistic, transparent and demonstrable performance from security programs. As the assessment areas become more and more granular, with their state becoming increasingly important in determining the security posture, a multi-pronged approach is required for gathering information and assessing the area under evaluation. DAF proposes five different means of gathering information and assessing an area, as shown in the figure. Some of the techniques, such as Information Filing and Questionnaire, do not require direct interaction between assessor and assessee and can be used for self-assessment. These techniques bring factual and qualitative inputs; they can be used to comment on the state of security based on the facts and the quality of the responses. Other types, such as Interview and Field Visit, give more detailed insight into how exactly security affairs are being managed. They also bring the opinion and perspective of the assessee to the table, helping build a comprehensive understanding of the reasoning behind the specific steps or set of actions the organization is taking. These techniques also provide significant technical inputs. Moreover, they provide crucial information on operational maturity, the style and characteristics of the function, the ability of an element to integrate with other functions, and the overall outcome of many items and elements functioning together. Technical Assessment is intended to provide information on the technical security posture; it involves a set of technical actions performed by the assessor. In discipline-specific assessment, DAF proposes using a mix of these techniques depending on need, requirements and feasibility. However, it requires that the information gathering technique and assessment method be recorded. This helps build trust in the outcome of an assessment: users of the assessment report are then aware of the depth and breadth that was covered in making a particular observation or comment.

Maturity Rating of Assessment Areas


As discussed earlier, DAF assessment is fundamentally carried out at the level of the Assessment Area. The outcome of the evaluation of an area is depicted as shown in the figure. It conveys three things: (i) the mapping of Maturity Metrics to the Assessment Area (ii) the Information Gathering and Assessment Methodologies used (iii) the maturity rating of the Assessment Area in a discipline. The overall maturity of the discipline is the average of the individual maturities of its Assessment Areas.


SAMPLE ASSESSMENT REPORT


Threat & Vulnerability Management (TVM)


ABC IT Services Ltd.

ABC Threat and Vulnerability Management | Result Summary


Organizational Profile

ABC IT Services Ltd. ABC is a mid-size IT services company with a presence in 20-plus countries, offering diverse lines of service to 200-plus clients. Although it is still a small part of the business, ABC has recently moved into offering business process services, including knowledge services. Apart from IT services, ABC has a strong presence in most geographies and serves mostly enterprise clients. ABC's IT services business takes advantage of contemporary infrastructural arrangements to serve its clients across the globe. With more than 1000 projects under service, infrastructural arrangements with client organizations introduce significant complexity and diversity into the IT infrastructure. For managing corporate applications, the business relies heavily on IT systems and takes advantage of the latest trends in infrastructure management and the software market. ABC is in the process of deploying standardized IT infrastructure management processes. It is an ISO 27001 certified organization.

IT Infrastructure

TVM Perspective

The IT infrastructure profile of ABC is quite complex, driven by its client requirements and its own corporate requirements:
(i) Corporate applications deployed over the Internet expose the organization to cyber threats
(ii) Clients of the IT services and their requirements have contributed to the diversity of the infrastructure deployment
(iii) Factors such as serving different geographies and handling different sets of requirements expose the organization to a varied set of compliance requirements
(iv) The varied sensitivities of the projects under service demand a granular approach to the management of threats and vulnerabilities
(v) The IT infrastructure is a mix of legacy and new-generation IT systems
(vi) The infrastructure reflects trends such as virtualization. The organization offers its employees all contemporary collaboration tools. Some services are hosted at a third-party provider and some are procured from cloud service providers. Some IT services are also sourced from the market
(vii) With the advent of wireless and mobility, business users demand maximum flexibility, leading to increasing adoption of the same

TVM Facts

Infrastructure: The IT services line of business reflects a mix of client and organization hosting. Corporate applications are hosted on the organization's premises, and some of them on third-party hosting
Network: Varied ownership patterns (client-owned as well as ABC-owned); combination of shared and air-gapped networks
Infrastructure Management: ITIL implementation for infrastructure management is in progress
Infrastructure Environment: Production, Development and Test
Systems: SOE of servers, either client driven or the organization's own standards
Endpoints: Varied standards of endpoints
Collaboration: The organization's collaboration platform; employees also get access to client collaboration tools
TVM Controls: Standard set of controls as offered by the organization; client-preferred controls in select projects
TVM Solutions: Firewall; Enterprise Antivirus/Anti-spyware; Intrusion Prevention; Content Filtering & Monitoring; Email Protection; Web Protection; Endpoint Protection (FW/IPS, AV); Patch Management
TVM Services: VA/PT [Quarterly | In-house]; Monitoring [Daily | In-house]; Device Management [In-house]; Application Security Testing [In-house]
Security Management: Localized security monitoring; Governance & Compliance function; ISO 27001 certification

Informed Management of IT Infrastructure


Maturity of infrastructure management has serious implications for an organization's capability to run a responsive threat and vulnerability management function. An organization's ability to respond dynamically to threats and vulnerabilities depends on how well it manages its infrastructure. The following comments compile the infrastructure management practices of ABC from the perspective of threat and vulnerability management.
(1) The infrastructure management practice of the organization reflects a reactive and conventional approach. This leads to inadequate organizational understanding of the state of security of critical IT assets:
 - Central visibility of the distribution of IT infrastructure is lacking
 - The security function has to struggle to compile information on IT assets
 - Client-driven deployment of infrastructure leaves the security function unaware of critical information
 - Many legacy systems and customized solutions deployed in some departments are not covered under central oversight
(2) Although the organization has a fair idea of the dependency of its critical businesses on infrastructure components, a structured compilation of business dependency information is lacking. Because of this, some critical linkages between business and IT remain hidden from organizational understanding
(3) The lack of mapping of business requirements to IT assets, their configuration changes and specific expectations leads to misalignment between the business goals for TVM and actual practice. It also leaves gaps in estimating the business loss that exploitation of a vulnerability may cause
(4) Recently there have been attempts to standardize and harmonize the IT infrastructure. The current infrastructure still reflects significant diversity, which seriously impacts the prospect of improving the maturity of threat and vulnerability management. This is evident from the following examples:
 - Business dominance in the procurement process results in significant diversity. This is expected to change as a central demand management process is being implemented
 - Server systems represent many manufacturers' brands and operating environments
 - Corporate applications run on different platforms, with indigenous choices of front end, middleware and database
 - The versions of operating environment, middleware and databases being maintained are not current. Application dependencies do not allow the organization to upgrade them
 - IT environments, especially development and test, show the greatest diversity
 - Significant diversity is observed in networking equipment, its deployment and its configuration
 - Endpoints show the least diversity; however, with the advent of mobility this is gradually changing
 - Client service delivery requirements contribute the most to diversity in both server and endpoint systems
 - Security infrastructure also reflects diversity in brands, variants and choices of solution
(5) The organization has not yet adopted an enterprise-wide refresh cycle for infrastructure. This results in the presence of many legacy systems
(6) The organization is in the process of implementing ITIL, which will change the way infrastructure is managed. At this point, threat and vulnerability management cannot leverage the benefits of a mature infrastructure management process
(7) As infrastructure management processes such as service management, configuration and change management, and problem management are not yet mature, it is difficult to ensure effective and responsive threat management
(8) There is no mechanism that gives the organization the desired level of visibility over its infrastructure. This limits the ability of the TVM function to build a high-level picture of the state of the infrastructure, and to understand the detailed state of the organization's units and compare them

TVM Preparedness
The corporate applications, on the one hand, and the client requirements, on the other, drive the TVM preparedness of ABC. The following observations state the level of its preparedness.
1. Scope and coverage of the TVM program
The coverage of the TVM program is reflected by the following observations:
(i) The TVM program extends its coverage to vulnerabilities emanating from the network, endpoints, email, messaging and the web
(ii) Although the TVM program covers the enterprise infrastructure, some departments and the legacy network are outside the purview of the enterprise program. Policies and preparedness in these departments and the legacy network are localized
(iii) In some client projects, the controls and responsibilities for threat and vulnerability management are owned by the client organization. Where ABC is involved in operations, it has to comply with the responsibilities assigned by the client
(iv) There is no significant initiative to bring the systems and services offered by external service providers under the enterprise TVM program
(v) The IT environments other than production are not properly and consistently covered by the TVM program. Even in the production environment, application of the TVM program is not consistent on systems where application compatibility is an issue
(vi) For mobility, the TVM program relies on the built-in security capability of mobile devices
2. Architectural direction
The TVM preparedness of the organization falls short of addressing some important concerns. Examples of the deficiencies in architectural direction are:
(i) Wireless security
 - Absence of a competent solution for threats emanating from wireless devices, while increasing adoption of wireless computing is evident
 - For wireless security the focus is primarily on protocol encryption rather than a proactive, enterprise-level approach with a managed solution for monitoring and preventing wireless devices
(ii) Mobile security
 - The organization is responding to the mobile trend by allowing employees to use mobile devices. Secondly, a significant number of employees are provisioned with laptops that connect through home and public networks. The existing TVM architecture is not equipped to address threats originating from mobility
(iii) Virtualization
 - Although virtualization is increasingly adopted for production as well as development environments, there is no mechanism for managing the vulnerabilities of the virtual infrastructure
(iv) Application security
 - Application development and maintenance is an important line of service, contributing a significant share of ABC's business. For application security it relies on incidental testing of applications, done primarily by quality resources with freeware tools. The same is followed for its own corporate and business applications
 - There is no plan to deploy, or have an arrangement for, an enterprise-level application vulnerability testing mechanism
(v) Response mechanism
 - The current TVM architecture does not provide contemporary threat response capability. Review of the logs of the solutions is left to manual effort. The reports generated by the solutions are analyzed manually to identify discrepancies or incidents. The response and remediation process is rudimentary and relies on manual intervention
3. Characteristics of the TVM architecture
The following summarizes the characteristics of the current TVM architectural arrangement:
(i) Gaps in architectural choices
 - A proactive defence against security threats demands a focus on configuration management and on vulnerability detection and remediation. These pieces are missing from the TVM preparedness of the organization
(ii) TVM solution competence
 - Although the organization has deployed a set of solutions for managing threats and vulnerabilities in its infrastructure, the competence of the solutions does not match the relevant security market trends
 - The firewall and intrusion prevention system are old-generation devices. They do not provide capabilities such as real-time detection and prevention, active blocking of connections, deep inspection of traffic, and content- and context-aware decision making. These competences are recognized for their ability to deal with new-age threats
 - Endpoint protection solutions still rely on signature-based defence. Competence in real-time techniques for detecting new and targeted threats is missing. Secondly, location-based policy enforcement is missing, which could add a level of protection for wireless access and remote connectivity
(iii) Device management
 - The solutions deployed for threat and vulnerability management either lag in providing centralized management capability, or their deployment does not make use of it
 - Policy creation, amendment and deployment are performed locally. Policy configuration and implementation tasks are not straightforward; there is a fair bit of complexity in managing them
 - The current arrangement does not provide effective centralized visibility into critical events, requiring human intervention to filter them from trivial and low-level events. Immediate drill-down into important issues is cumbersome and consumes significant time
 - Policy and alert management remains a pull mechanism in which the security administrator visits the device management console at his or her convenience. Even though some of the solutions can integrate alerts with SMS and email, this has not been deployed yet

Patch Management
Patch management is an important element of the threat and vulnerability program. ABC has undertaken it as a part of infrastructure management, with a specific focus from the security perspective. Patch management is on the agenda of IT operations primarily because of compliance obligations, client requirements and business security requirements. The following statements reflect the state of ABC's patch management initiative.
(1) The organization has deployed a centralized patch management system, primarily for Windows-based infrastructure
(2) Some departments and the legacy systems are beyond the coverage of central management; they follow localized patching practices
(3) The server infrastructure is diverse, characterized by different OEMs, operating platforms and configurations. Application reliance on particular configuration sets makes patch management all the more difficult. These are the reasons cited for not extending the scope of central patch management to a significant number of server systems
(4) Varied levels of maturity of patch management are observed across infrastructure components. It is more mature for Windows endpoints and less so for databases and applications
(5) Although deployment of virtual infrastructure is increasing, the question of patch management for virtual environments is not yet solved
(6) For systems not covered by the automated patching mechanism, the trigger for patching is the vulnerability assessment performed quarterly. This may lead to a significant lag in the closure of a vulnerability or exposure
(7) The organization is on its way to implementing ITIL processes. At present it does not provide integrated, automated and measured remediation for patching of critical systems
(8) Configuration management is still a manual process and works in a silo from patch management
(9) Some networking devices, a couple of routers and a switch in the central network, were found running a vulnerable IOS version
(10) An application hosted at a third-party service provider is running on an insecure platform. It was also found to run on a vulnerable version of a CMS. A design flaw has tied the application to that CMS version, forcing it to run on the vulnerable version
(11) Metrics for patch management are not properly defined, and reporting is not established. This leaves information on patch compliance invisible to management, leading to organizational ignorance of its exposure
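Observations (6) and (11) above together describe the gap: patching of systems outside the automated mechanism waits for the quarterly assessment, and no metrics exist to make the resulting exposure visible to management. The following Python is an added example, neither DSCI's nor ABC's code, showing the kind of patch compliance metrics such reporting needs, computed from a constructed inventory. The asset names, dates, the 30-day remediation target and the 91-day quarterly cadence are assumptions for illustration only; the report states the quarterly cadence but no remediation target.

```python
"""Patch compliance metrics of the kind observation (11) says are not defined.

Added example; not DSCI's or ABC's code. The inventory, dates, the 30-day
remediation target and the quarterly cadence are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Asset:
    name: str
    platform: str               # e.g. "windows", "db", "ios-router", "cms"
    central_managed: bool       # covered by the central patch management system?
    patch_released: date        # date the vendor fix for the open issue became available
    patched_on: Optional[date]  # None while the fix has not been applied


SLA_DAYS = 30      # assumed remediation target; not stated in the report
QUARTER_DAYS = 91  # quarterly VA/PT cadence, as stated in the report


def days_exposed(asset, today):
    """Days between fix availability and closure, or until today if still open."""
    end = asset.patched_on or today
    return (end - asset.patch_released).days


def worst_case_lag_from_scan_trigger(cadence_days, sla_days):
    """When patching is triggered only by a periodic scan, a fix released just
    after a scan stays unknown for a whole cadence before the SLA clock even
    starts, so the worst-case closure time is cadence + SLA."""
    return cadence_days + sla_days


def patch_metrics(assets, today):
    """Coverage, SLA compliance and exposure, overall and per platform."""
    breached = [a for a in assets if days_exposed(a, today) > SLA_DAYS]
    per_platform = {}
    for a in assets:
        p = per_platform.setdefault(a.platform, {"assets": 0, "open": 0, "max_days_exposed": 0})
        p["assets"] += 1
        p["open"] += int(a.patched_on is None)
        p["max_days_exposed"] = max(p["max_days_exposed"], days_exposed(a, today))
    return {
        "assets": len(assets),
        "central_coverage_pct": round(100.0 * sum(a.central_managed for a in assets) / len(assets), 1),
        "open_patches": sum(a.patched_on is None for a in assets),
        "sla_breaches": len(breached),
        "sla_compliance_pct": round(100.0 * (len(assets) - len(breached)) / len(assets), 1),
        "per_platform": per_platform,
    }


TODAY = date(2012, 6, 1)  # constructed reference date
SAMPLE_INVENTORY = [      # constructed; mirrors the kinds of systems the report describes
    Asset("win-ep-01", "windows", True, date(2012, 5, 10), date(2012, 5, 12)),
    Asset("win-ep-02", "windows", True, date(2012, 5, 10), date(2012, 5, 20)),
    Asset("db-srv-01", "db", False, date(2012, 3, 1), None),             # localized patching, still open
    Asset("core-rtr-01", "ios-router", False, date(2012, 2, 15), None),  # vulnerable IOS, still open
    Asset("cms-app-01", "cms", False, date(2012, 1, 5), None),           # third-party hosted, pinned CMS
]

if __name__ == "__main__":
    for key, value in patch_metrics(SAMPLE_INVENTORY, TODAY).items():
        print(f"{key}: {value}")
    print("worst-case lag with a quarterly trigger:",
          worst_case_lag_from_scan_trigger(QUARTER_DAYS, SLA_DAYS), "days")
```

On the constructed inventory the centrally managed Windows endpoints close within days, while the three systems outside central management have been exposed for 92, 107 and 148 days, giving 40% central coverage and 40% SLA compliance; with a quarterly scan as the only trigger the worst case is 121 days before a fix is even due. A per-platform breakdown is what lets management see that the gap is in databases, network devices and hosted applications rather than endpoints, which is exactly the distinction observation (4) draws.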

Assessing Threat Profile


An organization's effort to keep itself aware of the threats to which it is exposed is a critical aspect of the threat and vulnerability management function. The following observations reflect the state of threat assessment activities being practised by ABC:
(1) The organization does not seem to have a proper mechanism to manage intelligence on security threats. A vigilant approach and effort to compile information about threats, threat sources, vulnerabilities and risks is missing
(2) External collaboration for threat management is limited to the automated updates received by the security devices. This does not support an organizational agenda of subscribing to threat information sources such as vulnerability and exploit databases, threat information and risk reports, and integrating them with the TVM program
(3) The organization relies primarily on quarterly security testing and reports from the TVM tools for its knowledge of threat exposures. The frequent audits conducted for compliance with certification, regulation and client requirements help provide an understanding of threat exposure to an extent
(4) The scope of application security is limited to a set of security test cases run by the quality team. An integrated strategy for vulnerability management is not yet deployed. This may lead to application-level vulnerabilities being left unresolved for a significant duration
(5) Lean-forward techniques for threat profile assessment, such as threat modeling, threat trees and continuous vulnerability management, are not yet adopted by the organization
(6) The activities and results of security tests and audits are managed by the IT security team, with oversight responsibility residing with the CISO
(7) Due to lack of reporting and inadequate information flow from security and other departments, management does not get visibility of the state of security. This leaves gaps in governance and may lead to a situation where a serious exposure does not get the required organizational attention
(8) Structured management of threat and vulnerability management services, although they are managed internally, is missing. The approach to scheduling, responsibility and execution seems reactive
(9) Records of security tests, vulnerability and threat exposures, and the associated activities are not properly maintained. It remains difficult to trace a vulnerability or threat exposure to its background, the behaviour of systems under exploitation and the remedial action taken
(10) Involvement of teams such as application development, production support and infrastructure management in test execution is limited, leading to significant isolation of threat and vulnerability activities
(11) The organization's ability to test the relevance of a specific vulnerability or threat exposure is seriously lagging

Security Baseline Management


Security baseline reflects the accepted technical security posture of infrastructure. The security baseline represents current competence of the infrastructure and its configuration to withstand the security threats. The following observations reflect how ABC manages its security baseline: (1) A clear process for capturing the security baseline expectations is lagging. A mechanism that ensures and measures the desired level of the baseline across the organization is missing (2) The information with respect to the competence of infrastructure, capability of the security solutions and its variations across the organization is not compiled, maintained and updated regularly (3) Lack of central guidelines for security configuration combined with diversity of infrastructure and localized management of patches lead to a varied level of security strength of the organizations infrastructure


DSCI Assessment Framework

(4) Standard Operating Environments recommended by the organization, and their variation in client projects, have resulted in deployment of applications on vulnerable versions.

(5) There is no consolidated historic record of the changes in security baseline level.

(6) The enterprise security function has little idea of the security baseline of client-owned infrastructure and of externally provisioned applications procured by a cloud provider.
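The measurement mechanism that observations (1), (2) and (5) find missing can be made concrete with a small conformance check: a declared baseline, a host inventory reporting actual settings, per-item and per-unit conformance rates, and dated snapshots so that changes in baseline level leave a history. This is an added illustration, not code from the DSCI framework or from ABC's environment; the baseline items, hosts, units and values are constructed sample data.

```python
"""Security baseline conformance check over a constructed host inventory.

Illustrative code only: the baseline items, hosts and units below are
constructed sample data, not ABC's real baseline or estate.
"""

# Expected values for each baseline item (constructed). "patch_lag_days_max"
# is an upper bound; every other item must match exactly.
BASELINE = {
    "ssh_password_auth": "no",
    "tls_min_version": "1.2",
    "av_agent_installed": "yes",
    "patch_lag_days_max": 30,
}

# What each host actually reports (constructed). "unit" is the owning
# business or geographic unit, so drift can be attributed per unit.
INVENTORY = [
    {"host": "web-01", "unit": "IN-Pune", "ssh_password_auth": "no",
     "tls_min_version": "1.2", "av_agent_installed": "yes", "patch_lag_days": 5},
    {"host": "web-02", "unit": "IN-Pune", "ssh_password_auth": "yes",
     "tls_min_version": "1.0", "av_agent_installed": "yes", "patch_lag_days": 45},
    {"host": "db-01", "unit": "UK-Lon", "ssh_password_auth": "no",
     "tls_min_version": "1.2", "av_agent_installed": "no", "patch_lag_days": 12},
    {"host": "client-vm-07", "unit": "client-X", "ssh_password_auth": "no",
     "tls_min_version": "1.2", "av_agent_installed": "yes", "patch_lag_days": 90},
]


def check_host(host, baseline=BASELINE):
    """Return the baseline items this host deviates from, in baseline order."""
    deviations = []
    for item, expected in baseline.items():
        if item == "patch_lag_days_max":
            # Missing data counts as a deviation: an unknown patch level is not
            # evidence of conformance.
            lag = host.get("patch_lag_days")
            if lag is None or lag > expected:
                deviations.append(item)
        elif host.get(item) != expected:
            deviations.append(item)
    return deviations


def baseline_report(inventory=INVENTORY, baseline=BASELINE):
    """Measure the baseline across the estate: per-item conformance rate,
    per-unit counts of non-conforming hosts, and each host's deviations."""
    deviations = {h["host"]: check_host(h, baseline) for h in inventory}
    conformance = {}
    for item in baseline:
        conforming = sum(1 for devs in deviations.values() if item not in devs)
        conformance[item] = conforming / len(inventory)
    by_unit = {}
    for h in inventory:
        entry = by_unit.setdefault(h["unit"], {"hosts": 0, "nonconforming": 0})
        entry["hosts"] += 1
        if deviations[h["host"]]:
            entry["nonconforming"] += 1
    return {"conformance": conformance, "by_unit": by_unit, "deviations": deviations}


def record_snapshot(history, when, report):
    """Append a dated conformance snapshot so baseline changes have a history."""
    history.append({"date": when, "conformance": dict(report["conformance"])})
    return history


def trend(history, item):
    """Conformance of one baseline item over time, as (date, rate) pairs."""
    return [(snap["date"], snap["conformance"][item]) for snap in history]


if __name__ == "__main__":
    report = baseline_report()
    for host, devs in report["deviations"].items():
        print(f"{host}: {'OK' if not devs else ', '.join(devs)}")
    history = record_snapshot([], "2024-01-31", report)
    print(trend(history, "patch_lag_days_max"))
```

Running the snapshot on a schedule and keeping the history is what turns a one-off audit into the consolidated record observation (5) asks for; the per-unit breakdown is where localized patch management and client-owned infrastructure (observation 6) become visible as separate conformance figures.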

Technical Policy Management


Technical security policy is an organization's strategy to manage security at the system level. Technology policy is a means to translate the security and compliance requirements into the operational technical strategy of an organization. The following observations reflect the state of the technical security policy of ABC:

(1) ABC, being an ISO 27001 certified company, has an enterprise level security policy to which the business units have to conform. However, an initiative to manage the infrastructure through technical security policy is missing.

(2) There isn't granular level mapping of compliance requirements, which could help in deriving the goals of the technical security policy.

(3) The policy management of the security devices is driven by business requirements. However, business justifications of configuration items are not recorded properly. The ongoing ITIL implementation will implement the change management process. However, the plan for implementing the change management process doesn't mention incorporating security configuration management.

(4) Policy management of security devices is largely localized, as central management of the devices is absent.

(5) Although there are instances of some best practices being followed for infrastructure configuration and hardening, enterprise level standards and guidelines for the same are missing.

(6) The policy management capabilities of security devices are not explored to their fullest potential, even though the business need necessitates a granular level of policy configuration. This leaves the overall policy configuration at a generic level, which may lead to seriously vulnerable situations.

Integrated Management of TVM


Effectiveness of the management of threats and vulnerabilities is critically dependent on the ability of an organization to invoke a swift response to an identified threat or vulnerability. This requires integrated management of TVM activities. The following observations reflect how the TVM activities are managed in the organization:

(1) The deployment of solutions for TVM to a large extent remains isolated, as the strategy for integrating these solutions is missing.

(2) Solutions such as Antivirus, Firewall, Content Monitoring & Filtering and Email protections require indigenous effort for managing their policies, extracting performance reports and taking corrective actions.

(3) External security intelligence is advocated as a crucial element of threat and vulnerability management. However, the organization doesn't seem to have any initiative in this regard currently.

(4) Threat and vulnerability management is not adequately integrated into life-cycle development processes. Application development is a representative example of this, as application development and deployment doesn't incorporate threat and vulnerability assessment.

(5) A mechanism to collect and correlate information generated by security solutions and IT assets for identifying a security pattern is lacking and left to human effort. Human effort is not sufficient to process the scale of information that identifying an incident may require. This introduces a serious lag in detecting a threat event, and some threat events may remain unnoticed in this process.

(6) The manual dependency of TVM tasks requires a high level of coordination between IT security, IT infrastructure, and application development and maintenance. However, serious gaps were observed in the communication between these functions during response initiation.

(7) Although the solutions have capabilities to integrate with solutions such as user provisioning and access management, this integration seems not to have been implemented. This limits the organization's capability of enforcing user centric policies and of gaining a granular level understanding of the state of security.

(8) The organization's change management process is not yet fully matured and is not implemented to its full potential for infrastructure management. Security configuration and change management will take significant time to integrate with it.

(9) The service management process is under implementation. A ticketing system is planned to be implemented. However, how this system will work for TVM response capability is still not explored.

(10) The threat and vulnerability management tasks are not performed as a structured Security Operation Center. The organizational capability for an effective TVM function seriously lacks due to the absence of a formal Security Monitoring and Incident Management mechanism. This seriously impacts the dynamism of the organization's capability to respond to ever emerging security threats.
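Observation (5) describes the gap at its most concrete: events from the antivirus console, the firewall and the patch inventory each sit in their own tool, and only a human can notice that they describe the same host. The following added illustration (not code from the DSCI framework or ABC's tooling) shows the kind of small correlation step that closes that gap: normalize events from several sources, group them by host, and raise a finding when a failed quarantine is followed within a time window by repeated outbound drops, with missing patches raising the severity. The pipe-delimited line format, host names, addresses, window and thresholds are all constructed assumptions.

```python
"""Cross-source event correlation for TVM detection.

Added illustration: a small correlation engine over constructed, pipe-delimited
log lines from an antivirus console, a firewall and a patch inventory. The line
format, hosts, addresses and the correlation rule are assumptions, not ABC's
tooling.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: source|timestamp|key=value|key=value ...
SAMPLE_LOG = """\
av|2024-03-04T09:58:10|host=ws-17|event=malware_detected|action=quarantine_failed
fw|2024-03-04T10:01:05|src=ws-17|dst=203.0.113.5|port=443|action=drop
fw|2024-03-04T10:01:40|src=ws-17|dst=203.0.113.5|port=443|action=drop
fw|2024-03-04T10:02:15|src=ws-17|dst=203.0.113.5|port=443|action=drop
fw|2024-03-04T10:03:00|src=ws-17|dst=203.0.113.5|port=443|action=drop
patch|2024-03-04T07:00:00|host=ws-17|missing=3
av|2024-03-04T11:20:00|host=ws-22|event=malware_detected|action=quarantined
fw|2024-03-04T11:25:00|src=ws-22|dst=198.51.100.9|port=80|action=drop
patch|2024-03-04T07:00:00|host=ws-22|missing=0
fw|2024-03-04T12:00:00|src=ws-31|dst=203.0.113.5|port=443|action=allow
"""

WINDOW = timedelta(minutes=15)   # how long after the AV event drops still relate
MIN_DROPS = 3                    # outbound drops needed to treat traffic as repeated


def parse_line(line):
    """Normalize one line into a dict with source, ts, host and its fields."""
    source, ts, *kv = line.strip().split("|")
    fields = dict(pair.split("=", 1) for pair in kv)
    # Firewall lines name the host as the traffic source.
    host = fields.get("host") or fields.get("src")
    return {"source": source, "ts": datetime.fromisoformat(ts), "host": host, **fields}


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate(events, window=WINDOW, min_drops=MIN_DROPS):
    """Group events by host and raise a finding when a failed AV quarantine is
    followed within the window by repeated outbound firewall drops. Missing
    patches on the same host raise the severity."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        av_fail = [e for e in evs
                   if e["source"] == "av" and e.get("action") == "quarantine_failed"]
        drops = [e for e in evs if e["source"] == "fw" and e.get("action") == "drop"]
        missing = max((int(e["missing"]) for e in evs if e["source"] == "patch"), default=0)
        for a in av_fail:
            related = [d for d in drops if a["ts"] <= d["ts"] <= a["ts"] + window]
            if len(related) >= min_drops:
                findings.append({
                    "host": host,
                    "severity": "critical" if missing > 0 else "high",
                    "first_seen": a["ts"],
                    "evidence": [a] + related,   # the trace a responder needs
                    "missing_patches": missing,
                })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f["severity"], f["host"], f["first_seen"], len(f["evidence"]), "events")
```

In the sample, ws-17 produces one critical finding because the quarantine failed, four drops follow within the window and the host is missing patches; ws-22 produces none because its quarantine succeeded. Keeping the contributing events in the finding is what makes the threat event traceable later, which the earlier observation on test and exposure records found lacking.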

Management of Compliance Requirements


Increasing compliance regulations demand effective, transparent and responsive governance of activities related to threat and vulnerability management of the IT assets that execute business transactions. The following comments represent how compliance requirements with respect to threat and vulnerability management are being handled by the organization:

(1) A central hold on the compliance management activities is missing. This is evident from the following examples:

In one of the corporate business services, the organization processes a significant number of credit cards. However, there is no structured and complete understanding of which underlying IT systems are involved in the processing of credit cards. This understanding would be crucial for credit card related compliance requirements.

Some of the client projects expose the organization to compliance regulations such as HIPAA/HITECH, UK DPA, EU DPD, etc. However, there isn't adequate visibility on how these regulatory requirements are handled in the projects and what systems are involved.

(2) The record of system configuration elements associated with the compliance requirements is not maintained properly.

(3) The compliance centric audits are managed at the local level, i.e. at a project or geographical unit level. The information on performance against compliance is not passed to the central security function.

(4) The effort for delivering compliance information to the respective organizational unit or client project is inadequate. The central security function seems to struggle to create sensitivity about compliance requirements and liability at the field unit and project level.

(5) The compliance driven threat and vulnerability management activities lack proactive planning, vigilant gathering and storage of demonstration artifacts, and the capability of tracking issues to their closure.

TVM Roles and Responsibilities


As the Threat and Vulnerability Management function provides the capability for an organization to protect against threats, the resource allocation for it becomes a critical factor for its success. The following observations reflect how the roles and responsibilities for TVM are arranged in the organization:

(1) As already highlighted, the operational responsibility for threat and vulnerability management resides with the IT security team. It has also been observed that the TVM capability suffers from a lack of architectural treatment: the responsibility for the overall positioning of the solutions, defining a competent architecture for TVM and providing tactical direction for integrated management is not yet outlined.

(2) With extensive manual dependency for solution management, the TVM expertise is distributed. The tasks are performed in silos, since they are not defined, and the skills reside at the person level. This may make it difficult for the organization to devise a shared service approach for TVM.

(3) Since the integrated approach is missing, the resource deployment doesn't yield effective results in the management of threats and vulnerabilities.

(4) The role of the IT infrastructure team is not clearly spelt out in regard to operational security management. The division of its responsibility with the IT security team is not well defined.

(5) The coordination of detective, protective and responsive activities for threat and vulnerability management is manual.

Threat and Vulnerability Management of IT Ecosystem


The IT ecosystem of current days is characterized by the presence of many external systems connected to the organization's network. Additionally, connectivity is extended to the employees of third-party service providers. The following observations summarize how the organization manages the threats and vulnerabilities emanating from external parties:

(1) The organization engages select external service providers for running some of its business processes. Recently, the process of engagement with third parties has been changed to include security provisions in the contract.

(2) At the tactical level, there isn't a comprehensive program that takes care of the security of third-party service providers.

(3) In certain cases third parties are audited. However, reports on their technical security posture are never sought from them.

(4) The organization doesn't have clarity on the level of threats that can emanate from third parties, or on the possibility of the organization's security baseline being compromised because of them.

(5) The organization doesn't follow a practice of evaluating the threat profile of third-party service providers and categorizing the parties based on business sensitivity and system criticality. Hence, there is a lack of clarity on prioritizing actions at the third-party service providers' end.

(6) Apart from certain services being deactivated at the firewall for some of the external providers, there seem to be no other initiatives taken that can be attributed to TVM.

Performance of TVM function


Performance of the TVM function is a crucial factor of an organization's security capability. Organizations heavily relying on IT systems should establish performance management for the TVM program. As the threat landscape to which organizations are exposed changes dynamically, the performance of the TVM program becomes all the more important to keep the security posture up to date and ensure a swift organizational response to threat events. The following observations state how performance of the TVM function is managed:

(1) It has been observed that a fair level of reporting is established for Threat and Vulnerability Management. Some of the performance parameters that are being reported are:

Systems with unapplied patches
Number of machines outside the fold of the enterprise antivirus
Number of machines with outdated signatures, disabled services and presence of unauthorized AV solutions
Security threat exposures
Top ten outward traffic destinations, category wise traffic analysis
Traffic dropped, top ten sources
Number of URLs blocked, user traffic blocked

(2) TVM performance management suffers from a deficit of overall focus on the ability of the organization to generate a timely response to threats and vulnerabilities. The performance reporting parameters are primarily based on the reporting capability of the solutions deployed.

(3) Overarching processes, such as remediation of a vulnerability from the time of its detection, applying a patch to the vulnerable system and identifying threat patterns from multiple information sources, are left with undefined performance goals. This introduces serious gaps in the overall performance of TVM.

(4) Infrastructure characteristics and management practices are also not benchmarked for improving their capability from a TVM perspective. For example, the diversity of IT infrastructure is not reported in management reporting, leaving it vulnerable.

(5) The performance reporting of TVM doesn't reflect enterprise wide initiatives, as it remains a domain of the security team. The information with respect to the performance of TVM is not flowing to other support groups, business functions and higher management. This leads to a lack of organizational attention and commitment to security.
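Observations (2) and (3) contrast tool-generated counts with the process-level goals that are left undefined, and the earlier observation on security test records notes that a vulnerability cannot be traced from detection to remedial action. Both are served by a vulnerability register that records each finding's source, detection, patch and verification dates, from which time-to-remediate, SLA breaches and unverified fixes can be reported by severity and by source. The following is an added illustration, not the DSCI framework's or ABC's reporting; the register rows, SLA targets in days and the reporting date are constructed assumptions.

```python
"""TVM remediation performance metrics from a vulnerability register.

Added illustration: the register rows, SLA targets and reporting date below
are constructed assumptions, not ABC's data. The register keeps the trace of
each exposure (source, detection, patch, verification) so that time to
remediate and verification gaps can be reported per severity and per source.
"""
from datetime import date

# Constructed remediation targets in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed register: one row per (host, finding). None = step not yet done.
REGISTER = [
    {"id": "V-001", "host": "web-02", "severity": "critical", "source": "quarterly_vapt",
     "detected": date(2024, 1, 5), "patched": date(2024, 1, 9), "verified": date(2024, 1, 10)},
    {"id": "V-002", "host": "db-01", "severity": "high", "source": "quarterly_vapt",
     "detected": date(2024, 1, 5), "patched": date(2024, 2, 20), "verified": None},
    {"id": "V-003", "host": "app-03", "severity": "critical", "source": "client_audit",
     "detected": date(2024, 1, 20), "patched": None, "verified": None},
    {"id": "V-004", "host": "web-02", "severity": "medium", "source": "av_console",
     "detected": date(2024, 1, 2), "patched": date(2024, 1, 30), "verified": date(2024, 1, 31)},
]

REPORT_DATE = date(2024, 2, 28)   # constructed "as of" date for the report


def is_closed(row):
    """A finding counts as remediated only once the fix has been verified;
    "patched" alone leaves the trace incomplete."""
    return row["verified"] is not None


def elapsed_days(row, as_of=REPORT_DATE):
    """Days from detection to verified closure, or age so far if still open."""
    end = row["verified"] or as_of
    return (end - row["detected"]).days


def summary(register=REGISTER, as_of=REPORT_DATE, sla=SLA_DAYS):
    """Process-level KPIs: closure counts, mean time to close, SLA breaches
    (open or closed), patched-but-unverified findings, and a per-source view."""
    closed = [r for r in register if is_closed(r)]
    open_ = [r for r in register if not is_closed(r)]
    breaches = [r["id"] for r in register
                if elapsed_days(r, as_of) > sla[r["severity"]]]
    unverified = [r["id"] for r in open_ if r["patched"] is not None]
    by_source = {}
    for r in register:
        s = by_source.setdefault(r["source"], {"total": 0, "open": 0})
        s["total"] += 1
        s["open"] += 0 if is_closed(r) else 1
    mean_close = (sum(elapsed_days(r, as_of) for r in closed) / len(closed)) if closed else None
    return {
        "closed": len(closed),
        "open": len(open_),
        "mean_days_to_close": mean_close,
        "sla_breaches": breaches,
        "patched_unverified": unverified,
        "by_source": by_source,
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The per-source breakdown is the piece that lets the report reach beyond the security team (observation 5): a client audit finding that is open past its target, or a patch applied but never verified, is a fact the application and infrastructure owners can act on, which a count of blocked URLs is not.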
