From Data Breach to Information Stewardship

Information is the currency of the 21st Century.  People likely would not treat money with the same disregard that they treat information and data. Taking care to look after property that is not your own is called stewardship.
    
Information stewardship is not a new term; it has been in use since the 90s and covers the wide range of challenges involved in managing information as a key organisational asset. These include the management of the whole information lifecycle from ownership to deletion, as well as aspects such as business value, data architecture, information quality, compliance and security. However, the focus has previously been on areas other than security.

Information leaks and losses occur in many ways, ranging from misuse, mishandling and theft of data by insiders to external attacks on systems and people as well as system failures and accidents. Recently, there has been an increase in the frequency of coordinated attacks on organisations with the objective of stealing information. However, many data breaches stem from mishandling of data or from well-known technical issues for which there are easy remedies.

Basic security measures need careful attention
The processing of data in datacenters, outsourcers or the cloud has several risk points. From the 2013 Verizon report, the second largest percentage of data breaches were from servers. This was down from last year but still indicates that basic technical security measures, such as configuration and patch management, still need careful attention. The staff in the data centre may have privileged access to systems for administrative purposes.  Automated services may also have elevated privileges (backup systems, for example). This privilege may be abused or subverted and data may be stolen or misused.  Media need careful handling - there are a number of reported cases of data being found on storage devices that had been disposed of but were later acquired through auction sites. Backup media may be lost in transit.

Mobile risks
Portable devices, such as laptops, tablets, smart phones and USB media, are a significant risk. For the first time, according to the Verizon report, the end-user device was the one most likely to have been compromised during 2012. These devices may contain sensitive data and are frequently lost or mislaid by their owners. Data may be misused by insiders by copying to these kinds of devices (often against corporate governance rules). This copying may not be malicious but rather a misplaced attempt to improve efficiency. Data may be printed out and then the printout may be lost or disposed of without due care. Sensitive or regulated data may be emailed outside of the organisation or to people who ought not to have access.

As is often the case, the weakest link may be the people in the organisation. Information can be given out inadvertently or deliberately using the phone, fax or postal mail. Only recently, a list of missed UK government targets came to light when an advisor was photographed carrying a document in Downing Street. Documents can be lost inside or outside of the organisation’s premises. Ill-judged conversations in public can be overheard or people can pass information on to increase their social standing. The Information Commissioner’s Office (ICO) provides a large number of examples where personal information has been mishandled.
    
Information stewardship uses good governance techniques to implement information-centric security. Information stewardship involves the business as well as the IT services group.  Line-of-business managers, application owners and everyone who touches information are involved, as well as the IT service providers. It creates a culture where the people in the organisation understand the sensitivity of information and the ways in which this information can be put at risk. It applies best practices and uses the most appropriate technologies to protect information. It makes sure that the organisation is resilient to loss of data by protecting information against that eventuality. And, when the seemingly inevitable leakage/loss occurs, information stewardship provides the resilience necessary to mitigate the damage and restore both the information as well as the trust of users.
    
The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes. Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Implementing information governance comprises three major phases. The initial phase is to understand the business needs and obtain approval for a plan of action. A key objective of this initial phase is to get executive sponsorship. This sponsorship is critical to the success of information governance projects. The second phase is to define the changes needed by the organisation and culture, and leads to a clear assessment of the information risks. The third phase is to implement best practice, secure the infrastructure, monitor the controls and implement continuous improvement.

Understanding what is at risk
In the classical model, information and data have a business owner who classifies their value to the organisation and the impact of threats. The data is then created by and used by business processes, and it is eventually deleted according to policies when no longer required to be retained. However, information is increasingly created in an unstructured form (like emails, documents, spreadsheets and presentations) almost everywhere in the organisation. This explosion in unstructured information changes the balance. Now, anyone who writes an email or creates a document is responsible for recognising the sensitivity and value of the information it contains. Hence everyone in the organisation needs to understand and accept this new responsibility.

Big Data also introduces new challenges to information stewardship. Big Data involves absorbing and analysing large amounts of data that may have originated outside of the organisation that is using it. If you don’t control the data collection process, how can you be sure of the data source and integrity?  How do you know you have the right to use the data in the way that is being planned?  These points are brought out very clearly in a UK report on the use of smart metering of power consumption by utility companies.
    
Human behaviour is one of the key factors to achieving information stewardship. Many factors drive the way people behave and it is a challenge for management to ensure that these are taken into account. Within all organisations, the people have attitudes toward the security of information. The task is to align these attitudes with the needs of the business and how different kinds of information need to be handled.  
    
The Business Model for Information Security (BMIS), a model released by ISACA, urges enterprises to adopt an intentional culture of security. Principles from BMIS are now incorporated into COBIT 5 and into a new publication, COBIT 5 for Information Security.

A guide from ISACA, titled Creating a Culture of Security, explains how enterprises can put one in place. According to this guide, management needs to show leadership; however, creating a culture is not simply a serial process. It requires intentional shaping and direction in a number of dimensions:

Changing the perception of security - Security is often seen as a negative thing: something that prevents actions without there being a clear understanding of the risk or the benefits. What is needed is a positive image for security as an enabler. One of the key activities in changing perception is an internal marketing campaign to rebrand information security in a positive way.

Creating information stewardship ‘champions’ - People who are respected within the organisation because of their role or their track record are needed to champion information stewardship.

Education, teaching and mentoring - The value of information should be clearly communicated. This should be supported by clear information security guidance (e.g., policies) and training on how to apply it.

Rewards and sanctions - Everyone should be able to see that information security is practised in daily operations. There is visible management support for information security and there are clear sanctions against people who deliberately flout the rules.

Credibility Problems
IT organisations have not been well connected to the business and this has led to problems of credibility and to lines of business bypassing the disciplines involved in securely delivering IT services. Many IT organisations are structured as silos, each focusing on a different technical area or on topics that are not well aligned with what the business and security needs are. Information stewardship involves the whole organisation—not just the new business-oriented IT department. These roles and responsibilities overlap between IT and business. They necessarily involve IT services because that is where the data is held and processed. They involve the business because that is where the information is owned, created and used. The key new role is one responsible for creating and maintaining the information stewardship culture. Everyone who touches information and data has a responsibility for its stewardship.

It is important to assign responsibility for creating this information stewardship culture. For example, it could be a specific role or an additional responsibility of the chief information security officer (CISO).  However, for this role to be successful, it needs marketing and change management skills as much as it needs traditional security skills.  
    
Another key to information stewardship is the adoption of best practices to secure information and IT services. These best practices represent the combined knowledge of the best brains in the industry. However, be selective—not everything will apply to your organisation. In addition, it is important to require any outsourced IT services providers to also follow these standards. Two important sources of best practices are COBIT from ISACA and ISO/IEC 27001.

Creating optimal value
COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from information technology by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 for Information Security builds on the COBIT 5 framework in that it focuses on information security and provides more detailed and more practical guidance for information security professionals and other interested parties at all levels of the enterprise.

ISO/IEC 27001:2005 is a well-established standard that provides a code of practice for information security management. It is supplemented by ISO/IEC 27002:2005, which provides detailed advice and control objectives. The standard identifies 134 controls and provides detailed advice on this subject.

About the author
Mike Small is a member of the London Chapter of ISACA Security Advisory Group, a fellow of the BCS, and an analyst at KuppingerCole. Mike Small will present at ISACA’s European Computer Audit, Control and Security/Information Security Risk Management Conference (EuroCACS/ISRM) in September. For details, visit www.isaca.org/CACS-ISRMEU2013.

About ISACA
With more than 100,000 constituents in 180 countries, ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards.

ISACA Knowledge Center: www.isaca.org/knowledge-center

ISACA on Twitter: https://twitter.com/ISACANews

ISACA on LinkedIn: http://linkd.in/ISACAOfficial   
