

Journal of Computer Science and Engineering, ISSN 2043-9091, Volume 14, Issue 2, August 2012, http://www.journalcse.co.uk


JOURNAL OF COMPUTER SCIENCE AND ENGINEERING, VOLUME 14, ISSUE 2, AUGUST 2012 1

Compliance to the Information Security Maturity Model in Saudi Arabia

Malik F. Saleh, Muneer Abbad and Jaafar M. Alghazo

Abstract— The main aim of this study is to investigate best practices and the compliance level with our framework for organizations in Saudi Arabia, and to identify the various factors that limit organizations from adopting security practices. In order to identify and explore the strengths and weaknesses of a particular organization’s security, a wide-ranging model has been developed. This model was proposed as an information security maturity model (ISMM), and it is intended as a tool to evaluate the ability of organizations to meet the objectives of security. This study was undertaken to measure compliance with this model in organizations in Saudi Arabia. To identify the compliance level, a questionnaire approach was employed for different organizations in different sectors in Saudi Arabia. This study is a continuation of prior research.

Index Terms— Maturity Model, Security Maturity Model, best practices of security.


1 INTRODUCTION

One problem with organizations’ security is that it is often viewed in isolation, and organizations do not link the security requirements to the business goals.

The rationale for these organizational problems is linked to the financial obligations that organizations face for unnecessary expenditure on security and control. Some of the information security efforts may not achieve the intended business benefit, resulting in a lack of security and in financial investments in systems that do not represent the core systems of an organization. To ensure security, it is important to build in security in both the planning and the design phases, and to adopt a security architecture which makes sure that regular and security-related tasks are deployed correctly [1]. Organizations must consider many factors that affect security. Four domains were identified that affect security at an organization. First, organizational governance is one factor that affects the security of an organization. Second, the organizational culture affects the implementation of security changes in the organization. Third, the architecture of the systems may represent challenges to the implementation of security requirements. Finally, service management is viewed as a challenging process in the implementation [2].

This research is a continuation of prior research that provides evidence, through quantitative work, that security at organizations must follow a framework to achieve the organizations’ objective of security. This work narrows the gap between theory and practice for information security by measuring the security at organizations in Saudi Arabia following the process of a security maturity model. We stress the importance of using a framework to develop a model that can be widely used by organizations. This approach, if developed without an understanding of the organizational culture, will impact the effectiveness of the implementation and the human reaction to the use of new technologies. The organizational culture often hinders the success of this approach and the delivery of the intended benefits of the implemented security model or standard.

• M.F. Saleh is with Prince Mohammad Bin Fahd University.
• M. Abbad is with Prince Mohammad Bin Fahd University.
• J. M. AlGhazo is with Prince Mohammad Bin Fahd University.

2 BACKGROUND AND RELATED WORK

The motivation for this paper comes from the challenges of assessing the implementation of security at organizations. In addition to implementation challenges, accomplishing best practices in the implementation of security is needed, and this was undertaken in prior research [2]. An information assurance model was introduced based on a diligence model, where assurance is achieved by an organization conducting a self-study. An organization would review its security and its countermeasures to assess its vulnerability. The study was based on tangible best practices implemented by the organization. The study also did benchmarking and risk assessment, and provided a trustworthiness and conformance score of security.

The concept of maturity models is increasingly being applied within the field of Information Systems as an approach for organizational development or as a means of organizational assessment [3-5]. Any systematic framework for carrying out benchmarking and performance improvement can be considered a model, and if it has continuous improvement processes it can be considered a maturity model. Maturity implies a complete system. Generally, in the constituent literature, maturity implies a perfect or explicitly defined, managed, measured, and controlled system [6]. It is also progress in the demonstration of a specific ability, or in the accomplishment of a target, from an initial to a desired end stage.

In order to identify and explore the strengths and weaknesses of a particular organization’s security, a wide-ranging model has been developed. The purpose is to identify the gap between practice and theory, which can then be linked together by following a process-oriented approach. We introduce a maturity model that provides a starting point for security implementation, a common and shared vision of security, and a framework for prioritizing actions. Moreover, this information security model has five compliance levels and four core indicators to benchmark the implementation of security in organizations. This framework of a security maturity model is intended as a tool to evaluate the ability of organizations to meet the objectives of security, namely confidentiality, integrity, and availability, while preventing attacks and achieving the organization’s mission despite attacks and accidents. The proposed model defines a process that manages, measures, and controls all aspects of security. It relies on four core indicators for benchmarking and as an aid to understanding the security needs in the organization. These indicators are goal-driven to achieve the security needs.

While it is hard for security practitioners and decision makers to know what level of protection they are getting from their investments in security, it is even harder to estimate how well these investments can be expected to protect their organizations in the future, as security policies, regulations and the threat environment are constantly changing [7]. An information system transitions between several distinct vulnerability states. The first state is hardened, and it occurs when all security-related corrections, usually patches, have been installed. The second is vulnerable, and it occurs when at least one security-related correction has not been installed. The final state is compromised, and it occurs when the system has been successfully exploited [8].
Within these states, metrics need to indicate how secure the organization is, so that the window of exposure can be minimized by the security operations teams in an organization by following a standard patching process to eliminate vulnerabilities and any associated risks. The security team either deploys patches after a vulnerability is first disclosed or updates the signatures that are associated with attacks. The longer the window of exposure, the more the organization is exposed to attacks and exploits. The magnitude of the risk is minimized if organizations are conscious of their security needs. Therefore the proposed Information Security Maturity Model (ISMM) considers five levels of compliance. Security is believed to improve as the organization moves up these five levels. The first level is the non-compliance level, characterized by the non-existence of policies and procedures to secure the business, while level five is characterized by full compliance with the framework and best practices in security.
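The three vulnerability states and the window of exposure described above can be tracked per asset from two dates: when a correction was disclosed and when it was installed. The following Python script is an added example, not code from the paper or its authors; the asset inventory, the correction identifiers (FIX-1, FIX-2) and all dates are constructed sample values, and the rule that an asset only counts as vulnerable for corrections already disclosed on the day in question is an assumption made here.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple, Union

# Added example: the three vulnerability states named in the text.
HARDENED = "hardened"        # every applicable, disclosed correction is installed
VULNERABLE = "vulnerable"    # at least one disclosed correction is missing
COMPROMISED = "compromised"  # the system has been successfully exploited

DayLike = Union[date, str]   # a date or an ISO string such as "2012-04-01"


def _as_date(day: DayLike) -> date:
    return day if isinstance(day, date) else date.fromisoformat(day)


@dataclass
class Correction:
    """A security-related correction (patch or signature) and its disclosure date."""
    ident: str
    disclosed: date


@dataclass
class Asset:
    name: str
    applicable: List[str]                                     # corrections that apply to this asset
    installed: Dict[str, date] = field(default_factory=dict)  # ident -> date the correction was applied
    compromised_on: Optional[date] = None                     # date of a successful exploit, if any


def state_on(asset: Asset, catalog: Dict[str, Correction], day: DayLike) -> str:
    """Return the asset's state on `day` using the definitions from the text.
    Assumption made here: a correction not yet disclosed on `day` is not counted
    as missing, because the security team could not have deployed it yet."""
    day = _as_date(day)
    if asset.compromised_on is not None and asset.compromised_on <= day:
        return COMPROMISED
    for ident in asset.applicable:
        if catalog[ident].disclosed > day:
            continue
        applied = asset.installed.get(ident)
        if applied is None or applied > day:
            return VULNERABLE
    return HARDENED


def exposure_days(asset: Asset, catalog: Dict[str, Correction], today: DayLike) -> Dict[str, int]:
    """Window of exposure per correction: days from disclosure until the
    correction was installed, or until `today` if it is still missing."""
    today = _as_date(today)
    windows: Dict[str, int] = {}
    for ident in asset.applicable:
        disclosed = catalog[ident].disclosed
        closed = min(asset.installed.get(ident, today), today)
        windows[ident] = max(0, (closed - disclosed).days)
    return windows


def fleet_summary(assets: List[Asset], catalog: Dict[str, Correction],
                  day: DayLike) -> Tuple[Dict[str, int], int]:
    """Count assets per state on `day` and report the longest window of exposure,
    the metric the text wants security operations teams to minimize."""
    counts = {HARDENED: 0, VULNERABLE: 0, COMPROMISED: 0}
    longest = 0
    for asset in assets:
        counts[state_on(asset, catalog, day)] += 1
        longest = max(longest, max(exposure_days(asset, catalog, day).values(), default=0))
    return counts, longest


# Constructed sample data (not from the paper).
CATALOG = {
    "FIX-1": Correction("FIX-1", date(2012, 3, 1)),
    "FIX-2": Correction("FIX-2", date(2012, 3, 20)),
}
ASSETS = [
    Asset("web-01", ["FIX-1", "FIX-2"], {"FIX-1": date(2012, 3, 4), "FIX-2": date(2012, 3, 22)}),
    Asset("db-01", ["FIX-1"]),  # FIX-1 was never applied
    Asset("mail-01", ["FIX-1", "FIX-2"], {"FIX-1": date(2012, 3, 2)}, compromised_on=date(2012, 3, 25)),
]

if __name__ == "__main__":
    report_day = "2012-04-01"
    for asset in ASSETS:
        print(asset.name, state_on(asset, CATALOG, report_day), exposure_days(asset, CATALOG, report_day))
    print(fleet_summary(ASSETS, CATALOG, report_day))
```

Run stand-alone, the script reports one asset in each state on 2012-04-01 and a longest window of 31 days (db-01, still missing FIX-1); an asset that is compromised stays in that state regardless of later patching, which is why the incident date is tracked separately from the patch dates.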

2.1 Non-Compliance

This state is characterized by the non-existence of policies and procedures to secure the business. Management does not consider investing in security-related systems necessary for the overall business strategies. In addition, the organization does not assess the business impact of its vulnerabilities and does not understand the risks involved due to these vulnerabilities.

2.2 Initial Compliance

This state is the starting point for any organization that wants to protect its investment and ensure continuity. Application and network security is implemented, but changes are not centrally managed and ad hoc security requests are common. In this state, organizations trust the interaction between the user and the systems. Security awareness programs are being considered for key resources only. IT security procedures are informally defined and some risk assessments take place. In addition, responsibilities for IT security have been assigned, but enforcement is inconsistent. Some intrusion detection testing can also be performed.

A fundamental process in most systems is the interaction between the system and the user. According to [9], this interaction is the greatest risk. Organizations don’t classify their users as threats to their systems. The user does not always cause a threat in isolation; rather, the actions of users are the starting point for some attacks, and in some cases the users themselves may launch the attacks. Weak passwords, susceptibility to social engineering attacks, and failure to install security updates are some examples of why the user is classified as the weak human factor and why the user’s interaction with the systems creates threats [10].

The goals at this level are usually centered on the business activities of the organization and the protection of core systems. Usually, an organization will consider the security of a system after the system’s implementation. Two restrictions are faced at this stage: first, financial restriction and spending on systems that don’t add value to the income of the business; second, organizations classify their initial investments in security as completed. Organizations will have the perception that their systems are protected, and they become unaware of the threats and vulnerabilities.

2.3 Basic Compliance

This state is characterized by central management of all security-related issues and policies. Users are trusted, but their interactions with the systems are viewed as a vulnerability. There are no ad hoc changes, and central configuration models, from which all configurations are derived, are implemented. Security policies and procedures are now in place, together with adequate delivery mechanisms to aid awareness and compliance. Access controls are mandatory and are closely monitored. Security measures are introduced on a cost/benefit basis, and the ownership concept is in place.

There is a school of thought that maintains that it is not the users’ fault that they perform the easiest action; rather, it is the designer’s fault for having made the most insecure operation the easiest operation [10]. Since the actions of users are the starting point for some attacks, there is a need to inculcate a “culture of security” in users. Many users have to remember multiple passwords. They use different passwords for different applications and have frequent password changes, which reduces the users’ ability to remember passwords and increases insecure work practices, such as writing passwords down [11]. For organizations to secure the interactions with their systems, communication between the security team and the users must take place to keep the users informed of possible threats. In addition, the users do not understand security issues, while the security team lacks an understanding of users’ perceptions, tasks, and needs. The result, according to [10], is that the security team typecasts the users as threats that need to be controlled and managed, or at worst as the enemy within. Users, on the other hand, perceive many security mechanisms as an overhead that gets in the way of their real work.

The goals at this state are usually centered on the business activities, the users, and monitoring security threats, and all related patches are tested and implemented. Usually, organizations at this state are conscious of their security needs and they invest in systems that protect the organization.

2.4 Acceptable Compliance

This state is characterized by central management of all security-related issues and policies. Users are trusted, but their interactions with the systems are viewed as a vulnerability. There are no ad hoc changes, and central configuration models, from which all configurations are derived, are implemented. Security policies and procedures are now in place, together with adequate delivery mechanisms to aid awareness and compliance. Access controls are mandatory and are closely monitored. Security measures are introduced on a cost/benefit basis, and the ownership concept is in place.

There is a school of thought that maintains that it is not the users’ fault that they perform the easiest action; rather, it is the designer’s fault for having made the most insecure operation the easiest operation [10]. Since the actions of users are the starting point for some attacks, there is a need to inculcate a “culture of security” in users. Many users have to remember multiple passwords. They use different passwords for different applications and have frequent password changes, which reduces the users’ ability to remember passwords and increases insecure work practices, such as writing passwords down [11]. For organizations to secure the interactions with their systems, communication between the security team and the users must take place to keep the users informed of possible threats. In addition, the users do not understand security issues, while the security team lacks an understanding of users’ perceptions, tasks, and needs. The result, according to [10], is that the security team typecasts the users as threats that need to be controlled and managed, or at worst as the enemy within. Users, on the other hand, perceive many security mechanisms as an overhead that gets in the way of their real work.

The goals at this state are usually centered on the business activities, the users, and monitoring security threats, and all related patches are tested and implemented. Usually, organizations at this state are conscious of their security needs and they invest in systems that protect the organization.

2.5 Full Compliance

This state is characterized by having control over the security needs of the organization, monitoring the systems, being aware of threats, and benchmarking by comparing the organization itself to other similar organizations and to international standards. In addition, a comprehensive security function has been established that is both cost-effective and efficient, and which delivers high-quality implementation. This comprehensive plan has formal policies and procedures in place to prevent, detect, and correct any security-related issues. Also, corporate governance is aligned with the security needs of the organization. Corporate governance has policies for internal auditing, which is an independent and objective activity designed to add value and improve the security of the organization. The result of any audit activity is published, and actions are implemented.

For an organization to have full compliance, security is managed by identifying the security concerns, and security incidents are tracked in a systematic way. The organization must have proper policies for security in a formal sense, and business plans would have items for security. Specific technologies are used throughout the organization in a uniform manner, and the implementation came into existence out of a business plan.

Full compliance also considers the security architecture in an organization. While the business architecture considers all external factors in an organization, the security architecture considers all users in the implementation. Policies are created to meet the needs of the users, and information flowing in or out of the organization is captured. A system for providing traceability through the organization is in place. Users are also involved in architectural analysis, and the organization offers training for the users in security-related issues.

As for the management of security, policies in the full compliance state have preventive, detective and corrective controls. The organization must have a system for reporting security incidents and for tracking the status of each incident. Installing anti-virus software and a firewall is not enough to control the threats the organization faces. Email filters and intrusion detection systems must also be used to prevent many types of incidents.


3 METHODOLOGY AND DATA ANALYSIS

The main aim of this study is to investigate best practices and the compliance level with our framework for organizations in Saudi Arabia, and to identify the various factors that limit organizations from adopting security practices. To identify the compliance level, a questionnaire approach was employed in this research study to obtain the most appropriate information from organizations in different sectors in Saudi Arabia. A delivery and collection questionnaire was used as the method for obtaining data from mid-size and large organizations. Small organizations were not surveyed because security practices, policies and procedures to secure the business do not exist in a formal sense, and the management of small organizations does not consider investing in security-related systems necessary for the overall business strategies. In addition, small organizations in Saudi Arabia do not understand the risks involved due to information security vulnerabilities and they do not assess the business impact.

Representatives of these mid-size and large organizations were chosen because of their knowledge of the organization and their knowledge about information security. Representatives of these organizations were briefed on the study, its measures, and the compliance levels. Those organizations that kindly agreed to co-operate and completed the questionnaires formed the sample for the study. To complete the study, an average of two hours is needed to answer all the questions, and the answers require detailed knowledge of the organization’s structure and practices. Information about participating organizations cannot be shared with the public, but the findings of the study will be shared with everyone.

The Statistical Package for Social Science (SPSS) was used to analyze the data collected from the questionnaires. The statistical methods used were descriptive statistics (such as ratios, mean, and standard deviation (SD)).

3.1 Sample Descriptions

Participants of the study consisted of organizations in Saudi Arabia. Fifty questionnaires were distributed to the study sample, with voluntary participation. The total number of participating organizations was thirty, representing a 60% response rate. The total number of organizations that chose not to participate because they did not want to release information about their organizations was eight, representing 16%. Finally, twelve organizations, characterized as small organizations, refused to participate because they do not have security practices in place, representing 24%. Therefore thirty organizations representing different sectors participated in the survey. Those organizations were categorized into seven sectors: banks and financial, petrochemical, hospitals, energy and utilities, telecommunication, insurance, and others, as in Table 1.

3.2 Survey Descriptions

The questionnaire used in this study consisted of four main sections. The first section included questions regarding management practices and the existence of proper policies for security in the organization in a formal sense, and whether the management of the organization considers the organization’s security when making business plans. Management practices were reflected in the types of systems that protect the organization, the organization’s security concerns, and the security incidents that the organization faced.

The second section included questions regarding service management and how the organization handled attacks. Practices of the service management were reflected in the tools that the organization used to respond to and document the attacks.

The third section included questions regarding the enterprise architecture, the role of the users, and whether the architecture considered all external factors that affect the enterprise. The enterprise architecture affected the security architecture and the continuous improvement process.

The fourth section included questions regarding corporate governance, the internal audit process and regulatory compliance. The corporate governance section contained questions which explored the independence of the decision-making process at the corporate level.

Each main section of the survey consisted of subsections. Questions in the subsections produced a result that summarized the answers for that section. The average over all subsections produces the result that we considered as the compliance level. Table 2 lists the subsections and the descriptive statistics for all seven sectors in this study.

Fig. 1. Levels of Compliance.  

TABLE 1
PARTICIPATING ORGANIZATIONS BY SECTOR

No.  Sector                 No. of Participants
1    Banks & Financial      6
2    Petrochemical          2
3    Hospitals              4
4    Energy and utilities   2
5    Telecommunication      3
6    Insurance              3
7    Others                 10
     Total                  30


TABLE 2
DESCRIPTIVE STATISTICS OF THE SURVEY SUBSECTIONS ACROSS SECTORS

Description                                     Sectors   Min    Max    Mean   Std. Deviation
Appropriateness of Management Practices         7         3.50   5.00   4.38   0.59677
Types of Security Systems                       7         4.00   5.00   4.71   0.48795
Computer Security Concerns                      7         4.00   5.00   4.69   0.41356
Computer Security Incidents                     7         1.50   3.00   2.16   0.49889
Appropriateness of the Service Management       7         3.35   4.86   4.20   0.54399
Management of Major Incidents                   7         1.00   4.46   3.25   1.120
Appropriateness of the Enterprise Architecture  7         3.13   5.00   4.10   0.691
Security Architecture                           7         2.99   5.00   4.27   0.752
Continuous Improvement                          7         3.00   4.87   4.14   0.709
Appropriateness of the Corporate Governance     7         2.67   4.91   3.54   0.791
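Section 3.2 describes the scoring: each subsection is scored from its answers, and the average over all subsections is the compliance level; Table 2 then reports Min, Max, Mean and SD of those subsection scores across the seven sectors. The Python below is an added example, not the authors’ SPSS analysis; the sector names and scores are constructed, the 1-5 answer scale and the use of the sample standard deviation are assumptions, and the thresholds that map a score to one of the five levels are assumed here (the paper gives only three reference points in Section 3.3: 2.2 stars as Initial, 3.6 as Acceptable and 4.7 as Full Compliance).

```python
from statistics import mean, stdev
from typing import Dict, List, Tuple

# Assumed thresholds (not given in the paper) for mapping a 1-5 star score to
# the five compliance levels: a score below the upper bound falls in that level.
LEVELS: List[Tuple[float, str]] = [
    (1.5, "None Compliance"),
    (2.5, "Initial Compliance"),
    (3.5, "Basic Compliance"),
    (4.5, "Acceptable Compliance"),
    (5.0, "Full Compliance"),
]


def subsection_score(answers: List[int]) -> float:
    """Score of one subsection: the mean of its answers on an assumed 1-5 scale."""
    if not answers or any(not 1 <= a <= 5 for a in answers):
        raise ValueError("answers must be a non-empty list of values in 1..5")
    return mean(answers)


def score_sector(raw: Dict[str, List[int]]) -> Dict[str, float]:
    """Turn one organization's (or sector's) raw answers into subsection scores."""
    return {name: subsection_score(vals) for name, vals in raw.items()}


def compliance_level(scores: Dict[str, float]) -> Tuple[float, str]:
    """Overall score is the mean over all subsection scores (Section 3.2);
    it is then mapped to a level using the assumed thresholds above."""
    overall = mean(scores.values())
    for upper, name in LEVELS:
        if overall < upper:
            return overall, name
    return overall, LEVELS[-1][1]   # a perfect 5.0 is Full Compliance


def sector_statistics(sectors: Dict[str, Dict[str, float]]) -> Dict[str, dict]:
    """Min/Max/Mean/SD of each subsection score across sectors, as in Table 2.
    Assumption: SD is the sample standard deviation (n - 1 denominator)."""
    names = sorted({n for s in sectors.values() for n in s})
    stats: Dict[str, dict] = {}
    for name in names:
        vals = [s[name] for s in sectors.values() if name in s]
        stats[name] = {
            "n": len(vals),
            "min": min(vals),
            "max": max(vals),
            "mean": round(mean(vals), 2),
            "sd": round(stdev(vals), 3) if len(vals) > 1 else 0.0,
        }
    return stats


# Constructed subsection scores for three sectors (not the paper's data).
SECTOR_SCORES: Dict[str, Dict[str, float]] = {
    "Banks": {"Management Practices": 4.5, "Service Management": 4.0,
              "Enterprise Architecture": 4.5, "Corporate Governance": 4.0},
    "Hospitals": {"Management Practices": 3.5, "Service Management": 3.0,
                  "Enterprise Architecture": 3.5, "Corporate Governance": 2.5},
    "Others": {"Management Practices": 4.0, "Service Management": 3.5,
               "Enterprise Architecture": 4.0, "Corporate Governance": 3.0},
}

if __name__ == "__main__":
    for sector, scores in SECTOR_SCORES.items():
        overall, level = compliance_level(scores)
        print(f"{sector:10s} {overall:.2f} stars  {level}")
    for name, row in sector_statistics(SECTOR_SCORES).items():
        print(f"{name:25s} {row}")
```

With the constructed scores, Banks and Others land in Acceptable Compliance and Hospitals in Basic Compliance; the per-subsection rows mirror the layout of Table 2, so a reader can drop in real subsection scores and compare the Min/Max/Mean/SD columns directly.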

3.3 Security Framework Benefits

Mid-size to large organizations in Saudi Arabia are implementing best practices. Analyzing the data based on the participating organizations, the range of compliance was between Initial Compliance, with 2.2 stars, and Full Compliance, with 4.7 stars, for this maturity model. Analyzing the data based on sectors, the range of compliance was between Acceptable Compliance, with 3.6 stars, and Full Compliance, with 4.7 stars, for this maturity model.

This maturity model shows that investing in computer security is not only a good investment; it produces immediate benefits as well. This was reflected in the level of compliance with this model and in the fact that organizations had good security practices, and the range of security incidents was between 1.5 and 3.0 stars. Organizations that achieved 1.5 stars had Full Compliance with this model, while organizations that achieved 3.0 stars had Initial Compliance.

This model also points to the fact that organizations in Saudi Arabia are investing in security to implement best practices and to protect their businesses. In addition, the culture of Saudi Arabia is not geared towards malicious behavior and hacking. At most organizations that had attacks, the attacks were financial in nature.

3.4 The Impact of the Framework on Security

The aim of this security maturity model is to investigate best practices of security. It is clear that security is a moving target and organizations are not protected even though they are implementing systems to secure the business. The analysis of the data shows that organizations that are aware of their security practices are supported by best management practices, as in Figure 2.

Fig. 2: Management Practices

Although corporate governance plays a critical role in supporting security practices, weaknesses in corporate governance did not affect management practices in negative ways. For companies that needed further improvement in corporate governance, the management practices scale exceeded the corporate governance scale, as in Fig. 3.

Fig. 3: Corporate Governance vs. Management Practices

3.5 Security Framework Limitations

Analysis of the collected data showed that organizations that implemented different security systems and whose computer security concerns covered all aspects of security were still not protected from security attacks, as in Figure 4. The scale for implemented security systems and for security concerns ranged from 4 (lowest) to 5 (highest), while the scale for computer security incidents ranged from 1.50 (lowest) to 3.0 (highest), as in Table 2. The results can be interpreted in two ways. First, despite the fact that organizations have best practices of security, they are not fully protected; it can be concluded that security is a moving target and organizations need to plan for the worst. Second, the data can point to the fact that organizations implemented security systems after security incidents had affected the business.

Fig. 4: Protection from Attacks

Many key factors are affecting the concerns of organizations. The first factor is the number of major security incidents that disrupted the business at organizations. The Insurance sector reported the most incidents, followed by the Banking and Financial sector. This is an indication that the security breaches were financially driven. On the contrary, Hospitals had the fewest breaches, as the business nature of hospitals is information driven rather than financially driven. Figure 5 illustrates this.


Fig. 5: Major Incident

4 CONCLUSION AND SUMMARY OF FINDINGS

The main findings of this research are presented in the following points:

1. This security framework shows that investing in computer security is not only a good investment; it produces immediate benefits as well.

2. Organizations in Saudi Arabia are utilizing the wealth in the kingdom to implement best practices.

3. The framework shows that these organizations are achieving acceptable to full compliance to our model.

4. The culture in Saudi Arabia is not geared towards malicious behavior and hacking. At most organizations that had attacks, the attacks were not financial in nature.

The limitations of the framework are summarized in the following points:

1. Organizations that implemented different security systems and whose computer security concerns covered all aspects of security were not protected from security attacks.

2. This model failed to identify whether organizations implemented security before the attacks or after the business was disrupted by the attacks.

3. Although corporate governance plays a critical role in supporting security practices, this model shows that weaknesses in corporate governance did not affect management practices in negative ways.

5 Implications and Contributions

The results of this study could help companies in Saudi Arabia follow peer organizations in implementing security and consider the limitations faced by others. For example, understanding that security is a moving target would encourage organizations to develop an effective business continuity and disaster recovery plan. It is important for organizations to implement best practices to secure the business; however, this implementation must be accompanied by a business continuity plan in case of unforeseen events. To ensure continuity, organizations must build real-time survivability into the overall information function.

ACKNOWLEDGMENT

The authors wish to thank Prince Mohammad Bin Fahd University for the support provided in publishing this research.

REFERENCES

[1] Amer, S.H. and J. John A. Hamilton, Understanding security architecture, in Proceedings of the 2008 Spring Simulation Multiconference. 2008, Society for Computer Simulation International: Ottawa, Canada. p. 335-342.

[2] Saleh, M.F., Information Security Maturity Model. International Journal of Computer Science and Security (IJCSS), 2011. 5(3): p. 21.

[3] Ahern, D., A. Clouse, and R. Turner, CMMI Distilled: A Practical Introduction to Integrated Process Improvement. 2004, Boston, London: Addison-Wesley.

[4] Chrissis, M.B., M. Konrad, and S. Shrum, CMMI: Guidelines for Process Integration and Product Improvement. 2008, Upper Saddle River, NJ: Addison-Wesley.

[5] Mettler, T. and P. Rohner, Situational Maturity Models as Instrumental Artifacts for Organizational Design, in Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology. 2009, ACM: Philadelphia, Pennsylvania.

[6] Fraser, M.D. and V.K. Vaishnavi, A formal specifications maturity model. Commun. ACM, 1997. 40(12): p. 95-103.

[7] Beres, Y., et al., Using security metrics coupled with predictive modeling and simulation to assess security processes, in Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement. 2009, IEEE Computer Society. p. 564-573.

[8] Arbaugh, W.A., W.L. Fithen, and J. McHugh, Windows of Vulnerability: A Case Study Analysis. IEEE Computer, 2000. 33(12): p. 52-59.

[9] Schneier, B., Secrets and Lies: Digital Security in a Networked World. 2000, New York: John Wiley & Sons, Inc.

[10] Vidyaraman, S., M. Chandrasekaran, and S. Upadhyaya, Position: the user is the enemy, in Proceedings of the 2007 Workshop on New Security Paradigms. 2008, ACM: New Hampshire. p. 75-80.

[11] Brostoff, S. and M.A. Sasse, Safe and sound: a safety-critical approach to security, in Proceedings of the 2001 Workshop on New Security Paradigms. 2001, ACM: Cloudcroft, New Mexico. p. 41-50.

Malik F. Saleh is a professor at Prince Mohammad Bin Fahd University in the Kingdom of Saudi Arabia with over 15 years of teaching experience. Dr. Saleh chaired the MIS department and he has a leadership role in the maintenance of academic standards and in the development of educational policy and of curriculum areas within the University.

Muneer Abbad is a professor at Prince Mohammad Bin Fahd University in the Kingdom of Saudi Arabia.

Jaafar M. AL Ghazo is the dean of the College of Computer Engineering and Sciences.