The 12-step program for information security

How Enron became the poster child for security

26 November 2014 by Scott M Fulton III

The 12-step program for information security
Jerod Brennan, principal consultant, Jacadis

It is the greatest contributor to corporate information security certainly in the last decade, perhaps the last quarter-century. And its creator, effectively, was Enron.

Today, Americans who may not even recall what Enron Corp. actually was or pretended to be, use "Enron" as an adjective to paint businesses with the broad brush of fraud and corruption. Enron was engineered as a complex accounting superstructure hiding an almost non-existent core business model, generating the appearance of revenue through the falsification of financial information. Before it filed for bankruptcy in 2001, its company slogan, sung by a strange electronic chorus in TV commercials, in its entirety, was "Why?"

The following year, ostensibly to prevent what it called "more Enrons," the U.S. Congress passed the Sarbanes-Oxley Act. "SOX," as it’s more commonly known, mandated new accounting structures and chains of responsibility within public corporations. Independent monitors and board members must now be put in place, whose sole jobs are to ensure the integrity of financial information and oversee its public disclosure.F

or a while, no one knew how best to carry out this mandate. At the dawn of the 21st century, as courts unraveled the complex systems that people carefully constructed for handling information intentionally wrong, there was no globally recognized, similarly complex system for handling it right. More to the point, businesses needed to be able to demonstrate they were at least trying to handle information right, should they be brought to court or accused of being an "Enron."

What does "right" look like?
What businesses needed at the very least was a reliable, approved list of best practices — one where any assessor could observe a businesses and tick off each check mark when it appears to be in compliance. The closest thing anyone had ever produced to such a list (with a sense of irony perhaps Monty Python would appreciate) was BS 7799, originated in Great Britain in 1995. It was a set of best practices that companies, lawmakers, and adjudicators could agree upon. In what passes for "quickly" with respect to standards, BS 7799 was worked into the international standard ISO 27001 in 2005.

Right at first, corporations wanted to be "ISO 27001-certified," although the standard wasn’t originally meant to be a certification process.  But when executives saw the degree to which technology and policy would need to coalesce to achieve the goal of appearing "certified," they began offloading the process to IT departments and to information security professionals — often separately.

And here is where the great contribution to information security was finally made.  In order to comply with executives’ demands that they be demonstrably in compliance with SOX, as well as with a new alphabet soup of other new regulations affecting the legal and healthcare industries, the infosec community helped the standards agency create an offshoot that spoke in their language: ISO 27002. It’s a set of compliance principles divided into 12 distinct categories — practical, explainable, common-language domains. Each of these domains is comprised of distinct tasks, or controls, that infosec could literally teach to everyday workers.

Jerod Brennan is an infosec professional — a principal consultant with Ohio-based Jacadis.  After having spent several years as infosec manager for a major global retailer, he discovered he had a talent for explaining ISO 27002 to executives in such a way that they could rapidly implement its principles in their organizations.

"My stance is, walk into an organization, go through that list of controls recommended by ISO, and develop an understanding of your environment as it aligns with the framework," Brennan told me. "Do some sort of controls assessment, then [help them] come to some understanding of, ‘Okay, these are the controls we could have implemented, so these are our gaps."

Following the controls assessment, Phase 2 of Brennan’s typical plan is what he calls a reasonable risk assessment. This is typically difficult to pull off, because it’s the part of the discussion (as any Twelve-Step Program veteran will attest) where the responsible parties have to admit that there’s a problem and that they’re responsible for it. Too often, he described, the leaders of risk discussions will assert that certain assets are not at risk today because they’ve never been attacked before.

Openly discussing the organization’s perceived risks often has an unexpected benefit, in Brennan’s experience: Organizations can learn which information assets have a lower security priority than others, often due to their relative degree of exposure to outside access. When organizations work with limited budgets, they’re often compelled to find ways to reduce costs. By drawing down the flags on information assets whose priorities they discover to be low, the high-priority assets more readily emerge.

"The risk of someone compromising internal systems hosting sensitive data," he explained, "due in part to their existing network architecture, is much more likely... They have exposures in that area, but what they had to do is take that understanding of their environment from that first phase, the controls assessment, and then put it in a language of risk."

With an assessment of the environment and a comprehensive understanding of risk, Brennan said that at this point, organizations need to come to the unexpected realization that all they have in their hands is speculation. "It’s a lot of discussion, and it’s a lot of maybe’s, and, ‘This might happen.’  What we found is, if you follow up those first few phases with some sort of vulnerability assessment and penetration test, where you use a combination of tools and people to try to exploit the risks that you’re most concerned about, at that point, leadership is going to sleep much better. If they take trained security professionals and have them attempt to compromise their systems and their people in the same way they’ve identified in the risk assessment, then they’re going to have actuarial data, measurable information, regarding how well their organization stands up to that type of attack."

For an organization to be resilient enough to sustain itself and maintain its business processes through these penetration tests ("pen tests"), everyone in the workforce must be educated as to proper physical and virtual information security conduct. In some organizations where executives are not very engaged with their employees, leadership comes from the IT department and/or infosec security professionals. For them, there’s ISO 27002 to provide the framework. However, in many organizations with small IT departments and potentially heavy litigation exposure, the C-suite drives the effort. ISO 27001 serves them with the proper agenda.

Getting everyone on board simultaneously
When the stars are all aligned, both departments can lead from the bottom up and the top down simultaneously, and both frameworks align with each other nicely to that end. One of the most public examples to date of an institution’s senior executives and security managers taking it upon themselves to jointly educate their entire workforce comes from, unsurprisingly, an educational institution.

In 2012, Indiana University implemented one of the nation’s first recipes for complete workforce security education. Internally, it was given the directive number IT-28; as an education initiative, it was called "12 Domains in 12 Months."

"IT-28 is more about, how do we architect IT at the university to be as efficient and as secure as possible?" explained one of its architects, IU Chief Security Officer Thomas R. Davis.

Although Davis and the university’s Chief Privacy Officer, Merri Beth Lavignino, didn’t work with Jerod Brennan, the fact that they were on the same wavelength is evident from this paragraph introducing the 12-step program to the public:  "An appropriate protection strategy, or Information Security and Privacy Program, must exist to promote safeguards that adequately protect information but do not impede its appropriate widespread use. The Program must respect the privacy of individuals and hold all individuals accountable to high ethical standards. It must also incorporate a sound risk assessment methodology, and provide for taking actions to address identified risks where necessary."

Beginning in March of that year, the university’s dedicated security officers and the university president jointly implemented educational programs and seminars for its entire workforce, including professors, secretaries, and literally anyone handling potentially sensitive information. Using ISO 27001/27002 as a guideline, they focused on simplified forms of the frameworks’ 12 domains:

  1. Risk assessment and treatment, including prioritizing the criticality of information assets
  2. Policy administration, in which leaders commit to putting forth their own principles in writing
  3. Organization, which refers to aligning storage and maintenance systems with the information assets they host
  4. Asset management, which relates to the ownership of those information assets wherever they reside
  5. Human resources, which refers to ensuring that owners of these assets have the tools they need to manage them
  6. Physical and environmental, dealing with the safeguards around where these humans work
  7. Communications and operations management, dealing with the operational guidelines of the resources in these environments
  8. Identity and access control, ensuring that access to information assets is guarded and auditable
  9. Information systems acquisition, development, and maintenance, documenting how resources are to be kept up-to-date over time
  10. Incident management, documenting and testing principles for sustaining resilience under stress
  11. Business continuity management, ensuring that the core business of the organization is maintained even under stressful conditions
  12. Compliance, ensuring that the results of these efforts are in keeping with legal and industry standards.

    "There’s a collaborative effort that has to go on," IU’s Davis told me, "in order to be able to get in a room and share the dangers of doing information security poorly, and the risks that we have to our intellectual property, and the research that our faculty members are conducting, and just the day-to-day operational business of the university. If we lose foundation records related to the donors who contribute money to the university, and that gets out, that’s pretty easy for C-level people to understand. So when you go into that kind of arrangement, where you’re sitting at the table and you have an opportunity to interact with another C-level person, have your elevator speech ready, and that you know the top two or three things that are risky right now in the environment, and explain it in ways that other people can take personally."

    History will show that it was no single information security breach or incident or vulnerability, but rather the Enron affair that triggered a series of events that awakened corporate executives to the realization that someone in authority will be looking in to see which sensitive information is at risk. It was then that companies and institutions realized they had better manage information as assets with calculable value. And it was soon afterward that the first real positive momentum toward securing organizations’ data centers, began in earnest.


Sign in

Forgotten Password?

Create MyDCD account


region LATAM y España North America Europe Em Português Middle East Africa Asia Pacific

Whitepapers View All