We chose in this issue to cover both the FFIEC IT Examination handbook for Information Security as well as for Operations because Information Security provides the direction, while Operations provides the in-depth execution.
The FFIEC IT Examination Handbook -- Information Security (341 controls) provides guidance to examiners and organizations on assessing the level of security risks to the organization and evaluating the adequacy of the organization's risk management.
By sheer count, Information Security's 341 controls exceed those of the other highly prescriptive authority documents, such as the Payment Card Industry Data Security Standard (PCI DSS) (191 controls), NIST 800-53 (195 controls), CobiT 4.1 (276 controls), and ISO 27002:2005 (243 controls).
Comprehensive as it is, the Information Security handbook is best paired with the FFIEC IT Examination Handbook -- Operations (221 controls). Operations overlaps Information Security a great deal and treats those overlapping controls in more depth than Information Security does, so the two form a cohesive whole.
Leadership and high level objectives: Information Security focuses somewhat on the topic of leadership and high level objectives by calling for the analysis of functions and activities, the classification of information, the identification of processes and systems critical to the organization, and the establishment of an information architecture model.
In the realm of maintaining asset discovery trails, Operations picks up where Information Security leaves off. It delves into the different surveys and inventories that must be maintained, even picking up on the need for a document, database, and message inventory. Knowing which assets hold which documents, databases, and messages is crucial. According to the 2008 Data Breach Investigations Report released by Verizon Business, 66 percent of breaches involved data that the victim didn't realize was on the system. Without asset discovery trails and an active, well-maintained information inventory, it's easier than you think to let security management slip on systems that should be highly protected.
Audits and risk management: Within the realm of audit and risk management, both handbooks are heavily concentrated on risk assessment controls, such as correlating the risk assessment to a business impact, and making the risk assessment approach transparent. This allows others to understand how safeguard selections are prioritized in the light of the risk assessment findings.
Monitoring and measurement: It seems strange that both Information Security and Operations are incomplete in this area, given that both address risk and security.
While both authority documents call for operationalizing key monitoring and logging concepts, neither picks up on such detailed controls as identifying log event types, identification mechanisms within the logs, or even managing the access trails to the logs (so that they can be used as forensic evidence). None of the FFIEC examination handbooks deals with the detailed controls surrounding log management, but NIST 800-92 is dedicated entirely to the topic and should be consulted by any financial firm for detailed guidance.
Both handbooks do provide a decent amount of information on the interpretation of logs, such as compiling audits into a time-correlated audit trail and reviewing the logs regularly.
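The controls this section says the handbooks leave out (identifying event types, time-correlating records from different sources, and keeping the trail usable as evidence) are concrete enough to show in code. The following Python is an added example written for this page, not code from the article, the FFIEC handbooks, or NIST 800-92. The log lines are constructed, and the log formats, event-type labels and classification rules are assumptions made for the example. It normalizes two differently formatted logs to UTC, labels each record with an event type, merges them into one time-ordered trail, and chains the records with SHA-256 so that a later edit to any record, or a reordering, is detectable.

```python
"""Added example, not from the article or the FFIEC handbooks: build a
time-correlated, hash-chained audit trail from heterogeneous log lines.
Formats, event labels and the sample lines below are assumptions."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample input: a syslog-style host log with RFC 3339 timestamps
# in local time (UTC-5) and an Apache-style web access log stamped in UTC.
HOST_LOG = """\
2008-07-14T09:02:11-05:00 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 DPT=22
2008-07-14T09:02:40-05:00 app01 sshd[4412]: Failed password for root from 203.0.113.7 port 51022
2008-07-14T09:02:55-05:00 app01 sshd[4412]: Accepted publickey for deploy from 198.51.100.4 port 40211
2008-07-14T09:03:10-05:00 app01 sudo: deploy : COMMAND=/usr/sbin/iptables -F
"""
WEB_LOG = """\
198.51.100.4 - - [14/Jul/2008:14:03:05 +0000] "POST /admin/config HTTP/1.1" 200 512
203.0.113.7 - - [14/Jul/2008:14:02:20 +0000] "GET /login HTTP/1.1" 401 231
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \d+$"
)

# Event-type identification: the first rule whose pattern matches labels the
# record. Labels and patterns are assumptions chosen for this example.
EVENT_RULES = [
    ("auth_failure", re.compile(r"Failed password|\b401\b")),
    ("auth_success", re.compile(r"Accepted (?:password|publickey)")),
    ("config_change", re.compile(r"COMMAND=.*iptables|POST /admin/")),
    ("net_deny", re.compile(r"^DROP\b")),
]

# Fields covered by each record's hash; the chain binds order via prev_hash.
FIELDS = ("time", "source", "actor", "event", "detail", "prev_hash")


def classify(subject):
    """Return the event-type label for a normalized message string."""
    for label, pattern in EVENT_RULES:
        if pattern.search(subject):
            return label
    return "other"


def parse_line(source, line):
    """Parse one raw line into a record with a UTC timestamp, or None."""
    if source == "host":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts = datetime.fromisoformat(m["ts"])
        actor, subject = m["host"], m["msg"]
    else:
        m = ACCESS_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        actor = m["src"]
        subject = f'{m["method"]} {m["path"]} {m["status"]}'
    return {"time": ts.astimezone(timezone.utc).isoformat(), "source": source,
            "actor": actor, "event": classify(subject), "detail": line}


def _digest(rec):
    body = json.dumps({k: rec[k] for k in FIELDS}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def build_trail(logs):
    """logs: iterable of (source_name, text). Returns records sorted by UTC
    time, each carrying prev_hash and hash so the sequence is tamper-evident."""
    records = [r for source, text in logs
               for r in map(lambda ln: parse_line(source, ln), text.splitlines()) if r]
    records.sort(key=lambda r: (r["time"], r["source"]))
    prev = "0" * 64  # chain genesis value
    for rec in records:
        rec["prev_hash"] = prev
        rec["hash"] = _digest(rec)
        prev = rec["hash"]
    return records


def verify_trail(records):
    """True only if every record hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for rec in records:
        if rec["prev_hash"] != prev or _digest(rec) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


if __name__ == "__main__":
    for r in build_trail([("host", HOST_LOG), ("web", WEB_LOG)]):
        print(r["time"], r["source"], r["event"], r["actor"], r["hash"][:12])
```

Run stand-alone it prints the merged trail in UTC order; `verify_trail` returns False as soon as any record's content or position differs from what was chained. Hash chaining only makes tampering detectable after the fact, so the access controls on the log store that the text mentions are still needed, and the current chain head has to be kept somewhere the systems writing the logs cannot alter.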
Access management: Information Security is heavily laden with access controls. It contains everything from network configuration controls to firewall design controls and even application and object access and separation enforcement controls.
What is interesting is the number of controls surrounding information flow enforcement, where Information Security is almost as in-depth as the US Government's NISPOM (DoD 5220.22-M, National Industrial Security Program Operating Manual). For example, one control states, "when system data is transmitted between separate parts of the system, it should be protected from modification, loss of use, and disclosure."
Physical security: Both Information Security and Operations have a fair amount of in-depth (and overlapping) controls surrounding physical security.
IT human resources: Within the realm of IT human resources, the Information Security guide sets the higher level controls, and Operations then fills in the details, beginning with aligning IT staffing to operational goals.
Operations provides additional detail regarding security clearances for IT staff, proper training, and extending the same controls to third parties.
Operational management: Finally, within the realm of operational management, the Operations guide once again is at the forefront with such topics as:
Roles and responsibilities
Establishing and maintaining the compliance framework
Policies and procedures
Help desk and problem escalation
There is in-depth information provided by both Information Security and Operations on Change Management. Both guides cover everything from basic change management through emergency changes, software release policies, patch management, change documentation and even systems re-deployment or disposal.
Both handbooks, if taken together, form the basis of an excellent information security framework. Together they are more thorough than any other highly regarded individual IT security authority documents mentioned above. Apart, they are just not complete.
About the author:
Dorian J. Cougias is the co-founder and primary architect of the Unified Compliance Framework, the first and largest independent initiative to map IT controls across international regulations, standards, and best practices. A frequent speaker and well respected author, Cougias has written hundreds of articles and dozens of books, including the award-winning Backup Book: Disaster Recovery from Desktop to Data Center and most recently the Unified Compliance Series. Dorian has served as CIO of two global ad agencies and CEO of an international software company. He is currently an adjunct professor at the University of Delaware and the lead analyst at Network Frontiers, a company that focuses on systems continuity, regulatory compliance, and IT infrastructure. For more information, visit www.unifiedcompliance.com.
This was first published in July 2008