Service Management Functions: Security Management (Part 2)

The business world is increasingly reliant on technology to supply information and communications facilities to staff, partners, and customers. Securing organizational information and the systems that are used to manage and transmit data has become a high profile function. Failure to secure information can have a severe impact on business credibility.

Read Service Management Functions: Security Management (Part 1)

For the latest information, please see http://www.microsoft.com/mof

Relationship to ITIL, ISO 17799:2000, and Microsoft SMFs  

The Microsoft Security Management service management function (SMF) fits within the well-defined structure of the Microsoft Operations Framework (MOF).


Figure 11: MOF quadrants

MOF provides operational guidance in white papers, operations guides, assessment tools, best practices, case studies, templates, support tools, and services. This guidance is for the people, process, technology, and management issues that pertain to complex, distributed, heterogeneous information technology (IT) environments.

Security Management fits within the Optimizing Quadrant, as defined by MOF, and is dedicated to driving changes to optimize cost, performance, capacity, and availability in the delivery of IT services. The relationship among security and the other MOF services is unique, because the development of an organizational security program directly affects all other areas.

In addition, the Security Management SMF is aligned with two major industry standards: the Information Technology Infrastructure Library (ITIL) and the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 17799:2000 International Standard.

Industry Standards

ITIL

The ITIL Best Practice for Security Management book is designed to provide help to organizations that are implementing secure IT environments. Like the Security Management SMF, the book is part of a larger body of documentation, called ITIL, which offers guidance on the development and implementation of best practices in IT management.

Like the Security Management SMF, ITIL advocates a continuous process loop that establishes security and then uses gathered information to improve security policies. ITIL places greater emphasis than the Security Management SMF does on the role of security within other IT management functions. The Security Management SMF regards security management as a discrete discipline that influences the development of other IT management functions.

ISO 17799:2000

ISO 17799 is a standard for security management and relates closely to the Security Management SMF. The ISO 17799 approach includes discussions of operational areas not addressed within this SMF, such as physical and environmental security. The ISO documentation also analyzes specific implementation issues in addition to organizational policy development.

The reason for the divergent approaches is the structure that MOF places upon IT within the organization. Although security affects most IT functions, the management of security fits within the Optimizing Quadrant, where development of best practices occurs. Much of the ISO documentation focuses on areas within the Operating Quadrant, where plans are implemented and deployed. This subtle difference is an important one because it allows business and IT managers to differentiate strategy from day-to-day management within a security program.

Related Microsoft SMFs

Security affects all service management functions to some degree. This SMF has specified particular relationships with the following:

  • Availability management
  • Change management
  • Incident management
  • Problem management
  • IT Service continuity management
  • Service desk
  • Service level management
  • Service monitoring and control

Availability Management SMF

Availability management ensures that incidents that affect service do not occur, or that timely and effective action is taken when they do. Security issues can cause risks to availability. Countermeasures employed to help mitigate these risks are designed to work within the organizational security policy. Risks to availability exist throughout the whole IT infrastructure and within every management process. Although not directly responsible for each of these processes, availability management is responsible for making sure that all areas of risk to availability are taken into account and that the IT infrastructure and management processes that support a given IT service are adequate.

For more information about availability management, see the Availability Management SMF at http://www.microsoft.com/technet/itsolutions/techguide/msm/smf/smfavamg.mspx.

Change Management SMF

The Change Management SMF provides a disciplined process for introducing required changes into the IT environment with minimal disruption to ongoing operations. It is essential that change management ensures that appropriate security features and elements are included in the change development, so that security is not compromised during deployment, and any additions or changes to security practices are implemented correctly. The standards developed through the security management process influence the goals and practice of change within an organization. The Change Advisory Board must include a security expert who fully understands the implications of a change on organizational security, sponsoring changes that enhance the security policies.

For more information about change management, see the Change Management SMF at http://www.microsoft.com/technet/itsolutions/techguide/msm/smf/smfchgmg.mspx.

Incident Management SMF

Incident management usually focuses on restoring normal service as quickly as possible. Exceptions include cases where malicious intent is suspected or a security exposure is identified. In such cases, the support staff works alongside security staff in accordance with the organizational security policy and procedures for handling security incidents. Legal or regulatory rules might specify that available evidence be preserved for use during legal or disciplinary proceedings.

Security management works with the incident management process to ensure that policies exist for handling security incidents. These policies aim to ensure a fast response to any security-related incidents, while also ensuring that evidence is preserved. Security policies influence major incident procedures when either a serious loss or impact is sustained, or where a major vulnerability is exposed.

For more information about incident management, see the Incident Management SMF at http://www.microsoft.com/technet/itsolutions/techguide/msm/smf/smfincmg.mspx.

Problem Management SMF

Problem management investigates and analyzes the root causes of incidents. Problem management initiates changes to internal processes, procedures, or the IT infrastructure to resolve the underlying problem or provide a temporary workaround. In investigating and resolving issues, problem management must ensure that changes are consistent with security safeguards and adhere to the organizational security policy.

For more information about problem management, see the Problem Management SMF at http://www.microsoft.com/technet/itsolutions/techguide/msm/smf/smfprbmg.mspx.

IT Service Continuity Management SMF

IT service continuity manages the ability of an organization to continue to operate and provide IT services at all times. This availability is accomplished through a balance of risk-reduction measures, such as resilient systems and recovery options, including backup facilities. Successful implementation of contingency management must have a specific focus on maintaining a secure operating environment as an integral component of any continuity plan.

For more information about continuity management, see the IT Service Continuity Management SMF at http://www.microsoft.com/technet/itsolutions/techguide/msm/smf/smfsrcmg.mspx.

Service Desk SMF

The service desk is a single point of contact for customers and service technicians. It provides communication, information, and resolutions to customers who have issues with their IT infrastructure. The service desk also provides an organized and coordinated front line to its technical support staff members, who are working independently in various geographical locations.

The security management function is involved with setting policies on how the service desk reacts to security and access requests, such as password resets, new accounts, access to applications, and deletion of old accounts.

For more information about service desk management, see the Service Desk SMF at http://www.microsoft.com/technet/itsolutions/techguide/msm/smf/smfsvcdk.mspx.

Service Level Management SMF

Service Level Agreements (SLAs) are the key business input that defines the thresholds for the security requirements of an organization. Information confidentiality, integrity, and availability are important elements of most SLAs. They are used as metrics for IT services today, setting business requirements for online and other data-critical systems, and they are a legal obligation in many countries. An example of this is the United Kingdom Data Protection Act of 1998. Security policy designers must ensure that they can deliver the service required in the SLA.

For more information about service level management, see the Service Level Management SMF at http://www.microsoft.com/technet/itsolutions/techguide/msm/smf/smfslamg.mspx.

Service Monitoring and Control SMF

Service monitoring and control manages the well-being of information systems. Security is also maintained through service monitoring functions. It is therefore essential that Service Monitoring and Control establishes system management processes that reflect the requirements of the security policies and feed back into the revision and design of those policies. By establishing severity-level prioritization standards, the Service Monitoring and Control function can be used within an incident response process to identify conditions that indicate that a security breach has occurred and components are at risk.

Security management relates closely to service monitoring and control and acts as a filter to ensure compliance with corporate security standards to maintain security. Because changes in security policies might require changes to the architecture of service monitoring and control tools, these changes must incorporate an awareness of the capabilities of the service monitoring and control process to deliver security performance management and diagnostic information.

For more information about service monitoring and control, see the Service Monitoring and Control SMF at http://www.microsoft.com/technet/itsolutions/techguide/msm/smf/smfsmc.mspx.

Security Risk Management Guide

The Security Risk Management Guide uses industry standards to deliver an effective, business-focused approach to security risk management. The approach uses qualitative, quantitative, and return-on-investment analysis techniques, together with best practice approaches, to identify steps in the risk assessment process that provide the basis on which an organization can make good decisions about risk and mitigation.

The Security Risk Management Guide develops the information available within the Security Management SMF, and particularly those in the Processes and Activities sections concerning assets and the risk assessment process.

For more information about security risk management, see the Security Risk Management Guide at http://go.microsoft.com/fwlink/?linkid=30794.

Key Performance Indicators  

Key performance indicators (KPIs) must be quantifiable measurements that reflect the success factors of the security program for an organization. KPIs depend on the security goals identified and documented within the organization’s security policies. To develop such quantifiable metrics, it is essential that the security program have:

  • KPIs for all policies, standards, and procedures, where appropriate.
  • Baseline measurements.
  • Security auditing processes that measure change.
  • Reporting processes that enable comparative analysis.

The wording of KPIs is important. If these are global or vague goals, such as “Ensure security of all information” or “Be secure,” it is impossible to identify levels of improvement and areas where a security policy is failing to deliver increased success. It is also important to define the KPIs so that they can remain consistent and act as standards for yearly measurement.

The organization must limit KPIs selected to those that exhibit factors that are essential to achieving security goals. Having only a few focused KPIs concentrates effort on areas that are of high value to the organization. For example, a company that uses the Internet extensively to promote products puts emphasis on the integrity and availability of information, whereas one that provides discrete financial services may spotlight confidentiality controls as an indicator of increased security performance.

Quantitative KPIs for security policies are based on recorded security incidents across defined results-gathering periods. The granular nature of these records means that KPI measurements for the organizational security policy and other high-level policies, such as e-mail or network security policies, are developed from aggregated measurements.

For example, these may include:

  • Security incident detection. This indicator shows the success of controls implemented to detect security attacks. The goal should be to have a 1:1 ratio between security incidents and security incident detection. This means that the detection controls are 100 percent successful. This category may be subdivided to review control types or individual controls.
  • Security defense incidents. This category shows the success of defense controls in dealing with security attacks. The goal should be to have a 1:1 ratio between security incidents and successful security defense actions. This would mean that defense controls are 100 percent successful. This category may be subdivided to review control types or individual controls.
  • Security breaches. This category shows the number and type of security breaches identified. The breach should be categorized by control types and used as an input within security review processes.
  • Security breach recovery. This category shows the elements of recovery from a security breach. This would have subcategories covering areas such as:
    • Recovery time.
    • Completeness of data recovery.
    • Volume of data loss.
    • Number of users affected by incident.

These quantitative metrics act as inputs to a hierarchical set of KPIs that ultimately measure the success of the organizational security policy.
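The quantitative KPIs listed above, computed per sub-policy and then aggregated for the organizational security policy, are shown here as an added example that is not part of the original guide. The record fields, policy names, control types, and all sample incidents are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Incident:
    """One recorded security incident (field names are assumptions)."""
    policy: str                  # sub-policy the incident is recorded against
    control_type: str            # control type involved
    detected: bool               # raised by a detection control
    defended: bool               # stopped by a defense control; False = breach
    recovery_hours: Optional[float] = None
    data_recovered_pct: Optional[float] = None
    users_affected: int = 0


# Constructed sample data for one results-gathering period.
INCIDENTS = [
    Incident("e-mail", "content filter", True, True),
    Incident("e-mail", "content filter", True, True),
    Incident("e-mail", "user awareness", False, False, 6.0, 100.0, 40),
    Incident("e-mail", "content filter", True, False, 2.0, 100.0, 5),
    Incident("network", "firewall", True, True),
    Incident("network", "firewall", True, True),
    Incident("network", "intrusion detection", True, True),
    Incident("network", "firewall", True, False, 12.0, 90.0, 200),
]


def ratio(hits, total):
    """Ratio against the 1:1 goal; None when no incidents were recorded,
    so an empty period is never reported as 100 percent success."""
    return None if total == 0 else hits / total


def kpis(incidents):
    """Quantitative KPIs for one scope (a sub-policy or the whole organization)."""
    total = len(incidents)
    breaches = [i for i in incidents if not i.defended]
    by_control = defaultdict(int)
    for b in breaches:
        by_control[b.control_type] += 1
    hours = [b.recovery_hours for b in breaches if b.recovery_hours is not None]
    recovered = [b.data_recovered_pct for b in breaches
                 if b.data_recovered_pct is not None]
    return {
        "incidents": total,
        "detection_ratio": ratio(sum(i.detected for i in incidents), total),
        "defense_ratio": ratio(sum(i.defended for i in incidents), total),
        "breaches_by_control": dict(by_control),
        "mean_recovery_hours": sum(hours) / len(hours) if hours else None,
        "worst_data_recovered_pct": min(recovered) if recovered else None,
        "users_affected": sum(b.users_affected for b in breaches),
    }


def kpi_hierarchy(incidents):
    """Per-policy KPIs plus the aggregated organizational figures."""
    by_policy = defaultdict(list)
    for i in incidents:
        by_policy[i.policy].append(i)
    return {
        "organizational": kpis(incidents),
        "policies": {p: kpis(rows) for p, rows in sorted(by_policy.items())},
    }


def shortfalls(hierarchy):
    """Scopes whose detection or defense ratio misses the 1:1 goal."""
    scopes = {"organizational": hierarchy["organizational"],
              **hierarchy["policies"]}
    return [(scope, name, k[name])
            for scope, k in scopes.items()
            for name in ("detection_ratio", "defense_ratio")
            if k[name] is not None and k[name] < 1.0]


if __name__ == "__main__":
    report = kpi_hierarchy(INCIDENTS)
    for scope, name, value in shortfalls(report):
        print(f"{scope:15s} {name:16s} {value:.3f}")
    print(report["organizational"]["breaches_by_control"])
```

Keeping the record format and the results-gathering period fixed from year to year is what makes the resulting figures usable for comparison against a baseline.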

Hierarchical Key Performance Indicators

Limiting the security goals within a policy does not mean that the entire business has only a few KPIs. Rather, it is the case that different functions within the organization undertake the monitoring of a hierarchy of KPIs. There is a cascade effect of KPIs such that the focus of metrics for each procedure, standard, or sub-policy acts as an effective feed into the aims of the overall organizational security policy.


Figure 12: Hierarchical key performance indicators

Often, companies develop specific indicators to reflect the function of an individual process; for example, a firewall control may be audited for the number of attacks or illegal accesses to the organization’s network. If such attacks are not considered to be of high importance within the organizational security policy, the value of the KPI is limited. KPIs are not linked to the ability to generate a report—all good firewalls enable attacks or illegal accesses to be reported. They act as measures against the organizational security goals.

This hierarchy reflects the service management functions that the security management policies affect. As previously discussed, the interaction among security and organizational functions, such as Change, Incident, Service Level, and Security Risk Management, must be reflected in the KPIs established for each of these functions.

Making Key Performance Indicator Results Understandable

Once defined, effective KPIs can be used as performance management tools to give everyone in the organization a clear picture of what is important and how business functions are assessed. As part of the awareness program associated with security management, the KPIs must be published to show where the organization is succeeding and where there are shortcomings.

One of the problems with KPI result reports is that they are highly statistical and potentially difficult or dull to read. The Microsoft Operations and Technology Group, the internal operations and support division for Microsoft, has developed an IT Health Scorecard system that records IT information and sorts the statistics into an easy-to-understand scorecard system. The methodology is flexible across a number of IT disciplines, such as Incident Response and Change Management, and is applicable to Security Management.

For more information about the scorecard methodology, see the Measuring IT Health with the IT Scorecard technical case study at http://www.microsoft.com/technet/itsolutions/msit/busint/scoretcs.mspx.

Measuring Key Performance Indicators

Effective KPIs must be measurable. The most common way to gather these measurements is through security auditing, which includes:

  • Security incidents.
  • Security alerts.
  • Security process compliance.

Security management is a high-level discipline and, as such, the use of low-level function analysis is not always appropriate for gathering performance statistics. The same hierarchical approach that is used for establishing KPIs can also be used to develop an aggregated set of metrics to measure policy performance. Security management establishes the framework for KPI reporting requirements, with other service functions specifying the tools and methods for delivering the statistical information.

Security management KPIs should ensure that security policies:

  • Adhere to the security vision and mission.
  • Address drivers for security within the organization.
  • Mandate that all organizational roles and responsibilities for security are in place.
  • Ensure that the security roles are appropriately managing security policies.
  • Ensure that all policy documents are in place and that their mandates are being followed.
  • Ensure that the awareness program is in place and achieving the goals of staff understanding and compliance.

Security Audit Results

Audits must measure compliance to established policies, standards, and procedures. Audits can take two forms: automated and manual. Both of these approaches quantify and represent data in metric form. Assessments can also be included under audits if they use some identified and quantifiable standard as a benchmark comparison.

Automated audits are usually performed by software that is specifically configured to validate that a control is in place and functioning properly. Network and host vulnerability scanners are frequently used to perform these measurements. Another KPI that can be used is the number of high-, medium-, and low-risk vulnerabilities in the IT environment. The KPI for this audit could be that no high-risk vulnerabilities exist on any computers or devices in the enterprise network. There could be an additional requirement for this audit that the benchmark must be met on a recurring basis.

The manual audit process involves interviewing individuals and groups to determine whether they are following established processes and procedures. It is important to note that these two elements are derived from the policies and their related standards. An organization can gather this information using a variety of methods, such as direct observation, personnel interviews, and surveys. Like the automated scanner results, the answered questions are quantified by the defined metric.

User Surveys

Because security has an important and direct effect on staff, it is a good idea to conduct surveys of user and management views on both organizational security policy and specific or individual security issues. This qualitative analysis is not necessarily simple to develop into a chart, but it will expose motivational and productivity issues that are difficult to identify through quantitative analysis.

Appendices  

Appendix A: Sample Organizational Security Policy

This section describes in more detail the policy objectives used in an organization. Policy objectives are created in several forms. The examples provided here consist of objectives focused on policies, standards, and procedures.

Policies

Policies are written mandates, usually from the highest authority of an organization. They are usually phrased to allow for a certain amount of longevity. A policy must be created and maintained as a living document and be able to evolve along with changes in an information technology (IT) environment. The most common policy within an organization is the Information Security Policy. This single document contains all of the mandates about what must and must not be done in terms of security practices. The policies in this document are usually descriptive but can contain prescriptive policy items. The policy must be clear and not subject to interpretation.

For the purposes of this SMF, policy items detail how data information is accessed and protected.

Examples

The following examples are just a few of the mandates that can be found in a policy document:

  • Removable media. Policy item directive: “Protect all removable media. Removable media and the data it contains can be lost or stolen. Take precautions to mitigate these vulnerabilities. It is also mandatory to back up all relevant data for possible restoration if lost or deleted. Before removable media or such devices may be retired or donated, they must be purged of all data.”

Note that this policy item does not mention floppy disks, CDs, DVDs, or anything specific like thumb drives. The policy is designed to apply to any current and future removable storage devices. It directs that countermeasures must be established rather than dictating how to establish them. It mandates protection. It also covers the end-of-life protection of data before media or devices malfunction or are donated. For example, the policy protects the organization from liability by preventing media or a device that contains material from being donated to a charity. The primary concept is ensuring the confidentiality of data stored on media devices.

  • E-mail. Policy item directive: “E-mail containing sensitive agency data must be encrypted in compliance with agency Information Security standards when sent or received over an untrusted network.”

Policy item directive: “E-mail must not be stored on workstation systems for extended periods of time. Users of such systems are responsible for deleting old e-mail messages to comply with the agency E-mail Security Standard.”

There is more that can be mandated about the use of e-mail in a policy, but these two policy items for e-mail usage are clear and satisfy what the organization requires from e-mail users to protect their data. There is a reference to an information security standard. A standard has to be created to dictate how encryption is to be used as a benchmark throughout the agency. The longevity of e-mail stored on workstations is designed to reduce litigation and is usually dictated by legal counsel.

Standards

Unlike a policy, which is usually descriptive, a standard is more prescriptive in that it describes how security is to be practiced within the enterprise. The standards examples presented here have been carried down from the example policy items to demonstrate how they complement each other. Standards are sometimes combined or included within a policy.

Examples

The following examples are just a few of the standards that you might find within a standards document. They do not represent a complete excerpt of a standard. These examples are more prescriptive.

  • Removable media. Standard item directive: “All removable media and removable devices that store data in excess of configuration standards for the organization must be marked with the highest level of information classification possible on the media or device during the shelf life of such devices. Markings must be distinctly noticeable apart from other markings that may be found on the media or device. These markings include: Secret, Restricted, Internal Use Only, and Public.”

Standard item directive: “Removable media and devices that contain Internal Use Only data must be stored in a locked container when unattended. Such media labeled with Restricted and Secret must be stored in a combination safe at all times when not in use.”

Standard item directive: “Removable media and devices that contain public data can be disposed of or recycled without security consideration. Internal Use Only items must be erased or otherwise purged. Restricted data must be erased and overwritten entirely seven times with seven random, 256-character recording patterns. Secret data storage devices and media must be destroyed when they reach an expiration date set by the agency. A record of the destroyed devices or media must be recorded and witnessed by another cleared individual, and this record must be maintained on file for no less than five years from the time it was recorded by the Information Security Department.”

  • E-mail. Standard item directive: “When encryption must be used to protect e-mail data, it must be applied using the advanced encryption standard (AES) or DES3 if AES is not available for use with the targeted recipient or sender.” (Specific software tools can be referenced as required for this purpose.)

Standard item directive: “All e-mail users will delete e-mail stored on their workstations in their e-mail clients on the first day of each month.”

Procedures

Unlike either policies or standards, procedures are instructions for performing security related tasks. Each organization has its own way of presenting procedures for staff to follow. Procedures can be general, for specific tasks, or specific to a position or job, and they can include a set of instructions for performing security related procedures.

For the removable media and e-mail examples, it is a best practice to write procedures for each user audience as required. Good instructions include screen shots and images to assist in documenting the instructions for use on a desktop or computer-based reference tool. Brand names and software application names are included to make these instructions literal so that users can correctly handle each type of media or e-mail client. User guides often provide good examples of the level of instructional detail required for procedures in an organization; therefore, an example is not included here.

Appendix B: Resources

The following resource list offers guidance in the development and enhancement of security management. There are numerous regulations for government and private sectors of all sizes throughout the world. It is important to remember that regulations are usually legislative mandates and thus are locale-specific. The following list contains sample resources and is not comprehensive:

  • British Standard 7799 (BS7799) / ISO 17799 (BS7799 part 1 adapted)—For BS7799 see http://www.bsi-global.com/index.xalter and for ISO/IEC 17799 Information Technology (code of practice for information security management), see http://www.iso.org/.
  • Security best practices—Many sources, some specific to organizational needs. One U.S. example is the National Institute of Standards and Technology (NIST) at http://www.nist.gov/.
  • The Health Insurance Portability and Accountability Act 1996 – HIPAA—Relates to U.S. health care and insurance industries; see http://www.hhs.gov/ocr/hipaa.
  • The Gramm-Leach-Bliley Act – GLBA—Passed as "The Financial Modernization Act of 1999"—Relates to U.S. financial institutions; see http://www.ftc.gov/privacy/glbact.
  • The Sarbanes-Oxley Act of 2002—Relates to U.S. corporate accountability (executive officers); see http://www.sec.gov/about/laws.shtml.
  • The Federal Energy Regulatory Commission—U.S. power industry; see http://www.ferc.gov/.
  • The Financial Service Authority (FSA)—Sets many standards and regulations for the UK financial service markets and businesses; see http://www.fsa.gov.uk/.
  • The Center for Internet Security (CIS)—Provides numerous benchmarks for security configuration of servers and workstations; see http://www.cisecurity.org/.
  • The SANS Institute—Provides security training, certification, the largest collection of security research documents and operates the Internet's early warning system; see http://www.sans.org/.
  • CERT Coordination Center—Major reporting center for Internet security problems, responses to security compromises, and trends in intruder activity, and solutions to security problems; see http://www.cert.org/.
  • The Microsoft Security Web site—Provides information about security issues related to Microsoft products; see http://www.microsoft.com/security/default.mspx.
  • The Security Risk Management Guide—This Microsoft guide describes a comprehensive, cost-effective process that enables security risks to be managed and maintained at an acceptable level across the organization; see http://go.microsoft.com/fwlink/?linkid=30794.

Appendix C: Security Monitoring and Security Auditing Tools

Monitoring Microsoft Windows Event Logs

  • The Dump Event Log tool (Dumpel.exe). Dump Event Log is a simple command-line tool. Dumped event log files can be imported into a spreadsheet or database for further investigation if required. The tool can also filter for, or filter out, certain event types. The Dump Event Log tool is included in the Windows 2000 Server Resource Kit, Supplement One (Microsoft Press, ISBN: 0-7356-1279-X).
  • The EventCombMT utility. EventCombMT can search the event logs of several different computers simultaneously for specific events. EventCombMT is included in the Microsoft Windows Server 2003 Resource Kit Tools, available from http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx.
  • Microsoft Operations Manager (MOM) 2005. MOM offers a comprehensive set of tools that enable enterprises to analyze the built-in event reporting and performance monitoring data from servers and applications. MOM can collect, store, and report events and performance data to a single location using Intelligent Agents at remote computers, enabling an administrator to centrally review the collected information. MOM stores its information in a Microsoft SQL Server™ database and offers several methods to retrieve and analyze the archived data. Administrators can use the Operations Manager Administrator Console, Web Console, or Operations Manager Reporting to view, print, or publish the data.
    For more information on Microsoft Operations Manager 2005, see http://www.microsoft.com/mom/default.mspx.

Monitoring Windows Services

  • The Services console. The Services Microsoft Management Console (MMC) enables administrators to monitor the services of the local computer or remote computers. It also gives administrators the ability to configure, pause, stop, start, and restart all installed services. Administrators can use the console to determine whether any services configured to start automatically are not currently started.
  • The Command-line Service Controller (Netsvc.exe). Command-line Service Controller allows an administrator to remotely start, stop, pause, continue, and query the status of services from the command line. Command-line Service Controller is included in the Windows 2000 Server Resource Kit, Supplement One (Microsoft Press, ISBN: 0-7356-1279-X).
  • The Service Monitoring Tool (Svcmon.exe). The Service Monitoring Tool monitors services on local and remote computers for changes in state (starting or stopping). To detect these changes, the tool implements a polling system. When a monitored service stops or starts, the tool notifies administrators by sending an e-mail message. The Service Monitor Configuration Tool, which is used in conjunction with the Service Monitoring Tool, configures which servers to monitor, the polling intervals, and which services to monitor on each server. The Service Monitor Configuration Tool is included in the Windows 2000 Server Resource Kit, Supplement One (Microsoft Press, ISBN: 0-7356-1279-X).

Monitoring Device Drivers

  • The List Loaded Drivers tool (Drivers.exe). List Loaded Drivers displays information such as the driver's file name, the size of the driver on disk, and the date that the driver was linked. The link date identifies any newly installed drivers. The List Loaded Drivers tool is included in the Windows 2000 Server Resource Kit, Supplement One (Microsoft Press, ISBN: 0-7356-1279-X).

Security Auditing

  • Microsoft Baseline Security Analyzer (MBSA). MBSA includes a graphical and command line interface that can perform local or remote scans of Microsoft Windows® systems. MBSA will scan for common system misconfigurations on:
    • Microsoft Windows NT® version 4.0, Windows 2000, Windows XP, and Microsoft Windows Server™ 2003
    • Internet Information Server (IIS), SQL Server, Microsoft Internet Explorer, and Microsoft Office

MBSA will also scan for missing security updates (service packs and patches) for the following products:

  • Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003
  • IIS, SQL Server, Internet Explorer, Office, Microsoft Exchange Server, Microsoft Windows Media® Player, Microsoft Data Access Components, MSXML, Microsoft Virtual Machine, Microsoft Commerce Server, Microsoft Content Management Server, Microsoft BizTalk® Server, and Microsoft Host Integration Server

For more information on MBSA, see http://www.microsoft.com/technet/security/tools/mbsahome.mspx
