Frühwirth, C. (2008). Improving security incident management in multinational IT service providers [Diploma Thesis, Technische Universität Wien]. reposiTUm. http://hdl.handle.net/20.500.12708/183586
E188 - Institut für Softwaretechnik und Interaktive Systeme
Date (published): 2008
Number of Pages: 141
Keywords (de/en): IT Security Incident Management, ITIL, COBIT, MARS, Governance, Process Improvement
Abstract:
Expectations on today's IT security management have gone beyond plain physical security. Security management is increasingly under pressure from three factors: 1) attacks on IT systems have evolved into multi-staged processes, 2) legal regulations such as the Sarbanes-Oxley (SOX) Act call for standardized security audits, and 3) management wants to regain control over security business processes and costs. Improving IT security management means tackling all three factors.

To deal with evolved attacks, a new generation of event-based intrusion detection systems is needed. On the legislative side, improvements come from the implementation of industry standard frameworks that facilitate compliance audits. Security business processes can be improved by reengineering them to take advantage of 1) advanced intrusion detection tools, 2) standard frameworks for legal compliance and 3) intelligent incident management software tools.

This work studies the IT security business processes at a multinational IT service provider and evaluates their compliance with the industry standard frameworks COBIT and ITIL. The study uses a survey to document the actual work practices at the IT service provider and at comparable international corporations. Previously informal process descriptions are formalized, and metrics are established to document the current security management baseline. Proposals for performance improvements are developed by analyzing the formalized processes and the stakeholders' goals, and by comparing the actual process status with these goals. Performance is measured in terms of a) execution time and b) execution costs for each process. Stakeholder requirements are gathered via structured interviews with company representatives, CIOs and network security staff.

The result of the analysis is used to configure and deploy a next-generation intrusion detection and incident management tool, the Cisco-built "Monitoring, Analysis and Response System" (MARS). Cisco MARS uses event correlation to identify multi-stage security incidents and is able to trigger incident handling processes. The MARS configuration is adapted to fulfil stakeholder requirements as well as to comply with the legal regulations of the SOX Act.

IT security management business processes are reviewed and adapted to take advantage of the new incident management system. Process reengineering is used to further align the processes with the COBIT and ITIL frameworks and to facilitate independent security audits.

All analysis and work results are compiled into a best-practice integration plan for companies facing challenges similar to those of the assessed IT service provider. A final evaluation compares 1) the best-practice plan with the initial stakeholder requirements and 2) the company's previous baseline of incident handling processes with the improved version.