Trends in Information Security at the Church

McDanielCA
Member
Posts: 486
Joined: Wed Jul 18, 2007 4:38 pm
Location: Salt Lake City, Utah

Trends in Information Security at the Church

#1

Post by McDanielCA »

Trends in Information Security at the Church was originally posted on the main page of LDS Tech. It was written by Mark Sanderson.

--------------------------------------------------------

With a chief information security officer and key roles established for policy and training, engineering and operations, risk assessment, and security testing and compliance, we are ready to execute on opportunities, challenges, and expansion that await the Church.


Leadership and Governance

Which is more vital to security in an organization: the right people or the right conceptual framework? The Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book, the Department of Defense's computer security criteria, was first published in 1983 by a team of top scientists at the National Security Agency (NSA). Its groundbreaking information was considered useful for almost two decades, a singular accomplishment in the realm of technology. While the right people and the right criteria are both important, leadership and the staffing of key roles have been vital to beginning a new age of information security at the Church. While working at NSA, the INFOSEC chief scientist mentioned to me that no matter how great or important any produced criteria were, the criteria would only be sustainable as long as the right people were attracted, retained, and cultivated by the organization. At the Church, we are now beginning to adopt recognized standards and implement a governance framework that increases accountability and improves results. Leadership and governance are the cornerstone of our information security.


Standardization and Policy

With information security leadership established, the next priority was to align the Church with industry standards. The central policy adopted by the Church is ISO 27002, part of the ISO 27000 family of standards from the International Organization for Standardization (ISO). ISO 27002 is a mature information security standard that helps the Church meet its privacy, finance, and best-practice IT requirements. Similarly, in his wisdom, constitutional framer John Adams advocated “a government of laws, and not of men” so the government and its framework would be stable and enduring. Our main purposes for uniting around recognized standards are to benefit from proven and maintained bodies of work, be effective in managing compliance activities, and achieve a culture of consistent, quality, well-managed results. At the Church, we harmonize the admonition to receive revelation for our given roles with use of appropriate and demonstrated standards as benchmarks and guideposts. Adopting recognized standards gives us a procedural framework of laws, and enables the Church to transition smoothly through changes in personnel and efficiently adapt to changes in privacy and security regulations.


Risk Management and Compliance

Part of information security is relatively discretionary, and part is mandatory. For the discretionary part of information security, we use a well-established certification and accreditation risk management approach, in which the stakeholders responsible for information and operations consider facts on threats, vulnerabilities, existing safeguards, and exposures provided by a risk (certification) team, along with the team’s analysis and recommendations. The process stakeholders (acting themselves as accreditors or with the help of technology advisors) then decide on a course of action. This process enables the information/process owners to make informed decisions about where and how much to invest in security, and strengthens accountability with data and process owners.

The mandatory part of information security has to do with external and internal regulation, or compliance requirements. Even though the Church is not subject to some of the regulations that publicly traded companies are, like Sarbanes-Oxley, there are several external privacy and finance regulations for the chief information security officer to coordinate throughout the “business units” of the Church’s legal entities. The Church’s need to comply with Payment Card Industry (PCI) contractual obligations in recent years was a motivating factor in strengthening information security leadership and governance for the Church. Internal regulation at the Church is mostly a combination of internal standardization, assessment, audit, and the desire of IT leaders to establish and maintain cultural values for quality and best practice.


Cultural Values

Our ICS Department leadership has set a number of cultural-value goals around being a trusted partner. In addition to specific goals related to quality and responsiveness, the notion of a trusted partner itself is significant. We’re helping dozens of global, diverse business units—from Distribution retail stores to LDS Philanthropies call centers, from missionary medical advisory services to Perpetual Education loans, and from Food Services to Deseret Industries retail stores—meet their external and internal regulation, risk management, and best-practice information security requirements. That’s a lot of responsibility. It demands a world-class response in terms of information security leadership and governance, standardization and policy, risk assessment and compliance, and security operations and engineering. Our cultural values help remind us of the need to meet and exceed our customers’ expectations.

Mark Sanderson is a senior compliance engineer for the Church.

cnsieler-p40
New Member
Posts: 6
Joined: Sun May 06, 2007 10:54 pm
Location: Arizona

The hard part is getting the Organization to Change

#2

Post by cnsieler-p40 »

This is a great article with some great points. However, having been a part of an effort to try to put standards in place in an organization that has been around a while, I know it is a hard thing to do. The one comment I would make is that you have to have a great communication and training plan. You have to have buy-in from the leadership of the different silos. Security has to bring processes that add value to the organization. If no value is added, it will be hard to get people to listen. You must bring something that will make sense and make their job easier. Also, the Orange Book is great, but it is very outdated. There are new and better security frameworks out there. ITIL, for one, version 3, is a great place to start. But to repeat my point, no framework will be successful without a good training, communication, and implementation plan.

kennethjorgensen
Community Moderators
Posts: 427
Joined: Mon Sep 10, 2007 1:29 am
Location: Alnwick, UK

#3

Post by kennethjorgensen »

cnsieler wrote:
This is a great article with some great points. However, having been a part of an effort to try to put standards in place in an organization that has been around a while, I know it is a hard thing to do. The one comment I would make is that you have to have a great communication and training plan. You have to have buy-in from the leadership of the different silos. Security has to bring processes that add value to the organization. If no value is added, it will be hard to get people to listen. You must bring something that will make sense and make their job easier. Also, the Orange Book is great, but it is very outdated. There are new and better security frameworks out there. ITIL, for one, version 3, is a great place to start. But to repeat my point, no framework will be successful without a good training, communication, and implementation plan.

I too agree it is a great article.

I totally agree with the main points here. Management at all levels needs to understand it and be "on board" first, and then training, communication, and practical implementation are vital steps in order to succeed. Once it is understood by all people, then it really can make a difference.