CBR is proudly produced & published by Technews
Issue Date: July 2002

A framework for sustainable security management: Part 1


The challenge
"... it is tempting for new security teams to become immersed in technology quests, searching for the elusive enterprise-wide technical solution. Indeed, we expect that by YE02 up to 30% of these newly founded teams will be considered failures by their corporate masters due to their inability to implement effective policies, processes, and behaviours." - Tom Scholtz, META Group
Business leaders, commentators, governments, investors, regulators, auditors and other influential bodies increasingly expect boards of directors and managers to manage risk systematically. Doing so is a complex set of tasks that involves:
* Identifying the different types of risk that affect the enterprise.

* Evaluating their relative significance.

* Initiating actions designed to keep risks within acceptable levels.
Given the modern organisation's increasing dependence on IT-based information systems, information risk is emerging as a key risk that should be managed in its own right. The factors driving this include: the scale of investment now needed to keep up with developments in the use of IT; the ever-growing vulnerability of systems to disruption and misuse; and the emergence of new, IT-based methods of doing business.
However, managing information risk (and information security) on a sustainable basis is a complex process. It involves evaluating weaknesses in people, process and technology against the impact that unauthorised disclosure of information, corruption or falsification of data, or the inability to process transactions on time would have on the business. The process is iterative: new vulnerabilities are discovered as new systems are deployed, activities are outsourced and people change, and the value and nature of the assets to be protected shift in line with business growth (new ventures and strategies).
Kris Budnik, partner, Deloitte & Touche Information Security Services
The approach
"Many information security systems develop piecemeal, often as a result of problems that have occurred already. Without an holistic view of information security management, the question is not 'if', but 'when' will it fail?" - John Gillingham, British Standards Institute
Good security can only be achieved when an holistic approach to security management is adopted and when the multidimensional nature of information security is addressed and incorporated into that approach (see Figure 1). It is important to realise that security management is not achievable through a single solution, that 100% security is not the goal, and that good security takes time to evolve.
Figure 1. The Deloitte & Touche Information Security Management Framework
Critical success factors to the implementation of an effective information security management system include:
* An understanding of the organisation's global needs.

* An understanding of the needs for information security within the organisation.

* A demonstration of the commitment to information security.

* A willingness to address security needs.

* A willingness to allocate resources to security.

* Awareness, at the highest level, of what information security means and consists of (scope and extent).
The response
"The best ammunition for knocking out important security issues is not a 'silver bullet', but rather the implementation of a comprehensive programme of best practices. The secure organisation's attitude is one that regards prudent information security policies and practices as 'vital parts of the way we do business'." - Ken Cutler, managing director of the Information Security Institute.
The trick to effective information security management lies in co-ordinating the myriad seemingly unrelated activities into a comprehensive programme that takes into account your organisation's unique security posture.
Outlined below is a generic framework designed to address your information security management needs in a consistent and holistic way by:
* Ensuring that security management roles and responsibilities are clear (establishing accountability).

* Establishing a balanced approach to information security (suitable levels of security on a sustainable basis).

* Closing known security gaps quickly.

* Fostering an information security aware corporate culture.

* Ensuring that governance processes exist to support organisational security goals.

* Monitoring performance and providing management assurance that security goals are realised.
The four phases defined in the framework are outlined below.
In the first phase the foundation for security management is set by defining roles and responsibilities for security in your organisation. Key objectives include:
* The identification of stakeholders to ensure that all security tasks are accomplished and that they are performed in an efficient way.

* The establishment of senior management's commitment to information security by communicating the organisation's security objectives and responsibilities.

* The establishment of a security driving force to actively promote good practice in information security and ensure that it is applied effectively across the enterprise.

* The establishment of individual accountability for all information and systems within the enterprise and to give responsible individuals a vested interest in safeguarding them.
No management programme starts in a vacuum. Existing initiatives and good security practices most likely exist within your organisation already. In the second phase, the sum-total of all your security efforts to date is determined. This enables you to focus effort where it is needed most: closing security gaps, maturing internal processes or addressing cultural weaknesses. Key objectives include:
* The identification of those systems that are at high risk or critical to business operations.

* An assessment of the organisational culture towards Information Security (awareness, commitment and capability).

* An assessment of the maturity of information security process controls in the organisation.

* Determination of the organisation's business systems' susceptibility to information security threats (whether internal or external).
The third phase transforms the security status of your organisation from its current state to the desired state. Key objectives include:
* The establishment or revision (if necessary) of organisational awareness and education programmes so that every member of staff understands the importance of information security, the levels of information security appropriate to the organisation and their individual security responsibilities, and so that they act accordingly.

* The identification of specific issues of concern to the organisation in terms of security, and the development of organisational issue-specific policies which will set the direction for lower level decisions.

* The introduction or improvement of relevant security process controls, on the basis that greater process maturity and capability translate into better information risk management and greater efficiency.

* The documentation of key performance indicators with which to measure the performance of the security programme and to identify opportunities for improvement.

* Addressing technical vulnerabilities so as to minimise exposures to security threats.

* The documentation or revision of security standards to reflect your organisation's security objectives and ensure a consistent approach to securing business system infrastructure, platforms, databases and applications.
To ensure a sustainable level of information security in your organisation, the effectiveness of implemented standards and controls must be closely monitored. The focus of the fourth phase is to establish suitable measurement and monitoring mechanisms that enable reporting on the status of security within the organisation and, consequently, provide senior management with assurance that their responsibilities with respect to information risk management have been discharged with due care.
The way forward
"Information Security is definitely a journey, not a destination - there are always new challenges to meet." - chief information security officer at a major financial services corporation
Over the next four issues, we will take you through a more detailed discussion of the framework for information security management, outlining the objectives for each element of the four phases, giving examples of how to reach those objectives and sharing lessons learned.