Demonstrable good governance in this ever-changing business landscape – business grows, people change and technology advances – is one of the key drivers towards increased awareness and activity around managing information risk. Piecemeal activities inevitably fail. Sustainable information security requires a holistic approach, based on a practical information security management framework.
The previous article (Initiate) in this series on 'A framework for sustainable security management' laid the foundation for sustainable security management. Key objectives included: identification of stakeholders, establishment of senior management commitment to information security, establishment of a security driving force and establishment of individual accountabilities for all information and systems. This article (Part 3 in the series) focuses on the 'Assess' phase of the Information Security Management framework in Figure 1. This phase is designed to enable an organisation to assess the sum total of all security efforts and is the 'acid test' of security arrangements to date.
Figure 1. The Deloitte & Touche information security management framework
Key objectives for the Assess phase are:
* Identifying systems at high risk or critical to business operations and establishing the value of information to the organisation and its stakeholders.
* Assessing organisational culture in relation to information security.
* Assessing maturity of information security process controls in the organisation.
* Determining the susceptibility of the organisation's business systems to information security threats.
A benefit of achieving these objectives is an understanding of an organisation's risk appetite, based on decisions about the level of effort required. Another benefit is a realistic plan for managing the reduction of risk by closing security gaps, maturing processes and addressing behaviour.
Critical success factors for this phase are:
* The ability to identify and obtain access to information owners who understand the criticality of key systems.
* The culture profile audience is representative of the organisation and attends the workshops; user and management groups should be kept separate.
* Controls identified by the organisation are accurate and current maturity assessments are realistic.
* Permission can be obtained to conduct technical vulnerability assessments including administrative access to systems for host diagnostic reviews.
Tiaan van Schalkwyk, manager, Deloitte & Touche Security Services Group
Measures to protect the information of critical business processes should be commensurate with the value of the information. A criticality assessment establishes the value of information in terms of the impact of a loss of confidentiality, integrity or availability on an organisation's information systems. Impact should be measured in terms of financial, litigious, regulatory, reputation, organisational growth, management control and performance implications.
Criticality information allows the organisation to decide where the focus of all information security activities is needed most, enabling it to make the most of limited resources (budget and capacity). As an additional benefit, an organisation is forced to inventory its information assets and identify responsible information owners.
Based on criticality assessments, document recommendations of where security effort is to be focused and the order in which vulnerability, controls and corporate culture assessments should be conducted.
Technical vulnerability assessments identify areas of the organisation's environment that need to be addressed first and where the greatest risks to the successful implementation of an information security management system lie. Additionally, technical vulnerability assessments serve as a 'reality check', highlighting the results of all of the organisation's security efforts to date - what works well and what requires improvement, whether procedurally or administratively.
Assessments should be designed to address known security holes quickly. Determine vulnerability from within the organisation, from outside the organisation and from third parties (strategic business partners, suppliers, customers and clients) connecting to the organisation.
Based on the assessment, document, according to the criticality of the relevant systems, clear and concise recommendations outlining prioritised steps to address vulnerabilities.
To determine whether the controls put in place by management to manage risk to information and information resources are appropriate, conduct a controls assessment:
* Assess controls for relevance, adequacy and resilience in meeting business objectives for security.
* Design controls assessments based on best practice (CoBIT, ISF Standard of Good Practice and ISO 17799).
* Document recommendations outlining strengthening of controls, prioritised according to the criticality of business process.
This enables the security team to focus on long-term sustainability of the security programme through addressing process control weaknesses.
Profiling corporate culture
An organisation's personnel are the most cost-effective countermeasure to security threats. The values (what is important) and beliefs (how things work) of the people in the organisation, in the context of information security, interact with the organisation's systems and procedures to influence behaviour (the way we do things around here). A holistic approach to ensuring a security-positive environment requires an organisation to understand human behaviour and take corrective steps (awareness programmes, policies and procedures) to influence it.
Employ surveys and questionnaires to reveal the starting level of awareness of security issues (culture profile) and the behavioural change that is required to meet business needs for security. Answers to the following basic questions will help determine what is required to enhance the corporate climate:
* Would you be able to recognise bad security practices?
* If you recognise a bad security practice, would you be prepared to act?
* If you are willing to act, would you know what to do?
Recommendations for corrective steps, prioritised according to the criticality of the information affected, should outline improvements in policy objectives, awareness and education programmes and policy enforcement and monitoring mechanisms. Once again this enables the security team to focus on the long-term sustainability of the security programme.
The way forward
The Transform phase, Part 4 in this series, will focus on the steps towards transforming an organisation from its current state to a desired state of information security, based on the criticality and level of effort deemed adequate to address the risk.
Tiaan van Schalkwyk, manager, Security Services Group, Deloitte & Touche, Tel: 011 806 5000, Fax: 011 806 5202, email@example.com