Part 1 - Overview
In Part 1 of the article on 'A Framework for Sustainable Security Management', emphasis was placed on the holistic approach of managing information security by integrating the relevant people, processes and information technology to reach the organisation's information security goals.
Laying down the foundation for security management
In Part 2 of the series on 'A framework for sustainable security management', we will discuss the Initiate phase in more detail, focusing on the following areas:
* Obtaining active board and senior management oversight and direction by documenting a statement of management intent.
* Establishing a security driving force by setting up an InfoSec function.
* Establishing individual accountability by identifying system owners and custodians and documenting roles and responsibilities for security.
* Identifying stakeholders who will contribute to the security programme through a forum established to reflect business, IT and user interests. (Note: To be effective, the forum should include members with a background in security and the technical aspects of IT systems, as well as representatives of the providers and users of IT systems.)
The Initiate phase of the information security framework embraces some of the most important prerequisites for the organisation to reach its information security goals. Critical success factors related to the Initiate phase include:
* Understanding the global information security needs of the organisation.
* Identification of stakeholders who will support and demonstrate commitment by contributing through the information security forum, and who therefore participate in security-related decisions in the organisation.
* Stakeholders who fairly represent the organisation, so that all who are affected provide their input and therefore their buy-in.
* An information security team with clearly defined responsibilities, a common goal and sufficient resources.
Active board and senior management oversight and direction
For effective information security it is vital that all levels of management support the efforts of the information security team. Management commitment should be captured and utilised when the organisation's security goals, responsibilities and non-compliance regulations are communicated for user acceptance and sign-off. This document then forms part of the mandate for all other security initiatives to follow. The key messages of the Statement of Intent document are illustrated in Figure 2.
Establishment of a security driving force
Objective: To manage information security within an organisation including control and coordination of training and awareness initiatives.
The cornerstone of a successful information security management initiative is the establishment of an information security function with clearly defined roles and responsibilities that are understood and endorsed by senior management. A specialist information security function should be established, responsible for:
* Information security policy creation and maintenance.
* Risk assessment and analysis.
* Vulnerability exercises.
* Information security planning and strategy.
* Production and maintenance of IT security standards.
* IT security operations.
* Product assessment, selection and implementation.
* IT security education, training, awareness and advice.
* Future threat identification.
Establishing individual accountability
Information security is not just the Information Security Function's responsibility; it starts with each individual user. It is everyone's responsibility to be aware of the security issues related to the daily use of the organisation's computers. This contributes to the overall process of safeguarding the organisation's business systems and justifies identifying the key role players for addressing information security and documenting their individual responsibilities.
Detailed roles and responsibilities should be documented for:
Users are workers who have been granted access to the organisation's information and information systems in order to perform their jobs. Users also include contractors, third parties, part-time and full-time employees. Users need to be familiar with and adhere to the organisation's information security decisions as documented in the policies and standards.
Owners are employees who have been assigned the responsibility to protect the organisation's business information (typically business managers). An owner's responsibility may not be delegated to external service providers. Owners do not legally own the information in question; they instead make decisions on behalf of the organisation, which legally owns the information.
Custodians are the group charged with the secure planning, specification, design, development, modification, testing and operation of shared information systems and related communications networks, to ensure that the organisation remains well positioned to capitalise on future industry developments (typically IT administrators).
The way forward
In Part 3 of the series on 'A framework for sustainable security management' we will discuss the Assess phase, where the focus will be on determining the extent of all security efforts to date.