To give you a bigger picture of what has to be considered, I want to discuss what you should keep in mind when defining an IT Security Management process.
Our own experience, combined with research from external sources, shows that in the vast majority of companies "security" consists only of incident management: reacting to problems as they occur. The only way a company can achieve long-term success is to implement an effective IT Security Management framework that also works proactively.
Good Security Management builds on an established, industry-accepted framework. Examples include COBIT, COSO, ITIL and the ISO standards; we chose ISO in combination with the requirements set forth by the BSI.
The framework should provide a complete overview of security across the organization. The following items should be addressed within it:
- The overall company strategy
- The security demands/requirements of the company
- Control mapping of available assets against risks
Initially, look closely at the overall company strategy to understand what the organization's needs are with regard to security. This understanding helps you create a "security culture" that is present and accepted at all levels once IT Security Management has been implemented.
When implementing Security Management within your organization, it is essential to take the needs of the organization into consideration and balance them against the requirements of the security framework you have chosen. Neither side may dominate the other: if you force the organization to adopt unnecessary or overly rigid security practices, employees will not accept them and will work around them; if you do not meet the requirements set forth by the framework, you will have difficulty providing adequate coverage. This is especially critical if you plan to obtain an information security or business continuity certification, because the auditor will check the framework's requirements, not your local compromises. Always approach implementation with "CIA" in mind: the Confidentiality, Integrity and Availability of data.
Finally, the key to a successful security framework is to map your available assets against operational risk, and to map both of these against the control mapping for the organization: every asset should have its relevant risks identified, and every significant risk should be traceable to a control that mitigates it. The lifecycle graphic shows how all of these elements come together to provide the best possible coverage.
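As an added illustration of that asset/risk/control mapping (example code written for this edit, not part of the original post or of any framework's own tooling): a small Python risk register in which each asset carries CIA protection requirements, each risk names the asset and the CIA dimension it affects, and controls are mapped to the risks they mitigate. A gap analysis then lists the high-scoring risks that no implemented control covers. The asset names, scores, control labels and the threshold of 9 are constructed placeholders; in practice you would use your chosen framework's control identifiers.

```python
"""Asset / risk / control mapping with a simple gap analysis.

Added example; all assets, risks, control labels and scores below are
constructed for illustration and are not from the original post.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    # Protection requirement for Confidentiality, Integrity, Availability
    # (1 = low, 2 = medium, 3 = high), as derived from the company strategy.
    cia: tuple[int, int, int]


@dataclass
class Risk:
    name: str
    asset: str              # key into the asset register
    affects: str            # "C", "I" or "A": the CIA dimension at stake
    likelihood: int         # 1..3
    impact: int             # 1..3
    # Control labels that mitigate this risk (placeholders; use your
    # framework's control identifiers here).
    controls: list[str] = field(default_factory=list)


def risk_score(risk: Risk, assets: dict[str, Asset]) -> int:
    """Inherent risk: likelihood x impact, weighted by the asset's
    protection requirement for the affected CIA dimension (max 27)."""
    weight = assets[risk.asset].cia["CIA".index(risk.affects)]
    return risk.likelihood * risk.impact * weight


def gap_analysis(assets: dict[str, Asset], risks: list[Risk],
                 implemented: set[str], threshold: int = 9) -> list[tuple[str, str, int]]:
    """Risks at or above the threshold that no implemented control mitigates.

    Risks below the threshold are treated as accepted even without a control,
    which is what keeps the framework from demanding controls nobody needs.
    """
    gaps = []
    for r in risks:
        score = risk_score(r, assets)
        if score >= threshold and not (set(r.controls) & implemented):
            gaps.append((r.name, r.asset, score))
    return sorted(gaps, key=lambda g: g[2], reverse=True)


def coverage(risks: list[Risk], implemented: set[str]) -> float:
    """Fraction of registered risks that have at least one implemented control."""
    if not risks:
        return 1.0
    covered = sum(1 for r in risks if set(r.controls) & implemented)
    return covered / len(risks)


# Constructed sample register (illustrative values only).
ASSETS = {
    "customer-db": Asset("customer-db", (3, 3, 2)),
    "public-website": Asset("public-website", (1, 2, 3)),
    "build-server": Asset("build-server", (2, 3, 2)),
}
RISKS = [
    Risk("database credentials leaked", "customer-db", "C", 2, 3,
         ["access-control", "encryption-at-rest"]),
    Risk("DDoS on website", "public-website", "A", 3, 2, ["ddos-protection"]),
    Risk("tampered build artifacts", "build-server", "I", 2, 3, ["signed-builds"]),
    Risk("stale website content", "public-website", "I", 1, 1, []),
]
# Controls the organization has actually rolled out so far.
IMPLEMENTED = {"access-control", "ddos-protection"}


if __name__ == "__main__":
    for name, asset, score in gap_analysis(ASSETS, RISKS, IMPLEMENTED):
        print(f"GAP  {score:>2}  {asset:<15} {name}")
    print(f"coverage: {coverage(RISKS, IMPLEMENTED):.0%}")
```

Running it reports one gap ("tampered build artifacts" on the build server, score 18) and 50% coverage: the low-scoring "stale website content" risk has no control but falls below the threshold, so it is accepted rather than flagged. Adding "signed-builds" to the implemented set closes the remaining gap, which is exactly the loop the lifecycle describes: assets drive risks, risks drive controls, and the control mapping is re-checked as both change.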
In my next post, I will go over the other elements of Security Management: Tactical and Operational Security Management.
Until next time!