As I discussed in my previous post, the only way a company can achieve long-term success is to implement an efficient IT Security Management framework.
Once your IT Security Management Framework (modeled on an established and industry-accepted standard such as COBIT, COSO, ITIL, and/or the ISO standards) has been implemented, you need to think about the everyday application of your security practices. This is most effectively done through Operational Security Management.
Let’s define this concept:
- Operational IT Security Management is the regular testing of the implemented IT Security Processes to ensure that IT Systems meet security requirements. These requirements must be aligned with the business requirements and must follow an adequate risk management approach. This includes gap analysis and gap closure following the IT Risk & Security lifecycle model. Compliance must be assured for each and every system within the system landscape. On our side, we developed and established a lifecycle that helped us implement solid Operational IT Security Management; it looks like this:
In this picture, you can see how the steps of Operational IT Security Management work:
The first step is to inventory all systems operated and maintained by your organization. System changes need to be reflected in the IT Inventory immediately, and a full IT Inventory review must be performed at least once a year – I would recommend more often. Once this is done, every new system must be assigned to a system category according to the criticality of the data / information stored or processed within it. The business owner, together with the IT system owner, has to define the required level of protection regarding:
- Availability and backup requirements
- Disaster recovery requirements: Business impact and maximum allowed down-time
Classification is a requirement for each IT system – it is determined by the classification of the information stored or managed within that system. The IT security measures chosen on the basis of the system classification must be aligned with the business requirements. This includes mapping the measures to the relevant assets / systems and assigning the corresponding risk. The operational risk resulting from the final classification, as well as its mapping to mitigating controls, must be evaluated.
Now comes the critical part – Gap Analysis and Risk Assessment. It is extremely important to take a long, hard look at the currently implemented security measures and then check them against the current security requirements. Identified gaps must be documented and presented to the corresponding LoB Management. Once they have had the opportunity to review this information, they must either provide mitigation suggestions, which should result in security-related projects, or accept the risk as it exists.
Finally, once all of this has been done, you have to come up with an implementation plan to cover the missing or inadequate security measures you have uncovered. This is done according to the criticality of the related risks to be mitigated. A time frame for this implementation must be agreed upon, and the plan must be executed within that time frame to ensure that all your bases are covered.
Last but not least, you have to ensure through an effective monitoring approach that the implemented IT Security measures are working appropriately and efficiently, so that the related risk is really mitigated in the way you intended.
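The lifecycle above (inventory, classification, gap analysis, prioritized implementation plan, monitoring) is easier to reason about as a small data model. The following is an added example, not code from the original post or from the author's organization; the three classification tiers, the control names, the owner fields and the sample inventory are all constructed for illustration, and a real landscape would derive the required-control sets from its own classification policy.

```python
"""Added example (not from the original post): a minimal model of the
Operational IT Security Management lifecycle described above.
Classification tiers, control names and the sample inventory are constructed."""
from dataclasses import dataclass, field

# Assumption: three classification tiers; each tier requires a set of controls.
# A higher tier inherits the requirements of the lower ones.
REQUIRED_CONTROLS = {
    "low": {"backup_daily", "patching"},
    "medium": {"backup_daily", "patching", "mfa", "centralized_logging"},
    "high": {"backup_daily", "patching", "mfa", "centralized_logging",
             "disaster_recovery_plan", "encryption_at_rest"},
}

# Gaps on higher-classified systems are scheduled first in the implementation plan.
PRIORITY = {"high": 0, "medium": 1, "low": 2}


@dataclass
class System:
    """One entry of the IT inventory (step 1)."""
    name: str
    business_owner: str
    it_owner: str
    data_classification: str          # classification of the data it holds
    max_downtime_hours: int           # disaster-recovery requirement
    implemented_controls: set = field(default_factory=set)
    risk_accepted: bool = False       # LoB Management accepted the residual risk


def classify(system: System) -> str:
    """Step 2: the system category follows the classification of its data.
    An unclassified system is a process failure, not a valid state."""
    level = system.data_classification
    if level not in REQUIRED_CONTROLS:
        raise ValueError(f"{system.name}: unknown classification {level!r}")
    return level


def gap_analysis(inventory: list) -> list:
    """Step 3: compare implemented controls with the tier's requirements.
    Returns the open gaps sorted by criticality, which is the order the
    implementation plan (step 4) should follow. Accepted risks are excluded
    because LoB Management has already taken the decision on them."""
    gaps = []
    for system in inventory:
        level = classify(system)
        missing = REQUIRED_CONTROLS[level] - system.implemented_controls
        if missing and not system.risk_accepted:
            gaps.append({
                "system": system.name,
                "level": level,
                "missing": sorted(missing),
                "owner": system.business_owner,
            })
    return sorted(gaps, key=lambda g: (PRIORITY[g["level"]], g["system"]))


def compliance_summary(inventory: list) -> dict:
    """Step 5: monitoring view. Every system must be either compliant or
    carry an explicit risk acceptance; anything else is an open gap."""
    summary = {}
    for system in inventory:
        missing = REQUIRED_CONTROLS[classify(system)] - system.implemented_controls
        if not missing:
            summary[system.name] = "compliant"
        elif system.risk_accepted:
            summary[system.name] = "risk accepted"
        else:
            summary[system.name] = "gap"
    return summary


# Constructed sample inventory for illustration.
SAMPLE_INVENTORY = [
    System("hr-db", "HR", "DBA team", "high", 4,
           {"backup_daily", "patching", "mfa", "centralized_logging",
            "encryption_at_rest"}),
    System("intranet-wiki", "Comms", "Web team", "low", 72,
           {"backup_daily", "patching"}),
    System("crm", "Sales", "App team", "medium", 24,
           {"backup_daily", "patching"}),
    System("legacy-reporting", "Finance", "App team", "medium", 48,
           {"backup_daily"}, risk_accepted=True),
]

if __name__ == "__main__":
    for gap in gap_analysis(SAMPLE_INVENTORY):
        print(f"{gap['level']:6} {gap['system']:16} owner={gap['owner']:8} "
              f"missing={', '.join(gap['missing'])}")
    print(compliance_summary(SAMPLE_INVENTORY))
```

Running the block lists the hr-db gap before the crm gaps because of its higher classification, while legacy-reporting shows up in the monitoring summary as "risk accepted" rather than as an open gap. Re-running `gap_analysis` after each inventory change is the "regular testing" the definition above calls for; an inventory entry without a valid classification stops the run instead of being silently skipped.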
In my next post, I will go over another element of Security Management: Tactical IT Security Management.
Until next time!