
Security Strategy Development

Building an Information Security Management Program


Information Security Management

A sound information security management program involves more than a few strategically placed firewalls. These safeguards, while important, are only truly effective as part of an overall information security management system. The integration of existing security technologies and processes into a cohesive framework for security management will ultimately reduce inefficiencies and redundancy and ensure the manageability of those solutions. A comprehensive security program should contain the proper balance between people, processes and technology to effectively manage risk with minimal impact on normal business operations.

In order to build an appropriate information security program, an organization should assess and define their specific security requirements, design a solution that meets those unique requirements, deploy the necessary policies, technology and procedures, and continuously maintain, adapt and improve that solution. An organization’s overall security strategy will provide a framework for defining those elements necessary in building and maintaining a sound security management program.

Strategic planning can take many forms, but the end result should yield a documented approach for achieving goals set within the framework of a specific strategic objective. In the case of information security, the strategic objective is the satisfaction of protection requirements for an organization’s information assets.

Strategic Planning Process (figure): Laying the Groundwork, Assessing the Need, Designing the Strategy, Defining the Roadmap, Documenting the Plan

Laying the Groundwork

The first step in building a security strategy is the development of a work plan for the planning process itself. This step includes:

Formulation of the planning team

Identification of specific issues or choices that the planning process should address

Identification of information that must be collected to help make sound decisions

The planning team should be carefully selected. These individuals should represent various departments within the organization that will be directly involved in the execution of the planned strategy. The participants should have a commanding knowledge of their department’s operations and should have the authority to make decisions regarding the strategy and their department’s involvement in the execution of that strategy.

The planning team should also include individuals possessing expertise in information security to serve as subject matter experts. These individuals should provide input on best practices in information security and insight into the security practices of other organizations based upon their experience.

Planning sessions are most successful when a neutral third party acts as meeting facilitator. The facilitator should guide conversation according to the work plan and keep the team on schedule and on topic. The facilitator helps the team develop the security approach by listening to the opinions of the group, translating those opinions into ideas and gaining consensus on decisions. As a neutral third-party participant, the facilitator can ensure that the minority voice is heard and aid in the decision-making process.

Assessing the Need for Security

In developing the security strategy, an organization should first determine their business requirements for security and how security fits into the overall goals of the organization. The following should be taken into consideration:

Critical business requirements

Security initiative mission

Current state/Desired state of security

The team should begin by gaining consensus on the key business processes within the organization for which the confidentiality, integrity and availability of the computer systems supporting those processes are most critical.

Next, the group should evaluate IT initiatives currently underway to determine the driving forces behind this security initiative. This should lead to the definition of the security mission for this organization. The determination of this mission will provide the parameters for building the plan for security.

It is likely that the organization has already implemented security processes, procedures and technology to manage security risk. The team should review the current safeguards already in place and evaluate the effectiveness of these solutions. This exercise is most effective when framed around best practice standards for information security. For example, ISO 17799 contains a set of best practice security controls organized within the following major areas:

Information security policy

Security organization

Assets classification and control

Personnel security

Physical and environmental security

Computer and system management

System access control (internal and across open networks)

Systems development and maintenance

Business continuity planning

Compliance

At the end of this phase, the team should be able to determine the requirements for their security management program.

Designing a Security Strategy

Once the team has a clear understanding of the desired outcome for information security, the approach for how to reach that outcome must be developed. The team will work during this stage of the planning process to determine the approach necessary to implement general security controls that will meet their requirements. The following topics should be addressed:

Strategy Objectives and Measurements

Assumptions and Constraints

Clear objectives for developing and implementing a security strategy should be defined, and the achievement of those objectives should be measurable. For example, an organization that has had problems with the spread of computer viruses amongst their user community may determine that one of its objectives is to reduce the number of virus incidents to some acceptable number per year. This organization will likely implement a combination of anti-virus technology and procedures as part of its security implementation plan, and they will keep records of each virus incident to measure the satisfaction of this objective.

In order to select security controls and identify tasks necessary to implement the defined approach, certain assumptions need to be made. These assumptions should be acknowledged prior to defining the approach. The purpose of defining the constraints is to clearly understand the boundaries in which the strategy must be formulated.

The strategic planning team must determine how they will go about satisfying each requirement for their security management program. During this stage of the planning process, the team will outline the strategy’s approach. The security strategy approach will likely consider the following areas:

Asset and data valuation

Vulnerability and threat assessment/management

Legal and regulatory requirements

Security policy and standards development

Technology implementation

Secure network design

Procedural development

Staffing and training

Ongoing security management

Defining the Security Roadmap

Now that the team has developed their strategic approach to building an information security management program, a high-level project plan should be developed which will outline the steps necessary to put the strategy into action.

This plan will provide the team with a “roadmap” for implementing their security strategy. In developing this action plan, the group should consider the following:

Roles and responsibilities

Required tasks and task owners

Timelines and milestones

Documentation and Management of the Strategic Plan

The events and results from each phase of the planning process should be documented and should reflect the consensus of the team. This document should outline the strategic plan in terms of:

Security Mission

Information Security Management Program Requirements

Strategy Objectives, Measurements and Approach

Assumptions and Constraints

Roles and Responsibilities

Program Risks

Project Plan or Roadmap

Security Implementation

This strategic planning process should provide a high-level plan for implementing a comprehensive security program. The resulting “roadmap” to security will provide the framework for developing detailed project plans for the execution of specific security initiatives that support the defined security strategy.

About Internet Security Systems (ISS)

Internet Security Systems, Inc. (ISS) (Nasdaq: ISSX) is the leading global provider of security management solutions for the Internet. ISS protects critical information and network resources from attack and misuse. By combining best of breed software products, market-leading managed security services, aggressive research and development, and comprehensive educational and consulting services, ISS is the trusted security provider for thousands of customers around the world.

Copyright © 2001, Internet Security Systems, Inc. All rights reserved worldwide.

Internet Security Systems, the Internet Security Systems logo, The Power To Protect, X-Force, ADDME, Internet Scanner, System Scanner, Database Scanner, Online Scanner, ActiveAlert, X-Press Update, FlexCheck, SecureLogic, SecurePartner, SecureU, Secure Steps and RealSecure are trademarks and service marks, and SAFEsuite a registered trademark, of Internet Security Systems, Inc. Other trademarks and trade names mentioned are marks and names of their owners as indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.
