A three-step process will let you bridge the divide between your current security regime and a more robust system
Information security is not just an IT issue. Organisations rely on technology for business operations more than ever before. At the same time, internet threats are appearing with unprecedented speed and complexity, putting business assets at increased risk. What is more, government and industry regulations are challenging businesses to meet a range of very strict requirements for information security.
It is all about confidentiality, integrity and availability. Programs must protect sensitive information from unauthorised disclosure or access. The integrity of information must not be compromised. And it must only be accessible by authorised individuals whenever, wherever and however they need it.
As a result, many businesses are devoting more of their time and resources to developing a formal, structured information security programme that helps to ensure the security of business assets and operations.
Developing and maintaining an information security programme is a three-step process that is repeated and updated over time. The steps are: measuring an existing programme; identifying and implementing necessary improvements; and managing the ongoing process.
The first step, measuring where you are, can be completed with the input of key managers, who articulate their understanding of the company's strategic objectives, the current business environment, expected industry changes, and tactical issues such as which security issues need immediate action and what effect those issues have on the business.
By linking strategic business goals with information security needs and identifying unique IT security challenges and opportunities, a framework is established.
In the next phase the gap between reality and desirability becomes apparent, and a roadmap is developed to close that gap.
Assessing the information security architecture is an opportunity to ask - and answer - tough questions. Does the organisation have a formal strategy or plan? If so, how well has it been working? Is its effectiveness even measurable? Has it been independently reviewed?
Although documenting the existing environment does not need to be detailed and exhaustive, it should provide a snapshot of the state of the programme and address the core components of people, processes and technology.
One of the most practical ways to gauge effectiveness is to compare your programme with industry best practices. Scorecards can make it easier to grade programmes in key areas.
Once the existing programme has been assessed, the organisation must take a broad and unconstrained look at what an effective information security environment would look like. That might be a formal organisation responsible for information security, or the provision of ongoing company-wide security awareness training.
The resulting security gap highlights the difference between current and future information security architectures. In analysing this gap, you should separate strategic activities that ensure long-term success from more pressing tactical issues requiring immediate attention. The gaps are then categorised into high, medium and low priorities to make it easier to ascertain the relative importance of each.
This gap analysis provides the basis for the final step. With the results of the gap analysis in hand, an information security roadmap can be developed. To ease investment decisions without sacrificing needed security, the roadmap can address future funding issues using a return on investment approach. This could include both one-off and ongoing costs or even compare the cost of security against the cost of a security breach.
When you have determined the most appropriate investment level, you can set out strategic initiatives and tactical plans, along with a timeframe for meeting those objectives. For best results, the roadmap should summarise programme activities for the next two years. For example:
- A strategic people-related initiative might be to create and staff a separate information security organisation within a year. An associated tactical plan might be to clarify the roles and responsibilities for such an organisation in the next two months.
- A strategic process-related initiative might be to publish information security policies on the corporate intranet within nine months. An associated tactical plan might be to develop a consistent format for those policies within the next three months.
- A strategic technology-related initiative might be to have an independent third-party audit of the programme within a year. An associated tactical plan might be to document changes to the computing infrastructure in the next 90 days.
With the roadmap complete, you can develop a much more detailed implementation plan that logs progress toward each strategic initiative and its associated tactical plan. This project plan is also a valuable tool for reporting to management on the steady improvement in information security efforts.
Just as the security lifecycle is a continuous process of measuring, improving and managing, so an information security programme is a dynamic plan that must be regularly reviewed and revised. Constant corrections are needed as new business challenges arise and information security must adapt. In fact, the programme implementation process itself typically changes how a company conducts business.
Achieving a completely secure enterprise is not a realistic goal. Security threats are simply too pervasive and unpredictable and enterprise networks too complex to be able to guarantee the confidentiality, integrity and availability of all systems and information all the time. But by continuously implementing incremental security measures that ultimately reduce risk, closing the security gap can become a business reality.
Mark Egan is CIO and vice president of IT at Symantec
Symantec can be found at InfoSecurity at stands 530/581