The requirements for IT departments are no longer just to ensure that the business can access email and files and to keep all of the company’s computers working. Information Security has moved to the top of the requirements list and beyond the firewall-protection mentality. This need, and the challenge of managing information assets, is now often a discussion at board level.
Management of IT security is strategic as well as tactical. Ensuring the proper knowledge, toolsets, projections and trends requires an information security strategy, and that strategy begins with an information security analysis.
Determine your Risk Tolerance to the Information Assets
One of the most challenging aspects of creating a proper management structure for Information Security is determining which information assets you need to protect. Risks are measured against the confidentiality, integrity and availability of those assets. An information security analysis, or risk analysis, should cover the assets, the threats to them, their vulnerabilities, the likelihood of occurrence and the impact if a threat is realized. The next step is for the business to determine its risk tolerance. With that information in hand, you can determine how much exposure the business is willing to accept for each asset. Most likely, this will lead to another critical discussion on the goals and objectives for business continuity and disaster recovery strategies.
Develop an Information Security Management Foundation for the Business
Organizations need to identify a sound control structure in order to manage the day-to-day security of their assets, including elements such as physical and environmental controls that fall under the IT team’s remit. A management structure needs a foundation. It should build on known standards such as ISO/IEC 27001 and the controls in its Annex A, or COBIT 4.1 (and sometimes both), to set the control structure for the protection of the identified assets. The management tier, though, needs to be viewed holistically: implementing a management system built on continuous improvement provides a balance of review, improvement and commitment.
Competence, Awareness and Training
Most organizations today include IT management at the strategic level. Internet searches still turn up blogs and articles from 2005-2007 describing the struggle to get IT management a seat at the business table as an uphill battle. Today that struggle is the exception rather than the norm. CIOs, CTOs and CSOs generally have a strong mixed background in IT and business, and many hold an Information Security degree or certification that lets them understand, at least conceptually, the requirements of IT and the business together. It remains an ongoing challenge to embed in management an awareness of the security needs and requirements of their organization. However, through security policy training, varying certifications and ongoing education, IT management can ensure the competence of the team and of the organization as a whole. This competence, awareness and training must be reviewed at least annually, because technology and the risks to the information assets are always changing.
Create a sustainable and improvable model
Creating a sustainable management structure for Information Security within an organization requires a good look at the “big picture”: what tactical requirements does IT have? What strategic requirements does the business have? What inputs and outputs are required to make the two a cohesive whole?
Many organizations seek out the skills of an Information Security consultant, who brings a set of “best practices” and the perspective of having seen multiple organizations. Combining a core business skill set with the viewpoint of an outsider is most likely the best option for ensuring the integrity of the structure.
There is also a newer business model introduced by ISACA (isaca.org) called the Business Model for Information Security (BMIS). Begun in 2008 under a formal agreement with the University of Southern California (USA) Marshall School of Business Institute for Critical Information Infrastructure Protection, BMIS aims to provide a holistic and dynamic approach to information security that is both predictive and proactive: it adapts to change, takes the organizational culture into account and delivers value to the business.
In summary, there is no need to reinvent the wheel to develop a quality management system for Information Security. Security standards, business models, experience and good controls are all critical elements of a successful program.