The Security Trifecta
Security does not have to be complicated. I have spent my career within information security demystifying what for some is like understanding a foreign language (or like raising teenagers). The fact of the matter is that by taking three well-defined, pragmatic steps, we raise the bar and achieve success: governance documentation, technological enforcement, and vigilant teamwork, all working together to promote security.
- Governance Documentation: The foundation for what we do is based upon the written word. We collectively, collaboratively, cooperatively establish standards that are based upon philosophy, legal requirements, best practices, and regulatory demands.
- Technological Enforcement: When governance documentation has been established, we set about implementing and enforcing those standards as much as possible through the usage of technology. Some technology implementations allow for the end user to exercise greater choice and control, whereas others strictly enforce our standards taking the human choice element out of the mixture.
- Vigilant Teamwork: The reality is that nothing works very well without teamwork. Controls and standards break down without careful tending, just as weeds take over our gardens without vigilance. We must regularly review our security standards to validate their relevancy, and we must remain agile enough to adapt to the changing business landscape, putting carefully considered revisions to our ongoing security program into practice.
Laying the Foundation for Success
Increase your success potential by executing a well-defined information technology and security policy implementation plan. Planning and preliminary preparations are integral parts of governance documentation development.
The custom-designed information technology and security governance documents have certain variables that will be unique to your particular organization, company, or business entity. Many of these variables require some research into your organization's current governance, technology, and monitoring conditions or capabilities. Typically, and as recommended, you will assemble a policy steering committee to compare and contrast the organization's baseline security posture; this is effectively the starting point for your governance documentation.
The corporate culture of the organization is very important when developing your information technology and security policies. People spend a significant part of their day in the workplace not just working but also interacting with other employees and business-supporting entities. It is very important to consider this corporate culture while developing and maintaining the organization's policies. The more free-spirited and open the organization is, the more flexible and adaptable your policies will need to be. If they are too restrictive, they will not be well received by employees in general, which will make security leadership exponentially more difficult. If the corporate culture is more formal, developing policies and standards that are more well-defined, with established boundaries, will be more successful during implementation. Keep in mind that how you write policies makes a big impact on their successful adoption. Language that is too demanding or strict, or that is too ambiguous or lacks focus, will have an impact on your success.
Regardless of the specifics of your organization's corporate culture, it is highly likely that your organization has not documented many policies or procedures. The process of creating information technology and security policies will close that gap and improve information security and risk management within the organization.
Policies, Standards, Procedures, or Guidelines
It might seem that the term you use to describe a particular governance document does not really matter, but you would be mistaken. While generically referring to all governance documents as policies is fine, the actual textual descriptions are very important. The reason for this need for specificity hinges primarily on regulatory taxonomy. Policies will be viewed as concrete directives, whereas standards are more transitive. You must strike a balance between maximizing security, risk management, and meeting regulatory requirements, while minimizing business impact.
External Regulations, within the context of this publication, refer to any external legislative mandate, regulatory obligation, or industry requirement facing the organization. Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), the UK Data Protection Act, and the Data Protection Act (India) are just a few examples of the plethora of regulations potentially facing your organization.
The most prudent first step in determining which external regulations apply to your organization is to consult the General Counsel, if your company has one, or an attorney who specializes in federal and international cyberspace law. There are inter-state, intra-state, federal, international, cross-border, and country-specific laws and regulations to adhere to. Keep your facts straight to prevent any unwanted consequences from occurring.
The Corporate Charter for information technology and security serves as the capstone document for the Information Security Program. The information security charter defines how the organization approaches security and whether a governance framework will define the trajectory of the complete set of information technology and security governance documents. This, of course, sets the foundation for the technical controls, monitoring, testing, and ongoing pace of the entire security program.
Choose wisely and ensure that whatever framework you select, it is comprehensive. There are logically seven overarching topical areas applicable to Information Security. First, there is the asset identification and classification category, second, the asset protection category, third, the asset management category, fourth, the acceptable use category, fifth, the vulnerability assessment and management category, sixth, the threat assessment and monitoring category, and finally, the security awareness category.
Corporate Policies are specifically used to establish the holistic requirements and guiding principles used to set direction in an organization. They can be a course of action to guide and influence decisions. Policies should be used as a guide to decision making under a given set of circumstances, within the framework of objectives, goals, and management philosophies as determined by senior management. An example of this would be that your comprehensive information technology and security program includes the holistic set of controls covering asset identification and classification, asset protection, asset monitoring, asset management, acceptable use, vulnerability assessment and management, threat assessment and monitoring, and security awareness.
Corporate Standards are specifically used to define some of the overarching specifics mandated by the higher-level policies. They are used to establish normal operations or requirements as they apply toward technology-based systems. Information Security standards provide more measurable guidance in each policy area. They establish uniform engineering or technical criteria, methods, processes and practices. A standard may also be used as a controlling artifact or similar formal means used to establish evidence of review activities, governance expectations, compliance requirements, and other regulating activities included in your information technology and security governance program. An example of a standard would be defining the encryption cipher strength permitted for corporate business applications as defined by the encryption standard.
Corporate Procedures or guidelines are specifically used to articulate in great detail the steps, configuration specifics, and production requirements necessary for the designated usage of corporate information assets and business applications. Information Security procedures describe how to implement the standards. An example would be that employees should not cite or reference clients, partners, or suppliers without their approval. When you do make a reference, where possible, link back to the source, as required by the company's Social Computing Guidelines governance document.