In the first article of this series, we identified and provided examples of the types of issues that need to be resolved if organisations are to correctly manage risk in the area of information security. If we combine the impact of these trends and issues with the fact that most enterprises are being forced to cut costs in order to remain competitive the true magnitude of the problem becomes apparent. Simply put, information security managers have to secure more complex environments, faster and using less resources.
In order to achieve this, it will be necessary to have a clear idea of the principles underlying the overall approach to securing information. The key ideas underlying the approach described in this series of articles are as follows:
· The approach should ensure that the level of information security-related risk accepted by the enterprise is in line with business expectations.
This involves ensuring that business managers are fully aware of the risks associated with different business alternatives and that any decision to accept or reject risk is taken with this in mind. Note that the requirement does not reference any external standard or best practice. It is quite acceptable to take risk as long as this is done in a controlled manner.
· Legal and regulatory requirements must be met and it must be possible to demonstrate this fact.
Even if enterprises are compliant with legal and regulatory restrictions, an inability to demonstrate this may lead to significant additional costs as a result of negative audits.
· It should be possible at all times to react quickly to business requirements, whilst still continually improving the overall control framework. In other words, the approach should allow for both tactical work and strategic work.
Very few organisations have the level of maturity required to satisfy all business requirements using the existing control framework. The vast majority of organisations will therefore need to pursue both tactical and strategic objectives to make the most of business opportunity.
· Compromise is essential, but it has to be done in the right way. Fast risk analysis techniques should be used to compare alternative actions on the basis of risk.
Most security practitioners accept the fact that security is not perfect, but some might find it difficult to accept solutions that are not in line with market standards. The ability to compromise is important in this area, but it is equally important that compromise be achieved in the right way. Fast risk analysis is a useful tool for making management aware of the risks they are taking. If management are prepared to sign off the risk and there is no legal or regulatory issue at stake, this is OK.
There are of course many other principles that could have been cited in this section. However, a deliberate attempt has been made to concentrate on the most fundamental principles; those related to managing the risk.
For many security managers, introducing an approach based on these principles will be complicated by the fact that the existing approach does not allow them to influence opinion where it matters; at the top. Under these conditions, any attempt to introduce change needs to be carefully planned, taking account of the personalities involved and their expectations. This is a key point - analytical documents do not in themselves initiate change, whereas correctly managing relationships within the enterprise does.
For this purpose, we divide the overall plan to re-orient the approach into two distinct phases. The high-level objectives of the first phase, which we shall refer to as the consolidation phase, are to establish credibility, to build up a network of contacts, to identify where changes should be introduced and to wind down any activities that are unlikely to be unprofitable in the long-term. The major deliverable of the consolidation period is the information security strategy. In order to produce a realistic strategy, it will be necessary at an early stage to assess the level of maturity of the current approach, as this will determine how much effort is likely to be spent on tactical initiatives and how much is available for strategic initiatives. In general, less mature organisations will need to foresee more tactical activity, whereas mature organisations will be able to devote more time to strategic initiatives
At the end of the consolidation period, the information security approach should be driven by a series of strategic planning cycles. A complete planning cycle should ideally span a period of about three to five years. The strategic planning cycle encompasses four key steps, which can be thought of as essentially sequential, but which in reality overlap to some extent. The steps are, not surprisingly, the definition of a strategy (which doesn't need to be done for the first cycle as it is done during the consolidation period), the production of a strategic plan, execution of the plan and monitoring and improvement.
In the next article, we will take a more detailed look at the consolidation period.
Steve Purser is the director ICSD Cross-Border Security Design and Administration at Clearstream Services, Luxembourg and is also a founder member of the Club de Sécurité des Systèmes Informatiques au Luxembourg (CLUSSIL). The themes of this article are developed further in the author's newly published book "A Practical Guide to Managing Information Security" (Artech House (2004)).