A security program comprises many layers and operates best following a top-down approach, as shown above. The top layers of a security program deal with strategy, risk and governance, whilst the lower levels deal with operational tasks. Two approaches exist for the design and implementation of a security program: top-down and bottom-up. A top-down approach is driven by senior-level managers, uses a risk-based approach and ensures that the necessary resources and funding are available for success. This approach has strong upper management support, one or more dedicated champions, usually dedicated funding, a clear planning and implementation process and a direct means of influencing organisational culture. A bottom-up approach rarely delivers good outcomes, as it focuses on addressing point issues or weaknesses (symptoms) and often ignores the bigger picture (root causes). It is driven by the technical expertise of the IT department and can lack participant support and organisational staying power. Cyber Risk advocates a top-down approach as the most effective.
A well designed, implemented and managed security program addresses all of the questions below:
- Do we treat cyber security risk as a business risk? Does management understand that they must be part of the decision-making process for managing the organisation’s information assets?
- Does our security program align and support our business goals?
- How integral is information security as part of our corporate culture?
- Do we have the basics right? (Controlling access to data, secure system design and builds, managing virus outbreaks, protecting our internal systems from web-based threats, etc.)
- Have we identified our most valuable business processes and the data that enables them? Do we know where the data is stored, who is accessing it, when and how they access it?
- How well do our third-party suppliers manage and protect the information we provide them? How do we know that they meet our requirements and standards for information security?
- Are we compliant with all applicable laws and regulations?
- How do we evaluate the strength and effectiveness of our security posture? How do we address any weaknesses identified?
- How do we monitor our systems for signs of a data breach?
- What is our plan for responding to a data breach?
- Do we have tested plans for the recovery of our systems in the event of a disaster? How do we keep key business processes operational whilst we are recovering our IT systems?
Risk management is the process of identifying, assessing and responding to risks, and communicating the outcomes to the appropriate parties in a timely manner. It involves determining an acceptable level of risk (risk appetite and tolerance), calculating the current level of risk (risk assessment), and then either accepting that level of risk (risk acceptance) or taking steps to reduce risk to the acceptable level (risk mitigation). An effective risk management system:
- Improves planning processes by enabling the key focus to remain on core business and helping to ensure continuity of business processes
- Reduces the likelihood of potentially costly ‘surprises’ and assists with preparing for challenging and undesirable events and outcomes
- Contributes to improved resource allocation by targeting resources to the highest level risks
- Improves efficiency and general performance
- Contributes to the development of a positive organisational culture, in which people understand their purpose, roles and direction
- Improves accountability, responsibility, transparency and governance in relation to both decision-making and outcomes; and
- Adds value as a key component of decision-making, planning, performance and resource allocation.
An effective security program should provide a linkage between the organisation’s business objectives and the controls put into place to protect its critical information assets. A business-driven approach aligns security efforts to enable an organisation to reach its business objectives whilst minimising the risk to achieving those objectives. The traditional approach to information security risk management identifies risk based on an analysis of possible threats. Using this approach, the relationship between the possible threats and the business impact of the risk eventuating is missing. Threat-based approaches also do not consider any potential opportunities that might arise from embracing the risk.
An understanding of an organisation’s business drivers for security allows questions such as the following to be answered.
- What needs to be secured?
- Why does it need to be secured and in what priority?
- How much or how little security is good enough and how much do I need to spend?
- How will I know when my organisation has been “secured”?
- How will I measure success?
When designing an effective security program, a balance must be sought between security controls to protect information assets and the ability of the organisation’s people to be productive, run the business and share and use information easily. Assets that are of critical value to the organisation must be protected by appropriate controls in line with its appetite for risk. Different organisations will have different goals and objectives, hence their requirements for security will differ. Since resources are limited, a business-driven approach allows an organisation to focus on and prioritise the most important elements to be addressed.
Not every piece of data is created equal. Data classification is an exercise designed to understand how important the different types of data in use are to the organisation in achieving its objectives. Data classification enables an organisation to appropriately and efficiently protect sensitive data. Information classification is the embodiment of management’s tolerance of information risk: it categorises data to convey the required safeguards for information confidentiality, integrity and availability. These protection measures are usually based on the value of the information to the organisation and risk tolerance. Without classifying or categorising data, organisations will typically treat all data the same way, which rarely reflects the true differences in value among data sets. Data classification is a powerful tool that can help determine what data is appropriate to store and/or process in different computing architectures, like the cloud or on premises. Without performing data classification, organisations might under-estimate or over-estimate the value of data sets, resulting in inaccurate risk assessments and potentially mismanaging the associated risk. In addition to understanding the nature of the data, an organisation must also understand where the data is stored and create a data inventory. Once this is understood, the specific control requirements for how different datasets are to be protected can be defined, documented and implemented.
Security Leadership and Strategy
Security leadership and strategy is concerned with the level of sponsorship and support the security program receives from senior business management. How committed is the business to information security? Support from the highest level of the organisation helps shape the culture of the organisation and the attitude of its people to information security. A security strategy articulates how the security program will support the organisational strategy. This layer also deals with metrics and measurement of the security program. Creating a culture of security requires positive influences at multiple levels within an organisation. Having an Information Security Steering Committee is a crucial element of security leadership and provides a forum to communicate, discuss, and debate on security requirements and business integration. Typically, members represent a cross-section of business lines or departments, including operations, risk, compliance, marketing, audit, sales, HR, and legal.
This layer is concerned with the size, structure and reporting lines of the people and teams directly and indirectly supporting the security program. It also looks at their skills, qualifications and experience.
Security policies comprise the policies, standards and guidelines that have been developed to describe the organisation’s information security requirements. Policies guide the implementation of controls and in so doing embody the organisation’s risk appetite. Risk appetite is broadly defined as the amount of risk an entity is willing to accept in pursuit of its mission. Risk tolerance is tactical and specific to the target being evaluated. Risk tolerance levels can be qualitative (for example, low, elevated, severe) or quantitative (for example, dollar loss, number of customers impacted, hours of downtime). It is the responsibility of the Board of Directors and executive management to establish risk tolerance criteria, set standards for acceptable levels of risk, and disseminate this information to decision makers throughout the organisation. The dissemination is usually achieved through documented policy.
This layer deals with the processes for day-to-day management of security, including:
- Security event and threat management – the review and analysis of security logs to identify actual and potential attacks. Analysis of the current threat landscape and how it might impact the organisation, for example, what attacks are most common at the moment, what new vulnerabilities have been discovered and what is their potential impact?
- Investigation and resolution of security alerts and incidents
- Security incident management – Prioritise and respond to security incidents with the goal of limiting the damage caused
- Vulnerability management – proactively assessing and finding vulnerabilities before they are exploited by attackers
- Security awareness and training – educating end users on good security practices
- Third party risk management – relationships with third parties such as external suppliers and vendors can introduce risks that must be proactively identified and appropriately managed
- Systems development and implementation – the process by which new software/systems or changes to existing software/systems are developed and migrated into the production environment
The user lifecycle has a number of different stages, from creation of a user account, through updates to access due to changes in the user’s job, and finally to termination. It also deals with the approval and periodic review (user attestation) of the access permissions assigned to user accounts. For example, access should be based on least privilege and enable the segregation of incompatible duties. An important element of user management is the monitoring and control of “super user” or administrative access rights. Other factors to consider here include things such as single and consistent sign-on. What is the end user experience with regard to security in the organisation?
Infrastructure and Application Security
This layer is concerned with securing the technology that is used by the organisation to manage its information assets:
- Networks (firewalls, routers, remote access systems etc.)
- Web services, Application Programming Interfaces (APIs) and integrations (how we move data across our organisation and outside of it)
- Operating systems
- Wireless networks
- Mobile devices
- Security systems such as anti-virus, security information event management, two-factor authentication and intrusion detection and prevention
Physical Security and Continuity
The physical security of the facility that contains the infrastructure supporting the organisation’s information technology systems is considered in this layer, as are the organisation’s plans and procedures for managing disasters and business continuity events. These plans are critical in ensuring that any disruption to the business is kept to a minimum.
Security Awareness and Digital Safety Culture
Many business leaders do not commit enough resources to security training and awareness, following a “compliance is enough” attitude. However, this is the problem: awareness initiatives are sporadic, with materials that reflect the minimal, uninspired investment in compliance-focused activities. Meanwhile, security technologies that are critical to protecting environments are often rendered useless due to easily avoidable human factors. In fact, the root cause of the majority of security incidents and breaches is human error. In this component, the following is considered:
- How much management support exists for security awareness?
- What type of security awareness activities have been completed or are planned for the future?
- Is the success of the security awareness program measured? If so, how is it measured?
Measuring something gives you the information you need in order to make sure you actually achieve what you set out to do. A security program must be measured regularly to ensure that it is delivering the planned benefits in order to achieve the organisation’s goals and objectives. This area is concerned with ensuring that meaningful metrics are collected, analysed and reported to an appropriate level of management. Appropriate metrics:
- Demonstrate the effective management of risks
- Provide a picture of how well critical assets are being protected
- Provide justification for the investment in information security
- Describe how well aligned the information security program is with the organisation’s goals and objectives
Metrics are about transforming policy into action and measuring results.
Wayne Tufek is currently a Director of CyberRisk (www.cyber-risk.com.au). For over 20 years he has formulated pragmatic, business driven strategies to establish, execute and improve cyber risk management in ASX listed companies and some of Australia’s largest organisations across the public sector, Big 4, financial services, consumer products, education and retail sectors. Wayne is a member of Chartered Accountants Australia and New Zealand and holds the SABSA SCF, CISSP, CRISC, CISM, CISA and ISO/IEC 27001 Lead Implementer qualifications. He is frequently asked to present at security conferences and events in Australia and internationally including the ACSC Conference, RSA APJ and CeBit.