Mix of Frameworks and GRC Satisfy Compliance Overlaps

This article can also be found in the Premium Editorial Download "Information Security magazine: Lessons learned from good and bad NAC implementations."

Automation also helps with trending and tracking of progress against control objectives.

Identification is the first of four deployment phases of the FERM process. The inventory, such as service offerings and business unit assets, is gathered and uploaded to the tool.

Assessment is the next phase. Threats, vulnerabilities and risk that could impact a particular service offering are assessed. Business impact analysis, data classification and threat modeling are done against every application that applies to a service offering in a business unit. "Because we do a data classification, we can focus only on high-risk applications for a service offering," Theisen says. "Business management has been extremely supportive because they know we are focusing on what is critical to them--high-risk applications within their service offering--and we don't have to do everything."

Those two phases are the most time consuming, she says, but are absolutely necessary.

The third phase is testing. Having established what the high-risk issues are, Theisen's group can focus on what is critical to a business unit. Application and infrastructure assessments are conducted prior to a controls analysis questionnaire. The questionnaire is tailored to the service offering in question, Theisen says. ControlPath builds a master controls library mapped to all the controls relevant to First Advantage, enabling it to build customized questionnaires for each business unit.

"It's where automation matters," she says.

Remediation is the final phase. Based on the results of testing, Theisen has a list of remediation items prioritized based on risk--all flowing from the organization's business impact analysis and data classification.
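The four phases above (identification, assessment, testing, remediation) can be modelled as a small risk-driven workflow. The following is an added illustration written for this article, not ControlPath's product code or First Advantage's actual process: the inventory, the four-level data classification scheme, the 1-4 likelihood scale, the control IDs and the framework labels "FW-A", "FW-B" and "FW-C" are all constructed placeholders. It shows how data classification feeds the risk score that narrows the assessment to high-risk applications, how a master controls library is filtered into a questionnaire tailored to one service offering (with each control credited to every framework it satisfies, which is where compliance overlaps are absorbed), and how failed controls come out as a remediation list ordered by risk.

```python
from dataclasses import dataclass

# Impact weight derived from data classification. The four-level scheme is an
# assumption; the article only says classification drives the focus on
# high-risk applications.
CLASSIFICATION_IMPACT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass(frozen=True)
class Application:
    name: str
    service_offering: str
    classification: str
    threat_likelihood: int  # 1 (rare) .. 4 (expected), an assumed scale from threat modeling

    def risk_score(self) -> int:
        """Impact (from data classification) times likelihood (from threat modeling)."""
        return CLASSIFICATION_IMPACT[self.classification] * self.threat_likelihood


@dataclass(frozen=True)
class Control:
    control_id: str
    question: str
    service_offerings: frozenset  # service offerings the control is relevant to
    frameworks: frozenset         # every framework this single control satisfies


@dataclass(frozen=True)
class Finding:
    app: Application
    control_id: str
    passed: bool


# Constructed sample inventory (identification phase). Names are hypothetical.
INVENTORY = [
    Application("tenant-screening-portal", "background-screening", "restricted", 3),
    Application("marketing-site", "background-screening", "public", 2),
    Application("payroll-export", "hr-services", "confidential", 3),
    Application("intranet-wiki", "hr-services", "internal", 1),
]

# Constructed master controls library; control IDs and framework labels are placeholders.
CONTROLS_LIBRARY = [
    Control("AC-1", "Is access to the application granted on a least-privilege basis?",
            frozenset({"background-screening", "hr-services"}), frozenset({"FW-A", "FW-B"})),
    Control("CR-1", "Is restricted data encrypted at rest?",
            frozenset({"background-screening"}), frozenset({"FW-A"})),
    Control("LG-1", "Are access logs retained and reviewed?",
            frozenset({"hr-services"}), frozenset({"FW-B", "FW-C"})),
]


def high_risk_apps(apps, service_offering, threshold=6):
    """Assessment phase: keep only applications in one service offering at or above the risk threshold."""
    return [a for a in apps if a.service_offering == service_offering and a.risk_score() >= threshold]


def build_questionnaire(library, service_offering):
    """Testing phase: tailor the master controls library to a single service offering."""
    return [c for c in library if service_offering in c.service_offerings]


def frameworks_covered(questionnaire):
    """Compliance overlap: map each framework to the controls in the questionnaire that satisfy it."""
    covered = {}
    for c in questionnaire:
        for fw in c.frameworks:
            covered.setdefault(fw, set()).add(c.control_id)
    return covered


def prioritized_remediation(findings):
    """Remediation phase: failed controls ordered by the owning application's risk score, highest first."""
    failed = [f for f in findings if not f.passed]
    return sorted(failed, key=lambda f: (-f.app.risk_score(), f.app.name, f.control_id))


# Constructed test results for the high-risk applications (hypothetical).
SAMPLE_FINDINGS = [
    Finding(INVENTORY[0], "CR-1", False),
    Finding(INVENTORY[0], "AC-1", True),
    Finding(INVENTORY[2], "AC-1", False),
    Finding(INVENTORY[2], "LG-1", False),
]


if __name__ == "__main__":
    for offering in ("background-screening", "hr-services"):
        print(f"== {offering} ==")
        for app in high_risk_apps(INVENTORY, offering):
            print(f"  high-risk: {app.name} (score {app.risk_score()})")
        questionnaire = build_questionnaire(CONTROLS_LIBRARY, offering)
        for fw, ids in sorted(frameworks_covered(questionnaire).items()):
            print(f"  {fw} satisfied by {sorted(ids)}")
    print("== remediation, by risk ==")
    for f in prioritized_remediation(SAMPLE_FINDINGS):
        print(f"  {f.app.risk_score():>3}  {f.app.name}  {f.control_id}")
```

The threshold in `high_risk_apps` is the knob that produces the "we don't have to do everything" effect the article describes: lowering it widens the assessment, raising it narrows it, and either way the ordering of the remediation list is driven by the same classification and likelihood inputs rather than by which regulation a control came from.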

Theisen says a major challenge involves keeping up with the fluid changes in regulations where very little automation exists on the front end to gather data. Often organizations are forced to wait for vendors to update their control libraries, or do it manually.

Another challenge is a narrow focus on compliance rather than on doing what is right for the business: implementing sound practices for managing data.

"I try to stay away from talking about regulations," Theisen says. "This is about sound business practices."

This was first published in September 2008
