While this may be obvious to any organization that has already attempted to construct an information risk management framework, completing the process successfully requires executing on a number of detailed, complicated steps. As we covered earlier, once the confidentiality, integrity and availability needs are determined for a business area, appropriate people, process and technology controls should then be applied.
People controls are the most essential
For CISOs and their organizations, employees can be either the greatest asset or the biggest liability in the pursuit of managing information risks. CISOs can work with employees to develop a good security culture in the following three ways:
- Identity and access management: Define roles for different users within your environment -- from administrative assistants to the CEO -- and specify physical and logical access privileges for all employees. Once these roles are defined, ensure that they have appropriate access.
- Information security organization: Make everyone responsible for security. Successful CISOs understand that their organizations needs to tackle much more than pure IT security issues; they need to manage the risks to corporate information in any form.
- Training and awareness: Develop a brand and marketing plan for security. Employees outside of security and privacy groups don't think about information risk management, and it's the CISO's job to keep them engaged, interested and thinking about security.
Technology controls create efficiencies and save time
Humans are much smarter than computers, but computers are much better at repetitive, time-consuming tasks. Thus, monitoring, enforcement, response, measurement and reporting of security controls are all prime candidates for automation, but only after you've trained your people and determined your processes. If you skip the people and process elements, all you'll end up doing is making insufficient and broken processes run faster. Forrester Research divides the technology area into seven domains.
- Network: Use technology to make your network intelligent. Network security means keeping your information secure from outsiders, protecting it from unauthorized insiders and securing it in transit.
- Database: Encrypt sensitive database fields, ideally with an enterprise-wide coordinated tool. Keep tight controls on your database with activity monitoring, vulnerability management and encryption tools.
- Systems: Define corporate strategies to protect the systems. As with database protection, authenticate access to storage devices and encrypt the data while at rest, where appropriate.
- Endpoints: Protect the first line of defense. Endpoints include desktops, laptops and mobile devices. Typically, it's the unpatched endpoint systems that get infected and introduce malware into your environment. Deploy technologies such as antivirus, antispam, disk encryption, configuration management, firewall/IPS and strong authentication to protect these vulnerable links in your chain.
- Application infrastructure: Reduce your attack surface. Vulnerabilities affecting Web applications accounted for 69% of all vulnerabilities documented in 2006. To reduce that attack surface, deploy source code analysis technologies and deploy a Web application firewall to defend your application from inappropriate incoming requests.
- Messaging and content: Protect the exchange of business information. CISOs need to ensure that sensitive information is encrypted and that incoming and outgoing Web, email and IM traffic is filtered based on compliance with corporate policies.
- Data encryption: Merely encrypting the data will not provide adequate protection. An enterprise-wide encryption strategy with strict authorization criteria is the key to maintaining data security, whether the data is at rest, in use or in transit.
Process is the glue that binds people and technology
The best information risk management frameworks quickly become useless if no process exists to execute the policies. Forrester divides process into the following seven domains.
- Information risk management: This means reduce, transfer or accept risks. Introduce processes to identify, evaluate and mitigate information security risks first. Next, create processes to prioritize, monitor and track them. Having a formal information risk management process ensures that management is at least aware of the critical risks and can take the appropriate actions to mitigate, reduce, transfer or eliminate them.
- Policy and compliance framework: Provide concrete guidance for users. Writing the security policy is only the first step. The policy needs to be converted into standards, procedures and technical implementation guidelines.
- Information asset management: A lot of companies struggle to manage their information assets because they rely too heavily on technology. To fix this, build processes to define asset ownership, assist with asset classification, manage the asset through its life cycle and ensure appropriate retention or disposal.
- Business continuity and disaster recovery: Substantially reduce the impact of business disruptions and disasters -- or in some cases even avoid them -- by introducing rigor into your BC/DR processes. CISOs must develop a set of processes to maintain, train, test and manage business risks and to ensure that redundant systems and alternate personnel are available if and when needed.
- Incident and threat management: To ensure that threats are researched, planned and responded to appropriately, strong processes are needed. Many CISOs remain focused on infrastructure threats, despite the fact that the majority of risks come from application vulnerabilities.
- Physical and environmental security: No matter how sophisticated your digital security is, if the guards at your gates don't control access to your physical environment consistently, you will never be secure. Forward-thinking organizations are taking steps toward physical/logical security convergence -- collaborating on processes and personnel and getting different sets of technologies to share information and improve the security and overall efficiency of each organization. Equipment and facilities need regular maintenance and adequate environmental controls, such as heating, ventilation, air conditioning and generators to ensure their continuous availability.
- Systems development and operations management: Don't let security be an afterthought. By ensuring that security is involved from day one, you can save a lot of time, effort and money. Requirement gathering, periodic architectural reviews, quality assurance and access controls ensure that a system and its applications are adequately protected.
Taking a top-down approach
Security is a complicated business, and devising a simple way to discover and report where prioritization is needed is vital for not only keeping track of how well you're doing, but also convincing management that the security program is effective. By bringing the people, technology and process elements of security together in a security policy, organizations can establish a framework that effectively monitors, measures and reports on controls and the firm's compliance with security policies.
Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at firstname.lastname@example.org.
This was first published in August 2007