IT Security Management: Drawing a Security

The ultimate goal of all security concepts is to make sure that an organization’s business and technology assets are well secured and not compromised in any way. We will see how an Information Security professional will draw a security plan to make sure that this goal is achieved. We will discuss the sequence of steps that can be employed in a security plan. This will give a 360 degree view of the Information Security domain.

1. The first step in a security plan will be to perform a ‘gap analysis.’ The “gap analysis” will identify vulnerabilities within the infrastructure. We will next identify business drivers, human resource drivers, financial drivers and technology drivers within the organization.
2. Once the drivers are identified, the next step will be to plug the vulnerabilities by suggesting recommendations based on “best practices”. New policies, standards will have to be created to plug the vulnerabilities.
3. Appropriate security personnel will be given duties to implement the various sections of recommendations.
4. Once new policies are created, they will have to be conveyed to the whole organization by means of security awareness programs.
5. Finally, the management must know that the security plan is successful and appropriate security controls have been installed. This is done by employing the metrics and measurement plan.

Let’s discuss the security plan in more detail:

1.      Performing gap analysis:
“A gap assessment is the comparison between what exists within a corporation and what is required” (Landoll) The gap analysis itself consists of multiple steps and can be done on each sector. Put simply, a gap analysis analyzes existing security policies, technology safeguards like firewalls, VPNs, servers, business continuity processes and access control standards against required standards.  These required standards may be HIPAA guidelines or ISO17799 guidelines. The ‘gap analysis’ will expose vulnerabilities (like viruses, data leakage, out of date virus signatures etc) within the corporate environment and the remediation steps that will be taken. Every router, firewall, anti-virus software will be checked and missing “gaps” will be found.

2.      Identifying the drivers within an organization:
We will next identify the business drivers within an organization. What are business drivers? The business drivers “for a software company may be superior products, technological innovation, excellent marketing and ongoing customer support” (techopedia) We will map the missing gaps to the business drivers of the organization and show how business will be affected.

3.      Remediation steps will be taken:
Once the missing gaps are found and vulnerabilities detected, remediation steps will be taken and new recommendations will be made. Recommendations will be made based on NIST publications and according to “best practices”. For example, the NIST publication SP 800-14(“Generally Accepted Principles and Practices for Securing Information Technology Systems”) is for all organizations seeking a basic security plan. “Best practices” might recommend installing current anti-virus software on all systems and/or encrypting email. These recommendations will then be mapped to business drivers to show that risks to the organization have been eliminated. The recommendations have to be approved by the management.

4.      Mapping security personnel to implement the new security controls:
The different members of the Security team like CISO, Security Technician, Senior Agency Information Security Officer will be given appropriate tasks to implement the security plan and implement the various controls.

5.      Security awareness will be implemented:
Effective communication has to be done to inform the rest of the organization of the new policies and safeguards. This will be done by means of security awareness training programs. Security awareness concepts must be bold and creative and catch the user’s attention. It should enlighten the employees on the new policies and the new security rules within the organization.

6.      Metrics and Measurement plan:
After having implemented the security controls the management must know that the security plan that has been created is successful. We will make use of an appropriate measurement plan to show this. The various NIST publications provide an insight into performing a measurement plan. For example the NIST 800-55 publication is the “Performance Measurement Guide for Information Security”.

Data will be collected at different time intervals and the results will be measured according to different criteria. An Information Security plan is successful once the measurement plan shows an improvement over a period of time. We have seen a 360 degree view of Information Security plan covering most of the concepts and the reasons on why they are being done. A security plan once created and implemented will ensure that the physical assets and information assets of any organization are not compromised in any way.