Security from Obscurity: Building a Security Program, Define the Domain

September 14th, 2009 Chad Olivier

In our first installment, we decided who needs to be involved in the program and sketched how it is structured and to whom it reports. That’s a great start! If you haven’t had a chance to read that article, check here. Now we need to start looking at what we are securing. What is it we are governing? What is the scope? If we don’t have that defined, we can’t really protect it, can we?

It’s probably easier to define what isn’t in a security program than what is in it! That’s right, security is going to touch almost every aspect of your organization. Every organization is different; they all have their own threats, compliance issues, business lines, risks, etc. Even in the same industry, the requirements can vary greatly. However, they all typically have the same basic elements.

Every organization has assets. This is what we are defending, and we’ll call this tier 1. Assets can be systems, knowledge, data, people, etc. It just depends on the organization and, if applicable, its business lines. Tier 2 consists of the elements influencing tier 1. Assets are protected by network security, physical security, system/software lifecycle security, and communication security. Factors affecting the assets and the security of the assets include threats and threat management, compliance with (note, we are not talking regulations; that comes at a higher tier), metrics for evaluating our security (defined in a higher tier), vulnerability management, and incident response. Elements that drive tier 2, and which we will therefore call tier 3, include personnel security, , audits, business continuity planning (BCP), metrics development, process management, threats and vulnerabilities (yes, they appear here as well, since this level is also being protected), data classification, and  process management. Tier 4 is the final tier we will cover. It can be expanded into additional tiers depending on the complexity of the organizational structure and of the regulations/laws involved, but we are talking basics here. Tier 4 includes regulations, laws, analysis, the overarching , development, process development and monitoring, model, and organizational security.

In some capacity, your organization MUST have each of these components to have an effective security program. I know, that seems like a daunting task. It is no small undertaking to establish all that, and if the company has grown for years without it, it will be extremely difficult to change the culture of the organization to accept such a wide-sweeping change. Remember though, if you followed part 1, you have the authority of the board and CEO. This is a mandate. If not, you’re wasting your time. That isn’t to say, be ugly about it. In fact, just the opposite. The people that need to be involved in this process (which is pretty much everyone in the organization in some aspect) MUST want to participate or they won’t live up to their end. A great way to start is training your employees on how to protect themselves from predators. This will get them engaged and thinking about security in new ways.

Most companies have no idea where to begin trying to get a handle on all those elements. Fortunately, you are reading this article to help you on your way. There are plenty of great resources out there for best-practice guidelines. ISO 17799 and its successor is a fantastic resource. It is an internationally recognized standard for information security and provides high-level recommendations for enterprise security programs. It is divided into two main parts: the first is an implementation guideline and the second is an auditing guide.

As suggested in part 1, security should be top-down, meaning from the board down to upper management, middle management, and finally the staff. A bottom-up approach in which the IT department tries to initiate a security program is less effective, won’t get full buy-in from other departments/business lines, and is doomed to fail. Beyond the obvious lack of buy-in from others, such an approach is generally focused on technology and leaves all other vectors of attack untouched. The people actually responsible for protecting the assets must be driving the program.

Contact Shades of Gray Security to find out how we can help you set up and manage your security program today!