Security Management
Traditional IS/IT security management is often viewed as difficult, centralised, top-down, uncompromising and not aligned with real business needs. A modern, decentralised methodology differs from this by focusing on the recipients of the security requirements, as well as on the follow-up of status reports - just as economists use ERP systems to govern the financial management of today's organisations.
Security management has never been as hard as it is today. The rapid development of IT continues and leaves checklists and formal security policies far behind. In today's streamlined organisations, responsibility for a unit's quarterly fiscal results - and for its long-term risk management - often rests with the same individual. Cybercom has created tools and methods that work in these modern environments. The focus is on decentralised security management and rational online solutions for requirements management. These tools support not only the CISO, the Chief Information Security Officer, but all of those who have some kind of security responsibility in the organisation - often every single employee and contractor.
This is why we created Compliance Portal, says Bengt Berg.
Efficient IS/IT Security Management
There is no shortage of security policies and procedures that are neither read nor followed. The requirements in these documents are often very strict - sometimes even impossible to follow. In addition, there is often a lack of support for actually helping the organisation comply with these requirements.
The existence of security requirements that cannot be fulfilled, or of requirements without any support for meeting them, gets the organisation used to "cutting corners". Lack of support for the "end user" increases frustration, and security comes to be seen as "someone else's problem".
Cybercom's IS/IT security services focus on the decentralised approach to IS/IT security management. In this approach, Alice the web site manager is responsible for the IS/IT security issues pertaining to the corporate web site. Bob the security manager is responsible for making sure that Alice takes care of her security responsibilities: to help, support, verify, or even escalate if Alice needs additional support to handle this responsibility. If Bob were actually responsible for the security of Alice's web site, Alice would have no incentive to handle risks properly.
The decentralised approach means practical hands-on work, but it delivers results. It can be implemented step by step in organisations of arbitrary size, and it is very easy to scale up if implemented using a standardised security process that is usable throughout the whole organisation.
A Decentralised IS/IT Security Process
A decentralised security process must be easy to follow - for technicians, managers, systems administrators, or any other role that has the responsibility to work with IS/IT security issues.
The following steps are implemented in Cybercom Compliance Portal:
- Classification
The first step is to document the security requirements on the system, process, or other object that is to be secured. Typical decisions involve classification in terms of confidentiality level, integrity level, availability level, system lifecycle stage, or any other perspective that defines which security requirements are applicable.
- Gap assessment
A number of security requirements are automatically selected based on the classification data. The person responsible for the to-be-secured object documents to what extent the requirements are fulfilled.
- Risk assessment
Requirements that are not fulfilled form the basis for a risk assessment. In this stage it is decided which unfulfilled requirements really matter, and where non-compliance is not a big problem.
- Action assessment
In this stage, actions are identified and documented that address the risks that have been selected for further risk-reduction work. Actions are evaluated from a cost-benefit perspective, in order to identify the security-enhancing actions that maximise the benefit from any given investment in risk reduction.
- Implementation of selected actions
The optimum set of actions is selected and implemented. The process is then finished and a new cycle is initiated, perhaps next year or when the need arises.
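The five steps above form one cycle, and the only non-trivial computation in it is the last selection: which actions give the largest risk reduction for a fixed budget. The following Python model is an added example, written for this page and not code from Cybercom Compliance Portal. The requirement catalogue, the classification levels (1 to 3 per perspective), the 1-to-5 likelihood and impact scales, the acceptance threshold and the actions are all constructed assumptions; the structure of the cycle (classification selects requirements, the owner reports gaps, gaps are scored into risks, accepted risks are dropped, and actions are chosen by cost-benefit) is the one the text describes.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    perspective: str  # classification perspective this requirement keys on
    min_level: int    # applies when the object's level on that perspective >= min_level


@dataclass(frozen=True)
class Action:
    name: str
    cost: int                  # constructed cost units
    addresses: frozenset       # requirement ids the action would fulfil


# Constructed requirement catalogue (assumption, not a real standard).
CATALOGUE = [
    Requirement("R1", "TLS on all external interfaces", "confidentiality", 2),
    Requirement("R2", "Encryption of stored personal data", "confidentiality", 3),
    Requirement("R3", "Signed and reviewed deployments", "integrity", 2),
    Requirement("R4", "Redundant hosting across two sites", "availability", 3),
    Requirement("R5", "Documented backup and restore test", "availability", 2),
]


def select_requirements(classification, catalogue=CATALOGUE):
    """Step 1: the classification decides which requirements apply."""
    return [r for r in catalogue if classification.get(r.perspective, 0) >= r.min_level]


def gap_assessment(applicable, fulfilled):
    """Step 2: the object owner states which applicable requirements are met;
    the rest are the gaps."""
    return [r for r in applicable if r.rid not in fulfilled]


def risk_assessment(gaps, likelihood, impact, accept_below=4):
    """Step 3: score each gap as likelihood x impact (both 1..5). Gaps scoring
    under the threshold are documented as accepted risk and need no action."""
    scored = {r.rid: likelihood[r.rid] * impact[r.rid] for r in gaps}
    return {rid: s for rid, s in scored.items() if s >= accept_below}


def action_assessment(risks, actions, budget):
    """Step 4: pick the set of actions that removes the most risk score within
    the budget. Exhaustive search over subsets is fine for the handful of
    actions one object typically has; prefer the cheaper set on a tie."""
    best, best_reduction, best_cost = (), 0, 0
    for k in range(len(actions) + 1):
        for combo in combinations(actions, k):
            cost = sum(a.cost for a in combo)
            if cost > budget:
                continue
            covered = set().union(*(a.addresses for a in combo))
            # An action that only fixes an accepted risk buys nothing here.
            reduction = sum(s for rid, s in risks.items() if rid in covered)
            if reduction > best_reduction or (reduction == best_reduction and cost < best_cost):
                best, best_reduction, best_cost = combo, reduction, cost
    return [a.name for a in best], best_reduction, best_cost


def run_cycle(classification, fulfilled, likelihood, impact, actions, budget):
    """One full cycle; step 5 (implementation) is outside the model."""
    applicable = select_requirements(classification)
    gaps = gap_assessment(applicable, fulfilled)
    risks = risk_assessment(gaps, likelihood, impact)
    chosen, reduction, cost = action_assessment(risks, actions, budget)
    return {
        "applicable": [r.rid for r in applicable],
        "gaps": [r.rid for r in gaps],
        "risks": risks,
        "actions": chosen,
        "reduction": reduction,
        "cost": cost,
    }


# Constructed sample: Alice's corporate web site from the text.
SAMPLE_CLASSIFICATION = {"confidentiality": 2, "integrity": 3, "availability": 3}
SAMPLE_FULFILLED = {"R1"}
SAMPLE_LIKELIHOOD = {"R3": 3, "R4": 1, "R5": 4}
SAMPLE_IMPACT = {"R3": 4, "R4": 3, "R5": 3}
SAMPLE_ACTIONS = [
    Action("Signed deployment pipeline", 5, frozenset({"R3"})),
    Action("Backup restore drill", 2, frozenset({"R5"})),
    Action("Second hosting site", 8, frozenset({"R4"})),
]
SAMPLE_BUDGET = 8


def example_cycle():
    return run_cycle(SAMPLE_CLASSIFICATION, SAMPLE_FULFILLED, SAMPLE_LIKELIHOOD,
                     SAMPLE_IMPACT, SAMPLE_ACTIONS, SAMPLE_BUDGET)


if __name__ == "__main__":
    for key, value in example_cycle().items():
        print(f"{key}: {value}")
```

In the sample, R2 never applies because the site's confidentiality level is below 3, and the R4 gap (redundant hosting) scores 3 and is accepted, so the expensive "Second hosting site" action scores zero benefit and is not chosen even though it fits the budget. The two remaining actions together cost 7 and remove both residual risks, which is what a cost-benefit selection should report back to Alice and to Bob's scorecard.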
Result
A decentralised approach to IS/IT security management provides increased acceptance of, and awareness for, IS/IT security throughout the whole organisation.
- Responsibility for IS/IT security finally resides where it belongs, and people are given the mandate to take decisions on IS/IT security issues. This increases acceptance of and buy-in to risk management.
- The involvement in the compliance, risk and action assessments gives greater acceptance for any security actions selected for implementation.
- The security manager's role is transformed: from "police" or even "scapegoat", to "security process manager".
- By using Cybercom Compliance Portal, a ready-made process can be rolled out across the organisation. For the end user or the systems administrator, this provides an easy one-stop shop for the security work. For the IS/IT security manager, this provides real-time consolidated scorecards, enabling a clear view of the whole organisation's security status.