Information Security Risk Management Programs Part Two

Monday, April 18, 2011

kapil assudani


Information Security Program Part 2 - Updating Corporate Information Security Policies

As promised, I am back to talk only about the good stuff in Information Security Risk Management, a.k.a. “What Works”! To read Part 1 of this series, go here.

As we all know, in a non-technology company, and also in many technology companies, the culture is to embrace security only where it is absolutely necessary, and that necessity comes through corporate security policies and industry regulations.

Beyond these, security groups hardly have any teeth, unless the work is sponsored by the security group itself as a project, or the issue is an obviously critical one.

So the first and foremost thing is to leverage the bandwagon of information security policies and industry regulations to achieve a baseline security goal at the enterprise level.

Although this might turn out to be a comprehensive exercise, it surely promises results compared to the effort that goes into providing thousands of security recommendations that end up in the recycle bin or trigger misuse of processes like risk acceptance.

In most enterprises, the corporate information security policies are poorly written, lack depth and breadth, and are usually vague in language. The task of revamping corporate security policies is not trivial; one cannot simply decide to write new policies and expect them to work right away. It is a very comprehensive exercise that requires dedicated resources for a considerable amount of time.

Following are the three important aspects that would help shore up corporate information security policies without disrupting the responsibilities of the various IT groups within the corporation:

  • Perform a gap analysis between the current information security policies and the applicable industry regulations. Ensure all applicable industry regulations are embedded in the corporate information security policies
  • Update or append corporate security policies that can be complied with through the security features of currently invested enterprise technologies and the current enterprise processes that support them
  • For security features supported by current enterprise technologies that lack associated enterprise processes, build a roadmap to introduce those processes and subsequently update the corporate security policies

Embedding Industry Regulations

Here, the first step is to perform a gap analysis of the current corporate security policies against the applicable industry regulations and document all the gaps.

Next, efforts to ensure that all aspects of the industry regulations are embedded into the corporate information security policies should be executed through a policy gap analysis process.

Updating Policies to leverage the current state of enterprise technology security features

It is necessary to capture the state of all enterprise technologies across the enterprise and analyze their current usage and capabilities. I say this because many enterprise technologies are under-utilized, bought just to solve point problems, which leaves a number of untapped features.

Once a comprehensive list of current enterprise technologies has been compiled and their security features documented, the next task is to understand which used and unused security features of these technologies can be leveraged to implement security controls.

So far, we have identified multiple enterprise technologies, comprehensively documented their features, and mapped the features that currently implement, or could implement, security controls such as authentication, authorization, access control, activity analysis and cryptography.

The next task is to identify the enterprise processes currently associated with these technologies, and how far those processes can support any unused features, whether or not those features implement information security controls.

Note that we are leaving out all features of the enterprise technologies that do not currently have enterprise processes defined. Once this is done, we perform a gap analysis between our current corporate security policies and the enterprise technology security features (used and unused) that are, or can be, supported by enterprise processes in the current state.

The gap analysis results will directly indicate which corporate security policies can be updated or appended without disrupting the current responsibilities of the technology group's resources, since everything new or updated in the corporate security policy can easily be complied with using current-state enterprise technologies.

Road Map for missing enterprise processes and corresponding update to corporate security policies

Since an enterprise process cannot be defined and implemented in a short time, the best approach is to build a mini road map to introduce enterprise processes that fully utilize the security capabilities of our current-state enterprise technologies.

This involves engaging the specific business unit that needs to introduce the new process, getting their buy-in, and then updating the current corporate security policies each time.

To summarize, the objective is to observe ‘what works’ for an information security program and apply that methodology comprehensively to achieve satisfactory results.

With this article, we as security professionals have gone from saying “IT does not implement our security recommendations unless they are tied to one of our crappy corporate security policies” to “IT does not implement our security recommendations, but they do implement our corporate security policies, which at the least help us achieve baseline security”.

The next articles in this series will focus on effective risk communication, standards and reference architectures and more.
