Security Strategy Development

Transcription

1 An ISS White Paper Security Strategy Development Building an Information Security Management Program 6303 Barfield Road Atlanta, GA Tel: Fax:

2 Information Security Management A sound information security management program involves more than a few strategically placed firewalls. These safeguards, while important, are only truly effective as part of an overall information security management system. The integration of existing security technologies and processes into a cohesive framework for security management will ultimately reduce inefficiencies and redundancy and ensure the manageability of those solutions. A comprehensive security program should contain the proper balance between people, processes and technology to effectively manage risk with minimal impact on normal business operations. In order to build an appropriate information security program, an organization should assess and define their specific security requirements, design a solution that meets those unique requirements, deploy the necessary policies, technology and procedures, and continuously maintain, adapt and improve that solution. An organization s overall security strategy will provide a framework for defining those elements necessary in building and maintaining a sound security management program. Strategic planning can take many forms, but the end result should yield a documented approach for achieving goals set within the framework of a specific strategic objective. In the case of information security, the strategic objective is the satisfaction of protection requirements for an organization s information assets. Strategic Planning Process Laying the Groundwork Assessing the Need Designing the Strategy Defining the Roadmap Document the Plan Laying the Groundwork The first step in building a security strategy is the development of a work plan for the planning process itself. This step includes: Formulation of the planning team Identification of specific issues or choices that the planning process should address Identification of information that must be collected to help make sound decisions The planning team should be carefully selected. These individuals should represent various departments within the organization that will be directly involved in the execution of the planned strategy. The participants should have a commanding knowledge of their department s operations and should have the authority to make decisions regarding the strategy and their department s involvement in the execution of that strategy. The planning team should also include individuals possessing expertise in information security to serve as subject matter experts. These individuals should provide input on best practices in information security and insight into the security practices of other organizations based upon their experience. The planning session(s) are most successful when utilizing a neutral third party as a meeting facilitator. The facilitator should guide conversation, according to the work plan, and keep the team on schedule and on topic. The facilitator helps the team develop the security approach by An ISS White Paper Page 1

3 listening to the opinions of the group, translating those opinions into ideas and gaining consensus on decisions. As a neutral third party participant, the facilitator can ensure that the minority voice is heard and aid in the decision-making process. Assessing the Need for Security In developing the security strategy, an organization should first determine their business requirements for security and how security fits into the overall goals of the organization. The following should be taken into consideration: Critical business requirements Security initiative mission Current state/desired state of security The team should begin by gaining consensus on the key business processes within the organization for which the confidentiality, integrity and availability of the computer systems supporting those processes are most critical. Next, the group should evaluate IT initiatives currently underway to determine the driving forces behind this security initiative. This should lead to the definition of the security mission for this organization. The determination of this mission will provide the parameters for building the plan for security. It is likely that the organization has already implemented security processes, procedures and technology to manage security risk. The team should review the current safeguards already in place and evaluate the effectiveness of these solutions. This exercise is most effective when framed around best practice standards for information security. For example, ISO contains a set of best practice security controls organized within the following major areas: Information security policy Security organization Assets classification and control Personnel security Physical and Environmental Security Computer and System Management System Access Control (internal and across open networks) Systems Development and Maintenance Business Continuity Planning Compliance At the end of this phase, the team should be able to determine the requirements for their security management program. Designing a Security Strategy Once the team has a clear understanding of the desired outcome for information security, the approach for how to reach that outcome must be developed. The team will work during this stage of the planning process to determine the approach necessary to implement general security controls that will meet their requirements. The following topics should be addressed: Strategy Objectives and Measurements Assumptions and Constraints Strategy Approach An ISS White Paper Page 2

4 Clear objectives for developing and implementing a security strategy should be defined, and the achievement of those objectives should be measurable. For example, an organization that has had problems with the spread of computer viruses amongst their user community may determine that one of its objectives is to reduce the number of virus incidents to some acceptable number per year. This organization will likely implement a combination of anti-virus technology and procedures as part of its security implementation plan, and they will keep records of each virus incident to measure the satisfaction of this objective. In order to select security controls and identify tasks necessary to implement the defined approach, certain assumptions need to be made. These assumptions should be acknowledged prior to defining the approach. The purpose of defining the constraints is to clearly understand the boundaries in which the strategy must be formulated. The strategic planning team must determine how they will go about satisfying each requirement for their security management program. During this stage of the planning process, the team will outline the strategy s approach. The security strategy approach will likely consider the following areas: Asset and data valuation Vulnerability and threat assessment/management Legal and regulatory requirements Security policy and standards development Technology implementation Secure network design Procedural development Staffing and Training Ongoing security management Defining the Security Roadmap Now that the team has developed their strategic approach to building an information security management program, a high-level project plan should be developed which will outline the steps necessary to put the strategy into action. This plan will provide the team with a roadmap for implementing their security strategy. In developing this action plan, the group should consider the following: Roles and responsibilities Required tasks and task owners Timelines and milestones Documentation and Management of the Strategic Plan The events and results from each phase of the planning process should be documented and should reflect the consensus of the team. This document should outline the strategic plan in terms of: Security Mission Information Security Management Program Requirements Strategy Objectives, Measurements and Approach Assumptions and Constraints Roles and Responsibilities Program Risks Project Plan or Roadmap Project Management and Administration Procedures An ISS White Paper Page 3

5 Security Implementation This strategic planning process should provide a high-level plan for implementing a comprehensive security program. The resulting roadmap to security will provide the framework for developing detailed project plans for the execution of specific security initiatives that support the defined security strategy. An ISS White Paper Page 4

6 About Internet Security Systems (ISS) Internet Security Systems, Inc. (ISS) (Nasdaq: ISSX) is the leading global provider of security management solutions for the Internet. ISS protects critical information and network resources from attack and misuse. By combining best of breed software products, market-leading managed security services, aggressive research and development, and comprehensive educational and consulting services, ISS is the trusted security provider for thousands of customers around the world. Copyright 2001, Internet Security Systems, Inc. All rights reserved worldwide. Internet Security Systems, the Internet Security Systems logo, The Power To Protect, X-Force, ADDME, Internet Scanner, System Scanner, Database Scanner, Online Scanner, ActiveAlert, X-Press Update, FlexCheck, SecureLogic, SecurePartner, SecureU, Secure Steps and RealSecure are trademarks and service marks, and SAFEsuite a registered trademark, of Internet Security Systems, Inc. Other trademarks and trade names mentioned are marks and names of their owners as indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice. An ISS White Paper Page 5