Security in IT playing catch-up

7 07 2012

How important, and how mature, is security management in the information industry?

Recently I read a paper that talked about the need for an Information Security Management System (ISMS) in an organization, and it got my brain churning with ideas.

What caught my attention in the research was that the Chief Information Security Officer (CISO) in an organization is always playing a catch-up game, because the technology in the server, middleware and application layers is changing fast. The quick and aggressive adoption of integrated systems has made the situation worse, as separation of duties is hard to define across them. Mobile applications and their access to corporate systems have made the situation worse still for security people. The security organization does embrace bits and pieces of one or more of the frameworks existing in the market today (ITIL, COSO, COBIT, etc.), but it has no monitoring process to confirm that the loop is closed, i.e., that an incident happened, was caught, was rectified, and was then added to the monitoring system. More often, the incident simply gets lost.

The need here is to come up with an Information Security Management System instead of applying bits and pieces of a framework that may not be ideal for your organization. That made me think of my current organization, and even the one before it, and the maturity of the security process in place. The key areas lacking were:

  • Security is not prioritized properly, as it is not deemed important and does not show an ROI.
  • They were more focused on security products than on having clear processes, policies and a management system in place.
  • Security management is not current with new technologies due to insufficient funding and a lack of knowledgeable resources.
  • A complete framework is needed instead of key controls picked from different frameworks.
  • Lack of business and security integration. The security strategy is not aligned with the business strategy. Since senior management is not fully involved in security initiatives, the security team is left without business sponsorship.

We need a framework in place like ITIL and/or COBIT, and along with it a strong “security management” system that almost any industry can embrace. Information in this day and age is our most valuable commodity, and the steps we take to ensure that it is safe will keep businesses running and achieving the success they set out for.

Following is a high-level diagram that explains a conceptual Information Security Management System. I have reproduced this diagram after borrowing some ideas and concepts from a Forrester article.

The above ISMS concept is very self-explanatory, and you can use it with any security framework. You start with your baseline assessment. Once you have that, you keep track of your current incidents and operational issues, and the decision for each risk can be to accept it, agree to treat it, or defer it. The system allows you to define KPIs and to perform audits and risk assessments against them. It is a continuous improvement model and takes a holistic approach to security management.

Following are some of the benefits of this approach:

  • After the initial effort in terms of time and resources, it is easy to maintain going forward.
  • Once the business buys into this concept, it is hard for them to cut the cost, but it is also security’s responsibility to keep it valuable for the organization.
  • An ISMS helps you prioritize your threats and take appropriate action according to their severity.
  • As the technology changes, this system is flexible and you can change your KPIs and security policies. This allows you to stay ahead of the game rather than playing catch-up.

I will certainly read a lot more on this. What intrigues me is how many organizations out there have achieved success in managing their security process, and how seriously this issue is being pursued.

_______________

ITIL framework for security: http://en.wikipedia.org/wiki/IT_service_management

COBIT security framework from ISACA: ISACA.ORG

Forrester, “Don’t Bore Your Executives: Speak To Them In A Language That They Understand”: http://www.forrester.com/Dont+Bore+Your+Executives+Speak+To+Them+In+A+Language+That+They+Understand/-/E-RES58885?docid=58885&src=60842
