Friday, January 10, 2020

CISSP: Security Governance


Security Governance

  • Collection of practices to support, define, and direct the security efforts of an organization
  • Common goal is to maintain business processes while striving toward growth and resiliency

Alignment of Security Function

Security management planning ensures the proper creation, implementation, and enforcement of a security policy. It is a responsibility of upper management, and the most effective way to approach it is top-down. That is, senior management is responsible for initiating and defining policies for the organization.
Elements of security management planning
  • Define security roles;
  • Prescribe how security will be managed, who will be responsible for security, and how security will be tested for effectiveness;
  • Develop security policies;
  • Perform risk analysis; and
  • Require security education for employees.
The best security plan is only possible with approval from senior management.
Developing and implementing a security policy is evidence of due care and due diligence on the part of senior management.
A security management planning team should develop three types of plans:
  • Strategic Plan is long-term and fairly stable, usually spanning 3-5 years, and includes a risk assessment. It defines the organization’s security purpose, helps to understand the security function, and aligns it with the goals, mission, and objectives of the organization.
  • Tactical Plan is a midterm plan that provides the details needed to accomplish the goals of the strategic plan. It is useful for about a year. E.g. project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans.
  • Operational Plan is based on the strategic and tactical plans and is a short-term, highly detailed plan valid for a short time (monthly or quarterly). It dictates how to accomplish the various goals of the organization and includes resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step implementation procedures. E.g. training plans, system deployment plans, and product design plans.

Organizational Processes

Security governance needs to address every aspect of an organization, including the processes of acquisitions, divestitures, and governance committees.
Risks in acquisitions and mergers
  • information disclosure
  • data loss
  • downtime
  • failure to achieve return on investment (ROI)
Therefore, a healthy dose of security oversight and increased scrutiny is often essential to reduce the likelihood of losses during such a period of transformation.

Change Control Management

Another important aspect of security management is change control management.
Change can introduce loopholes, overlaps, missing objects, and oversights that lead to new vulnerabilities. Managing change usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms.
Goals/requirements of change management
  • Ensure that any change does not lead to reduced or compromised security.
  • Implement changes in a monitored and orderly manner; changes are always controlled.
  • A formalized testing process is included to verify that a change produces expected results.
  • All changes can be reversed (also known as backout or rollback plans/procedures).
  • Users are informed of changes before they occur to prevent loss of productivity.
  • The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
  • The negative impact of changes on capabilities, functionality, and performance is minimized.
  • Changes are reviewed and approved by a Change Advisory Board (CAB).


Reference
Mike Chapple. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide.
