Performing security assessments for our clients not only takes us around the globe, but also gives us a global view of effective security processes. Here is the key attribute we see in our clients that are successfully managing security risk: process, process, process. Whether our view of client security operations is from an external perspective (i.e. a penetration test or web application security assessment), from an internal vantage (i.e. an internal security assessment), or even from an industry-specific viewpoint, as when performing a HIPAA risk analysis for our healthcare clients, disciplined process is the foundation of a successful program.
But what do we mean by process?
In our view, process is the general practice of identifying risk, implementing controls to mitigate that risk, and then evaluating the controls to ensure they are actually doing what they are supposed to do. The image at left generalizes the process, and the published standards, guidelines, and frameworks all agree on this principle. ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT and the HIPAA Administrative Safeguards (§164.308) all have this process in common.
To understand why this process is fundamental to an information security program, it's important to understand that virtually every organization shares these attributes:
- They all have limited resources: whether time, capital, or technical know-how
- They all have security threats
If you assume that everyone has security risk but only limited resources to mitigate that risk, then to be successful you must prioritize your risk and focus your limited resources where they count. The less focus on critical issues, the more risk is left unaddressed.
Let's unwrap the circular security process diagram and discuss a single pass through it. The lightning bolts at the top of the image represent risk, which might be anything from a hacker breaking into sensitive data stores to lightning destroying a data center. While there are myriad potential security threats, our diagram highlights in red the specific subset that is highest priority.
Step 1: Identify risk: whether through a formal risk assessment, risk analysis or other means, always prioritize your risk.
Threats can be thought of like rain, and in this case only the highlighted threats (in red) really rain down on the organization. This may sound elementary, but it is overwhelmingly common for organizations to dilute their limited resources on the not-so-highest priorities.
Step 2: Implement controls: whether policy-oriented controls or technical controls.
Once you have a holistic view of your risk, you can deploy processes and technology to address it. Without a clear picture of your risk, you risk adding layers of technology and processes on top of existing ones, all of which must be managed by an already overburdened IT staff. It's a house-of-cards situation when new systems that require management, configuration and monitoring are layered on top of a fixed-size IT team that is already overtaxed. If you think of the controls in the diagram as umbrellas that stop the rain of risk falling on your organization, you wouldn't put an umbrella out to shield the back yard. However, this is common. It's not that these controls are useless; to the contrary, they are often slick and nice to have. But do they address the most pressing need? Not always.
Step 3: Assess: periodically evaluate controls to ensure they are actually working the way you think they are.
Our motto is: it's not the existence of the control that matters, it's the effectiveness of the control. By periodically stepping back and asking, "Hey, is this really working the way we think it is?", every organization can ensure that real security trumps the riskier proposition of being lulled into a false sense of security.
Focus, focus, focus. Don't worry, you're not the only one; everyone's resources are limited. If you continually focus on the highest priorities and periodically verify that your controls are working the way you think they are, it will be somebody else in the news.
This post is about the common traits we see in successful organizations. Thanks to all those, both global and local (you know who you are), who have given us the opportunity this year to participate in your security process.