Original: October 19th, 2016
Updated: December 11th, 2017
Mike Edlund, Solutions Manager
Cyber Security Service Catalog Enables Strategy
Creating a Security Services Catalog for a security team begins to drive value across the business by establishing accountability and the scope of services. A security service catalog enables strategy by clearly articulating to business customers the services provided by information security teams, along with the level of service and the responsible parties for each area identified. This case study was inspired by the more formal representation provided by NIST 800-35, "Guide to IT Security Services". In short, NIST 800-35 provides guidance using a lifecycle consisting of six phases:
Phase 1: Initiation—the need to initiate the services life cycle is recognized. Section 4.1 discusses potential triggers for this phase.
Phase 2: Assessment—before decision makers can implement a service and select a service provider, an accurate portrait of the current environment must be developed. Section 4.2 discusses Phase 2 and the importance of creating and gathering appropriate metrics.
Phase 3: Solution—decision makers choose the appropriate solution from the viable options identified during the assessment phase. Section 4.3 discusses the business cases and implementation plans.
Phase 4: Implementation—the service and service provider are implemented during the implementation phase. Section 4.4 guides decision makers through service agreement development and service implementation.
Phase 5: Operations—the service is operational, the service provider is fully installed, and constant assessment of the service level and performance is made. Section 4.5 discusses the importance of metrics in monitoring service level and performance.
Phase 6: Closeout—the environment changes, the need for the service diminishes, or performance deficiencies are noted necessitating a replacement or termination of the IT security service. Section 4.6 discusses the closeout and retirement of a service and/or service provider using the exit strategies developed in Phase 3.
(source: NIST 800-35 - http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-35.pdf)
A customer requested Secure Digital Solutions (SDS) to develop security plans and procedures to consistently manage their information security program. SDS collaborated with the customer's security team to document and improve the current and desired security capabilities and plans. Our customer had two key challenges:
- Procedures and plans to deliver the security program activities were not formally documented, leading to poorly-defined program actions and responsibilities.
- Roles and responsibilities defined in newly minted procedures and plans were not aligned with the team set up to do these activities and the associated controls supported by the new activities.
The customer engaged SDS to collaboratively develop cyber security plans and procedures for the cyber security program and supporting team members. Along the way, SDS discovered a gap in roles and responsibilities that led to a further surprise benefit to aid the customer's security program.
Over a period of months, SDS partnered with customer security leadership to define desired security program strategy, objectives and goals. The service areas in-scope include a number of processes such as threat and vulnerability management, training and awareness, risk management as well as policy and standards management.
SDS began creating a number of documents that defined areas within the security program, including a RACI chart designed specifically for the customer's cyber security team. Plans defining how these areas would be strategically delivered were designed and offered for further feedback, input and iteration from the security team and executive leadership to reach a final cyber security service catalog framework. The SDS team developed the content leveraging industry best practice, SDS experience and feedback from the customer's security team.
Plans and procedures included sections defining roles and responsibilities: who is responsible for delivering each security program process and the related service levels (RACI). SDS also noted areas where the security team lacked formal responsibilities, which led to more reactive response and "firefighting" that in turn drained current resources. The existing approach used by the customer, prior to the final adoption of the SDS service catalog, was far less strategic and not optimized. Upon presenting our findings in conversation with leadership, it was clear to all parties involved that security team processes and controls needed to be coalesced into a centralized service catalog.
Consulting with the customer's security team led to the creation of a services catalog that defined the required activities and assigned responsibility for each activity to team personnel. As a result, not only did the security team have a clear understanding of priorities and responsibilities, but the business customers also understood the scope of the internal security services team. Business teams now understand how to engage and whom to speak with regarding various projects and customer engagements in order to meet both internal and external security requirements.
Impact on the Customer's Business
Along the way, leadership of the security team changed. The security catalog took on a whole new meaning with a surprising additional benefit. Because the catalog included estimates of the FTEs required to properly cover the entire security program, the new security leadership leveraged the security service catalog as the means to forecast and request additional resources from executive stakeholders.
With the change in security program leadership, the plans and procedures also offered insights and a standard approach from which the new leadership could understand how the program is managed to meet business expectations while aligning existing security team personnel.
To learn more about automating a cyber security services catalog, reach out to our team at firstname.lastname@example.org or visit the TrustMAPP website.