A Holistic Approach to Information Security
By Chad Boeckmann, CISA, CISSP (CEO, Secure Digital Solutions)
In my previous blog, “Controls are for Auditors,” I wrote about how we as security leaders need to move away from managing security controls in the weeds, the way an auditor does. This article describes a better “processes are for managers” approach, one that aligns security management with the business so that information security can be communicated and managed effectively.
CISOs are tasked with achieving challenging outcomes and must also communicate the state of their progress, that is, the state of the information security program, to other executives and the board of directors. We speak with CISOs from Fortune 500 companies and many mid-market companies, and they all face the same dilemma: presenting effectively to an audience that does not necessarily understand the complexities of information security.
To address this challenge, consider looking at the information security program as a business process. Frameworks and legal or industry data protection requirements often overlap, and the overlapping requirements can be combined into a core process that the security program must satisfy. For example, ISO27002, the HIPAA Security Rule and GLBA all require access control. Let’s look at access control for a moment.
Say we want to measure the process called Access Control Management. It is a requirement of many data protection laws and is also highlighted in both ISO27001 and the NIST Cyber Security Framework. Instead of managing control verbiage from a regulation or framework, we can measure the effectiveness of Access Control Management from a process perspective, and do so specifically using the maturity attributes defined in COBIT. For Access Control Management, then, we want to understand the level of performance of this process across the six major attributes described in COBIT 4.1, using a standard maturity scale of 1 through 5:
- What is our level of maturity of Awareness for Access Control Management across our environment?
- What is our level of maturity for Policy & Procedures for Access Control Management across our environment?
- What is our level of maturity of Expertise for Access Control Management across our environment?
- What is our level of maturity of Accountability for Access Control Management across our environment?
- What is our level of maturity of Automation for Access Control Management across our environment?
- What is our level of maturity of Measurability for Access Control Management across our environment?
If the business is performing well in Awareness, Policy & Procedures and Accountability (relative to the process in question), then effort can be focused on improving the process toward Automation (tools) and Measurability (metrics) for Access Control Management. This approach provides a much more holistic, repeatable way to understand the attributes of a control process that applies to both internal policies and external regulations.
This is how to create alignment with the business while still meeting control objectives and focusing resources on the areas of greatest impact. Let your internal and external auditors measure the effectiveness of the controls in place; by measuring and improving the attributes of each process, you will know the answer before the audit starts. We can therefore leave controls to the auditors and adopt a “processes are for managers” approach to managing security programs. To see this methodology in action, take a look at a 2-minute video demonstrating Accliviti, a platform we developed to holistically manage information security.