It Security Each organization is a unique organically evolving conglomeration of various systems where the definition of a system includes how the personnel interact both internally and externally with other systems. In light of this holistic view, how does an organization manage to implement a successful cost effective security framework?CogniVault's approach is to enable an organization to evolve its systems to assure compliance with their statutory and contractual requirements as well as evaluated risks to their organizational valuable assets. Our experience indicates that the easiest path is by tailoring the ISO 27000 series of standards to the individual organization while integrating the mandatory regulatory requirements. This allows the organization to build an Information Security Management System (ISMS) which meets today’s requirements and risks while guiding the organization’s development of cost effective improvements to its individual components as well as the enterprise as it continuously grows and business requirements transform. This does not require the organization to become ISO certified unless there is a compelling need. However, it does provide the necessary scaffolding and roadmap to address all of its components as dictated by imposed requirements and morphing potential risks to its assets. Thus, the first step is identification:
• Organizations Mission, Vision, and Goals;
Once this information has been collected, an initial analysis can determine whether there is a compelling need, and the level of that need, for an ISMS. The organization must determine for itself if there is a strategic requirement to adopt an ISMS. Without implementing a complete ISMS, there are still a number of controls that can be put in place that will significantly improve security such as enhanced inventory management, configuration management, on-going training, logging, internal assessments, etc. However, without a solid structure of policies, objectives, processes, and procedures relevant to managing risk and improving security, there will not be a mechanism in place to provide verification, validation, and response to prevent and/or address an incident that results in significant adverse consequence to the organization and/or its clients. Any ISMS plan needs to be integrated with the other organizational planning, monitoring, and controlling assets (e.g., organizational structure, quality management system, communication management system, service management system, program management system, risk management system). Since the ISMS is designed to protect the organizational assets regardless of the type (e.g., personnel, hardware, software, intellectual property – electronic or paper), the ISMS will be driven through the risk engineering activities and products in accordance with the organization’s overall policies and objectives. The ISMS plan should include, directly or by reference to the appropriate source, the risk management strategy; prioritized value of assessed risks for each asset or group of assets; what metrics are used for monitoring and measuring the risks and corresponding controls; what tactics are to be implemented and resources required if an event occurs; and the monitoring and control feedback loop used during the implementation of the tactics to ensure the effectiveness of the tactics and modifying them as necessary. This then defines the scope, boundaries, and objectives of the ISMS within the organization. The ISMS should be designed to ensure the selection of adequate and proportionate security controls that protect information assets providing confidence to the stakeholders that all necessary and sufficient safeguards are in place and being monitored. After obtaining executive and senior management commitment, a plan to establish and implement policies, objectives, processes, and procedures tailored specifically to the organization’s business needs and objectives is created based on the appropriate standards such as NIST’s Federal Information Processing Standards (FIPS), ISO/IEC 27001 – Information security management systems - Requirements; ISO/IEC 27002 - Code of practice for information security management; ISO/IEC 27005 Information security risk management; ISO/IEC 27033-1 - Network security overview and concepts; and ISO/IEC 27035 - Security incident management. The level of effort required to establish an ISMS is dependent on size of the organization; the ISMS’ scope, boundaries, and objectives; the maturity of the enterprise and its components in regard to its management processes; implementation of standards and best practices; and the commitment of management personnel. The initial identification and gap analysis will be able to determine what will be required, the level of tailoring required, and the effected stakeholders. If the organization has an established quality management system (e.g., CMMI, ISO 9001) which includes solid risk engineering practices, the level of effort to implement an ISMS is significantly reduced. If the organization has established communication and training management systems, this further reduces the effort by assuring that everyone understands and accepts business needs for an ISMS, the control objectives, and controls and the reasons for their selection as well as enabling appropriate training to take place in a timely manner. Once implemented, everyone is trained and knows: (a) their roles and responsibilities for monitoring the ISMS; (b) what the expected outcomes should be from implemented automated systems (e.g., firewalls, anti-virus software, access controls, data logging); and (c) what policies, procedures, and processes are to be followed when. The control metrics are continuously monitored for effectiveness allowing for evaluation of how well the controls achieve the planned control objectives providing a feedback loop for incrementally enhancing the system. This further enables management personnel to evaluate personnel’s roles and responsibilities; the functionality performed by automated systems; and the effectiveness of the policies, procedures, and processes thereby lowering risks through lessons learned and preventative actions. Internal and external audits verify and validate the ISMS system for the purpose of process improvement. |
