Developing an Information Security and Risk Management Strategy (Part 2)

by [Published on 5 March 2014 / Last Updated on 5 March 2014]

In this article we will focus on elements that will help develop a comprehensive security strategy for your organisation.

If you would like to read the first part in this article series please go to Developing an Information Security and Risk Management Strategy (Part 1).

Introduction

In the previous article we focused on how to develop a security strategy by checking and assessing security posture and establishing asset value. Assessing the security situation (Exposure) and how to analyse the security information gathered. This second article will focus on the remaining elements that will help develop a comprehensive security strategy for your organisation.

Step Four: Plan and Develop a Security Strategy

We have gone through the detail of gathering and analysing the security information in Part One of the article. The next step involves taking the information gathered and analysed and converting it into a workable and pragmatic, balanced security strategy.

Converting your analysis into a security strategy. This involves defining an in-depth analysis of the existing security posture of the organisation and outlining an implementation roadmap for achieving the long term security goal. It’s essential to determine where you are with your security strategy and where you want to go. The security strategy provides scope and direction for all future security activities. It also describes the risk appetite of the organisation.

This process is about achieving a security balance and mapping this balance to the risk appetite of the organisation and based on this a reasonable budget can be established that is backed by management. Remember that without management buy in, this whole process is futile.

A security program should be developed with a top down approach in mind. Through the program being initiated and supported firstly by top management and then worked through to middle management and then staff, the security program will have the best chance of being effective. This type of approach, rather than a bottom up approach, ensures that the people most responsible for protecting the enterprise assets are driving the program forward.

The roadmap is necessary to portray the steps required for achieving the goal. The roadmap should include milestones, deadlines, deliverables, inputs required, resources and constraints. It should also define the communication plan. The roadmap will assist in moving the organisation from the current security state to the desired security state.

Ensure that the security strategy is both reasonable, actionable, balanced and allows for flexibility to avoid deviation from the plan. The strategy should lend itself to adaptability and is a living document that is reviewed every six months at a minimum.

For a security strategy to be effective it should meet the following conditions:

  • Should be concise, clear and easy to understand
  • The strategy needs to be realistic with regards to the available funding and resources
  • The documented strategy should be compiled in an organised manner that is logically arranged
  • The strategy must be adaptable
  • Must be fully supported by management and team leaders, a top down approach is always favourable
  • Business objective should drive the security strategy creation, implementation and enforcement not the other way round
  • Be used to integrate security throughout business functions and processes
  • Should support regulations and standards applicable to the organisation
  • Should be continuously reviewed and adapted if necessary
  • Should be easily accessible
  • Should be created with the intention of having it in place for the long-term

Once the security has been implemented and risk mitigated it’s important to formalise a baseline. The baseline will act as a consistent reference point used as a comparison for future changes. A baseline can be defined per system type, which shows the existent security settings and protection levels for each system. Whenever changes are made the baseline can be viewed to ensure that the baseline level of security is continuously met. By ensuring the baseline security is always where it should be security vulnerabilities are reduced.

Step Five: Strategic Alignment

We always want to aspire to achieve ‘better’ security. The only way we can really improve is to know where we are starting from, where we need to go, and the steps we need to take to get there.

The aim of the carefully planned and designed security strategy is so that it can continually evolve along with changes in the information security environment and organisation. This is the reasoning behind ensuring the security strategy is flexible and adaptable, the security strategy must embrace change for it to be sustainable.

A planned security strategy with structured steps allows for continuous evolution and improved processes and security posture

The core of all security frameworks are similar however its essential to understand that a security program has to have a continual lifecycle that should be constantly evaluated and adapted for improvement.

The life-cycle of a security strategy includes:

  • Planning and organising
  • Implementation
  • Operation and maintenance
  • Monitor, manage and evaluate

Without setting up this continual life-cycle approach the security strategy will probably not be one for the long term which is what we are trying to accomplish. The life-cycle enforces structure to ensure the strategy is ongoing.

To achieve an agile security strategy continuously look ahead and rely on changes occurring and design the strategy to accommodate the changes. Ensure the security strategy is always up to date by looking ahead at possible situations and how you would implement your strategy to address those probable scenarios. Being prepared for multiple scenarios will assist in managing the risk effectively.

The security strategy should be functional at all levels within the organisation. Remember this strategy has to be reviewed at least once yearly and is a living document.

Ensure that the strategy is manageable under changing conditions so that it is sustainable in the long-term. The strategy should be recognised as a continuous process and not a static event.

Step Six: Communicate the Security Strategy (The security awareness program)

It’s important to arm everyone within the organisation with as much security knowledge as possible. To secure the organisation, it’s vital that everyone at all levels of the organisation understands the importance of the security strategy and its impact and support on the processes, assets, data and even people within the organisation and outside of the organisation (customers etc.). Everyone should be made aware of the issues and challenges facing the security program and the strategy must be supported at all levels for it to be effective.

The security awareness program is usually aimed at three audience types: management, staff and technical employees. Each form of communication or training material or session needs to be geared towards the audience type, making clear the responsibilities, expectations and liabilities for each audience. How you communicate the information with management and then technical employees requires two very different approach types to get the message across and keep each audience interested.

For the security strategy to achieve the anticipated results, be sure to communicate the what, how and why of security to all within the organisation.

For effective communication and training it should:

  • Be up to date at all times
  • Use repetition of most important messages in varying formats
  • Be entertaining, positive and humorous
  • Be comprehensive and simple to understand
  • Be enforced and supported by management

Conclusion

Looking ahead at the future of security, security will probably be established by balancing controls and risks to produce a scalable and flexible strategy. More persistent internal monitoring and sharing of security intelligence is probable for a more effective security approach.

Invasive security controls will be limited as organisations are quickly losing control of the devices and services that the workforce uses, as BYOD is becoming the norm. Organisations will likely lose control of the way employees and customers protect information. We are shifting into a time where organisations will probably no longer own their IT infrastructure and thus will no longer have direct control over their security.

It’s important to understand that information security in not only about firewalls, antivirus software and passwords. Information security is a continuous process that requires persistent management. It is the collective strategy and practices involved in identifying and securing the organisations information assets to achieve sustainable, Confidentiality, Integrity and Availability (CIA).

The future of security is one where barriers against malicious acts are low and well planned and managed security strategies is at the forefront of reducing the security risk.

If you would like to read the first part in this article series please go to Developing an Information Security and Risk Management Strategy (Part 1).

The Author — Ricky M. & Monique L. Magalhaes

Ricky M. & Monique L. Magalhaes avatar

Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Monique is an international security researcher, she holds a BSc Degree (Cum Laude). Previously she has focussed on research and development at leading enterprises in the Southern hemisphere.

Latest Contributions

Featured Links