Overused reference to Sun Tzu
Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.
Planning
I admit planning is boring and operations usually demand immediate action. Yet, to everyone's continual surprise, a week or two of delay for proper planning may save months later on. More often though, folks running security ops fail to see the bigger picture beyond their daily routine tasks: the picture that would show them how important it is to understand the real reason for their existence in the company's organizational structure. So, when you begin your journey in the new role of #infosec manager, take a seat and list the top areas you will concentrate your efforts on for the next two or three years.
The real benefit of a strategy plan, as I see it, is a definite road map of what I am trying to achieve. It helps identify what is already in place and what still needs to be done. Part of this planning should be reserved for defining your objectives.
My common top areas of concentration are:
- Manageable Information Security Management System, or ISMS if you like;
- Risk management framework;
- Detection and monitoring capability;
- Incident management program;
- Security awareness program.
You may identify other areas of effort; just try to keep the list to five or so. Budget is always limited, and most probably you will not have the luxury of hiring 15 people for your security function. Therefore, your strategy should accommodate down-to-earth long-term objectives. Be honest about your capabilities and do not overestimate what you can achieve and by when. Shooting for the stars without a chance of defying gravity will just end in a big ball of fire.
The first two look like parts of one bigger objective. I separate them because an objective covering too vast an area cannot be done right. The ISMS should encompass your approach to overall security management; it should include developing the processes, procedures and documentation that support your daily and routine tasks. It may be built on ISO 27K or COBIT 5 for Information Security, whatever suits your organization. Risk management may and should be part of the overall information security management system; however, because a risk management process and framework are complex to design and implement, I suggest approaching it as a separate objective. In other words, risk management should not become a file of recorded security failures with management sign-off. It should be an independent process, triggered from within the ISMS and feeding its output back into the ISMS so that other processes can correct or mitigate the risks.
Unless you are fully equipped, adequately staffed and supported by budget, there is no point in setting an objective to stand up a full-scale Security Operations Center. That is why in the beginning I would concentrate on developing detection and monitoring capability. The Verizon DBIR for 2016 shows that IT continues to struggle with detection and therefore with response. Most commonly, the security teams put in charge of discovering breaches internally are less effective than fraud detection or law enforcement teams. Knowing that, I begin by setting up a capability based on a mix of open source and COTS software as the tool base, together with training and development plans for the personnel.
Developing an incident management program is a mammoth task, equal to the risk management program in its complexity. Despite the huge number of detailed documents available, IT pros still struggle to implement an adequate program for managing incidents and events. The trends point out that security pros need to concentrate their efforts on response, so it is appropriate to set an objective related to the incident management program. Accept the fact that sooner or later your organization will be compromised. What matters is the capability to detect the compromise and respond to it in a more or less manageable way.
Finally, the objective related to the awareness program. It is no secret that the initial enthusiasm for awareness programs has run out. IT pros complain that users just don't bother, and I agree with their sentiment. At the moment security awareness is perceived more as a compliance formality than as a tool to improve security. "So why this objective, then?" you might ask. Because the awareness program helps communicate the most important message: "The security department is here, it works and it is reachable." It is true that users will continue to ignore the tips and newsletters you mass-mail every month. But the idea that there is someone in the company taking care of security is important. It also helps communicate your approach to incident response and establish proper channels of communication from users to your department.
Examples of objectives
Anyone who has taken an interest in management knows that objectives should be SMART: Specific, Measurable, Achievable, Relevant, Time-bound. Examples of SMART objectives, at least from my point of view, would be:
- "Implement an ISMS based on and certified against the ISO/IEC 27001:2013 standard requirements by the end of December 20XX"
- "By mid October 20XX, upgrade the SIEM solution's storage capacity to keep 3 months of logs available on demand and 1 year off-site, as per the log retention policy"
- "Conduct trainer-led information security awareness sessions covering at least 70% of the employees located in the HQ building in 20XX"
As you can see, I prefer to keep objectives formulated briefly. Every objective should have a short description of what it will help achieve and its benefits. I have also adopted the approach of mapping initiatives to objectives, so that my efforts have some level of granularity.
The template will look as follows:
Objective #1 - Implement an ISMS based on and certified against the ISO/IEC 27001:2013 standard requirements by the end of December 20XX
Description: Implement an Information Security Management System based on risk management and the international standard ISO/IEC 27001:2013 by the end of 20XX.
Initiative 1 – Review, update and extend the suite of information security policies, standards and guidelines. These documents will formally establish the company's IT Security Program and set forth employees' responsibility for information protection. The policy, standards and guideline framework will also take into consideration compliance with national and group regulations. Key Benefits:
- A policy-based foundation against which to measure results
- Consistent application of security controls across the enterprise
Initiative 2 – Develop and establish a process to manage information assets, in order to capture the full picture of the company's assets and ensure that they are classified in accordance with the classification policy. Implement an automated solution to ensure the completeness of the asset inventory. Key Benefits:
- Identified and managed company assets
- Established proper classification levels for the assets
- Better understanding of where to direct the effort to apply proper controls
And so on.
Well, that's about as short an intro into planning and the benefits of defining objectives as I can write. We went over the importance of planning, some areas of effort you may consider concentrating on, and examples and a template of objectives. I hope it will help you in your operations.
Mentions
Photo is by Sylvain B on Flickr