
Analysis of the current situation

In the document Information Security (Page 130-133)

The information-security strategy

5.3 Analysis of the current situation

Of all the defined tasks, the analysis of the current situation took the longest to complete. This was due to a number of factors:

The overall standard of documentation was poor. Many documents had either been lost or not produced in the first place. Where documents did exist, they were often out of date.

Stakeholders were initially cautious in their observations, but became more open as the initiative developed.

Many of the staff that had contributed to the earlier initiatives had since left the organization.

Despite efforts to present the exercise as an objective analysis, staff from the IT security unit clearly felt exposed to criticism and tended to react defensively to identified issues.

Figure 5.1 Producing the information-security strategy. [Figure: a timeline over months 0 to 7 showing the sequence of tasks (analysis of current situation; definition of the target situation; definition/prioritization of strategic initiatives; distribution of draft strategy; agreement/publication of final strategy; approval) together with their inputs (business strategy requirements; legal and regulatory requirements; requirements due to external trends).]

In addition to confirming known issues, this analysis revealed a wealth of minor details, most of which were subsequently tracked using the issues database. Table 5.1 lists the only three new major issues that were defined.

The first issue was rated as medium priority because a temporary solution was identified in agreement with the IT department. The other two issues were causing a certain level of inefficiency, but neither was business critical. Equally, there were good arguments for implementing solutions to these problems as soon as possible, hence the rating of medium priority.

The final deliverable of this exercise was the list of strategic requirements summarized in Table 5.2. These requirements were formulated to cover the medium and low priority issues identified in Chapter 4 (for which no corrective actions have yet been defined) and the three issues identified in Table 5.1. In addition, a strategic requirement was added in the area of user awareness, as the work carried out in the consolidation period in this area only provided a short-term solution to an important problem.

Table 5.1 New Major Issues

I18 (Priority: Medium). Whereas there was a clear IT owner for most types of technology, certain types of systems (notably the more recent additions, such as the application server) had not been designated an owner. As a result, many necessary security enhancements had not been made to these systems.

I19 (Priority: Medium). Although the point was not specifically raised by any of the stakeholders, a review of past events demonstrated a clear requirement for a secure e-mail implementation for certain groups within the enterprise. This mainly affected executive management, human resources, and audit.

I20 (Priority: Medium). Several departments had experienced difficulties in transferring information from the public Internet workstations to the internal network. Many users had a clear business requirement to do this, as information that was previously distributed on storage media (such as compact discs) was now only available over the Internet.

Table 5.2 Strategic Requirements Arising Out of Analysis of Current Situation

R1 The organization shall design, agree on, and implement a new approach to information security, which is in line with business expectations, pragmatic and capable of dealing with day-to-day issues, and aligned with the approach to physical security and human resources.
Underlying issue (Issues I7 and I11, Section 4.4.4): The current approach to information security is generally thought to be too theoretical. A more hands-on approach is required. There has been no attempt to create a coherent framework including physical security and personnel issues.

R2 The organization shall ensure that all responsibilities within the area of information security are agreed on and documented.
Underlying issue (Issues I8 and I13, Section 4.4.4, plus I18): Responsibilities are poorly defined and do not match what happens in reality. In addition, the current set of responsibilities is incoherent across the enterprise. Also, certain IT systems have no designated owners.

R3 The organization shall define, agree on, and implement an approach to risk management in the information-security domain.
Underlying issue (Issue I9, Section 4.4.4): There is no collaboration between the risk-management group and the IT security group.

R4 The organization shall ensure that current security administration procedures are modified and/or automated to ensure sufficient scalability for projected requirements.
Underlying issue (Issues I10 and I13, Section 4.4.4): Existing procedures for security administration are based on those originally defined for the mainframe. These procedures do not scale well and are often ignored. There is little automation in place. Administration of access rights on the mainframe is currently carried out by the audit department.

R5 The organization shall design, agree on, and implement an IT security architecture capable of providing core security services in an efficient manner.
Underlying issue (Issues I16 and I17, Section 4.4.4, plus I20): The current IT infrastructure is complex and there is little product standardization. The existing deployment of security tools is very limited and economies of scale have not been realized. In addition, transferring information from Internet workstations to the internal network is problematic.

R6 The organization shall design, agree on, and implement an approach to integrating information security into the product development and acquisition life cycle.
Underlying issue (Issues I14 and I15, Section 4.4.4): There has been no attempt to align information security with software development and purchasing activities. In addition, testing is carried out in less secure environments using production data.

R7 The organization shall design, agree on, and implement a secure mail solution for those groups having a requirement for confidential mail exchanges.
Underlying issue (Issue I19): Certain groups within the enterprise require confidentiality protection of mail. This mainly affected executive management, human resources, and audit.

R8 The organization shall design and execute an information-security training program with the aim of making staff aware of the important issues and the approach the organization will take to resolving them.
Underlying issue (Issue I3, Section 4.4.4): There is little dialogue between the security department and other departments. The main point of contact is a yearly presentation, which is largely out of date.

In Table 5.2, strategic requirements have been mapped back to issues by referring to the identifiers of the latter. Although this has been done here by referring to a section in the previous chapter of this book, in reality, this would involve referencing the appropriate document. This technique of mapping requirements to issues is extremely useful, and initiatives will be mapped to requirements in a similar manner. Throughout the strategic-planning cycle, these references can be used to relate ongoing activities back to the issues they are designed to resolve. This is a good technique both for checking coherence and for keeping an eye on how risk is being mitigated.

Similarly, at the end of any given strategic initiative, such references provide a mechanism for measuring to what extent the initiative has resolved the underlying issues.

Of the medium- and long-term issues identified as a result of discussions with stakeholders, issue I12, insufficient security of mobile devices, could not easily be associated with any strategic requirement. This issue was therefore resolved separately and progress was tracked using the issues database introduced as a quick win in the consolidation period.
