
In the document Information Security (Page 124-128)

A proactive approach: Overview

4.6 The core deliverables

The remaining chapters of this book analyze particular aspects of the strategic-planning cycle in more detail. These chapters have been organized to reflect the core deliverables of the approach, namely:

- The information-security strategy;
- Policy documents and supporting standards;
- The IT security architecture;
- User awareness material.

As these deliverables are the cornerstones of our approach, we’ll describe their significance briefly before proceeding with a more in-depth treatment.

The information-security strategy has already been referred to several times and provides the vision for the next 3 to 5 years. Among other things, the strategy should outline how the other core deliverables will be produced or will evolve during this period.

The way in which policy statements are structured is expected to vary considerably from organization to organization, but in all cases it is important that policy documents be produced as part of a structured documentation set. Failure to do so is likely to result in confusion, particularly when several policy documents coexist. Policy documents provide a high-level statement of requirements in a certain domain. Most organizations are expected to publish an information-security policy, an IT security policy, or both, and some organizations will opt to produce a hierarchy of policies. As will be explained later, we will favor the less complex approach and aim to produce two policies, one destined for end users and the other destined for IT specialists, taking care to ensure that the two policies are consistent with one another. IT security standards are documents that support policy by providing an interpretation of policy statements in specific situations. Standards add value by encouraging a common approach to dealing with specific issues, thereby reducing complexity.

The purpose of designing an IT security architecture is to ensure the optimal use of technology in reducing risk. Using an architectural approach involves taking an end-to-end view of security issues. By designing an architecture that provides a series of mutually reinforcing security mechanisms, weaknesses specific to individual systems can be protected by using compensating controls provided by the architecture.

Finally, user-awareness material provides the bridge between the information-security department and other profiles within the organization.

User-awareness material can therefore play a critical role in the general scheme of things by providing one of the most important mechanisms for communicating the approach to the end user. However, user-awareness material is generally only effective if it is supported by a coherent approach to the whole issue of communicating with end users. We will discuss this point in some detail towards the end of the book.

4.7 Summary

In order to be successful, any approach to securing information must be aligned with corporate culture and values. Developing a thorough understanding of cultural issues and establishing solid interpersonal relationships take time, but both are a necessary prerequisite to establishing a durable approach; hence, new managers should try to agree to a consolidation period before releasing a long-term strategy.

The main objectives of the consolidation period are to establish a network of contacts and to gather sufficient information to allow the definition of the information-security strategy. Managers are also encouraged to devise a personal strategy for success by taking into account such factors as the maturity of the organization and key corporate values.

During the consolidation period, the current situation is analyzed to identify strong and weak points. This involves identifying the major stakeholders in the security process and listening to what they have to say about the current situation and how it could be improved. Ongoing activities that are unlikely to fit into the future strategy are terminated in an organized manner, and a short-term plan is devised to take care of high-priority issues that arise out of discussion with the stakeholders. Any issues that cannot be handled in the short term automatically become candidates for the strategy.

The end of the consolidation period marks the beginning of the first strategic-planning cycle. From this point on, strategic work should proceed via a series of planned cycles, each lasting from 3 to 5 years. This work will constantly compete for resources with more tactical initiatives, and the extent to which the effort should be divided between the two types of work depends on the maturity level of the organization. All strategic cycles except the first encompass four phases: definition of the strategy, production of a strategic plan, execution of the plan, and monitoring. The first strategic cycle is slightly different in that the first phase is built into the consolidation period.

The strategic approach proposed by this book involves the production of four core sets of deliverables: the information-security strategy, the policy documents and supporting standards, the IT security architecture, and the user-awareness material. Subsequent chapters of this book build on the material in this chapter and show how these deliverables can be used to construct a solid and flexible foundation for information security.
