Information security is no longer just an IT issue. Today, organizations are relying on technology for business operations more than ever before. At the same time, Internet threats are appearing with unprecedented speed and complexity, putting business assets at increased risk. What's more, government and industry regulations are challenging businesses to meet a range of very strict requirements for information security.
It's all about confidentiality, integrity, and availability. Confidential information must remain, well, confidential; consequently, programs must protect sensitive information from unauthorized disclosure or access. The integrity of information must not be compromised. And it must only be accessible by authorized individuals whenever, wherever, and however they need it.
In response, many businesses are devoting more of their time and resources toward developing an information security program -- a formal, structured program that helps ensure the security of business assets
Developing and maintaining an information security program is a three-step process that is repeated and updated over time. These steps include measuring an existing program, identifying and implementing necessary improvements, and managing the ongoing process.
As the first step, measuring where you are can be completed with the input of key managers who articulate their understanding of the company's strategic objectives, the current business environment and expected industry changes, and tactical issues such as which security issues currently need immediate action and what impact those issues will have on business. Then, by linking strategic business objectives with information security requirements and identifying unique information security challenges and opportunities, a framework is established for the information security program.
It is in the next phase, however, that the rubber really meets the road. That's where the gap between "what is" and "what should be" becomes apparent, and where a roadmap is developed to close that gap.
From here to there
Assessing the current information security architecture is an opportunity to ask -- and answer -- tough questions. Does the organization have a formal information security strategy or plan? If so, how well has it been working, or is its effectiveness even measurable? Has it been independently reviewed, and if so, with what results?
While documenting the existing environment does not need to be detailed and exhaustive, it should provide an accurate snapshot of the state of the program and address the core components of people, processes, and technology. One of the most practicable ways to gauge the effectiveness of a program is to compare it with industry best practices for information security. These best practices also include people, processes, and technology, and scorecards can be useful to make it easier for organizations to grade their programs in key areas.
Once the existing program is assessed, the organization must take a broad and unconstrained look at possibilities for the future security environment. In other words, what would an effective information security environment look like? Perhaps it would have a formal organization responsible for information security, or maybe provide ongoing company-wide security awareness training as a formalized program.
The resulting information security gap highlights the difference between the current and future information security architectures. In analyzing this gap, strategic activities that ensure long-term success are separated from more proximate, pressing tactical issues requiring immediate attention. The gaps are then further categorized into high, medium, and low priorities to make it easier to ascertain the importance of each area in relation to the others.
This gap analysis provides the basis for the final step in the information security program development process.
Closing the gap
With the results of the gap analysis in hand, an information security roadmap can be developed. To ease investment decisions without sacrificing needed security, the roadmap can address future funding issues by using a return on investment approach, by including both one-time and ongoing costs, or perhaps even by comparing the cost of security against the cost of a security breach.
When the most appropriate investment level is determined, strategic initiatives and tactical plans, along with a timeframe for meeting those objectives, can be established. For best results, the roadmap should summarize program activities for the next two years.
For example, a strategic people-related initiative might be to create and staff a separate information security organization within the next year; an associated tactical plan might be to clarify the roles and responsibilities for such an organization in the next two months.
A strategic process-related initiative might be to publish information security policies on the corporate intranet within the next nine months; an associated tactical plan might be to develop a consistent format for those policies within the next three months.
A strategic technology-related initiative might be to have an independent third-party audit of the program within the year; an associated tactical plan might be to document changes to the computing infrastructure in the next 90 days.
With this roadmap complete, a much more detailed implementation plan can be developed that logs progress made toward achieving each strategic initiative and its associated tactical plan. This project plan is also a valuable tool for reporting to management on the steady improvement in information security efforts.
Re-evaluation and review
Just as the security lifecycle is a continuous process of measuring, improving, and managing, an information security program is a dynamic plan that must be regularly reviewed and revised. Constant course correction is necessary as new business challenges arise, and information security must adapt. In fact, even the program implementation process itself typically changes how a company conducts business.
Moreover, achieving a completely secure enterprise is not a realistic goal. Security threats are simply too pervasive and unpredictable and enterprise networks too complex to be able to guarantee the confidentiality, integrity, and availability of all systems and information all the time.
But by continuously implementing incremental security measures that ultimately reduce risk, as presented in an effective information security program, closing the security gap indeed can become a business reality.
About the author:
Mark Egan is Chief Information Officer at Symantec Corp. Egan is the author of The Executive Guide to Information Security, which will be available in November.
This was first published in November 2004