From: www.itworld.com

Building C-level confidence with a security blueprint

by Samir Kapuria

September 25, 2008 —

IT organizations deploy a number of strategies and frameworks to assess their organization’s risk and security posture – everything from ISO to COBIT. But while these frameworks are often helpful to security professionals and IT risk champions, they do little to help communicate the business value of IT and risk to various business leaders within the organization. Here's where a security blueprint can help.

A comprehensive security blueprint can help close the gap between IT and business by enabling an organization to evaluate its IT security posture and communicate the results back to business leaders. Using such a methodology, IT professionals assess the maturity of security program capabilities, identify areas of strength and opportunities for improvement, recommend an action plan, and communicate the overall security posture and plan of action to executive management.

A complete security blueprint includes an assessment of strategy, operations, and technology, and can be conducted by evaluating the following seven key elements contributing to an organization’s security and risk posture:

• Network and Systems Security: The Foundation. Have a clear understanding of how the organization’s infrastructure is architected. For example, what is the technology deployed for prevention, detection, and management around the infrastructure systems and the network.
• Application Security: Both Internal and External. In order to maintain an optimal security posture, management should assess both internal applications, as well as those procured by third-parties. A solid understanding of the risks associated with each application will help eliminate potential risk before applications are deployed.
• Data Security: Protecting Critical Assets. Data is considered the most important asset of an organization. Management needs a plan for protecting and recovering data throughout the lifecycle. Data should be kept safe from corruption and also suitably controlled.
• Secure Operations: People Drive Process. Managing and protecting assets includes a method to distribute products and services, and a process created to drive change among people. In many organizations, operations are the weakest link, yet it is also the first and last line of defense.
• Business Continuity: Ensuring Uptime. Understanding an organization’s availability requirements is fundamental to establishing priorities. There should be a clear plan to keep the business up and running, despite any potential threats or outages.
• Security Strategy: Aligning with Business. Security strategy should always be aligned with an organization’s business strategy. Security professionals should ask the following questions: What do I want to protect? How do I want to protect it? What are the metrics to evaluate for success?
• Security Organization: Sharing Risk. A security organization should be aligned with the business goals and objectives. Security professionals should be able to illustrate how their programs and initiatives will drive the business goals and objectives.

When to Implement a Security Blueprint

There are several scenarios in which a security blueprint can be particularly helpful in balancing an organization’s overall IT risk and security management program. For example, when an organization needs to evaluate the current state of their existing program capabilities and define their desired state of program maturity, applying a blueprint approach provides a portfolio model for aligning the value of security with business objectives and associated risk tolerance.

Another security blueprint use case might be during a merger or acquisition when an organization will want to examine its maturity level with regard to security and risk. It might plan to use some integration dollars to bolster the acquired company’s security posture to bring it in-line with the desired level. In this case, a security blueprint will identify the areas that need the most improvement and where the strengths are.

Similarly, for a large organization with a number of subsidiaries, the security blueprint process can examine each business unit, along with the parent company, to determine the strengths of each. Rather than the parent company investing and bolstering each area to one level, it can borrow and implement programs from its subsidiaries. This allows executives to take what exists and leverage it across the board, rather than investing in designing a program.

Conclusion

A security blueprint gives an organization a good understanding of the breadth of information security capabilities that should exist within the organization. It also allows the executive team to visualize and measure an overall information security program.

By evaluating the seven key elements that address the strategic view, the operational view, and the technology view, executives, security practitioners and business stakeholders can evaluate overall capabilities and align their security program portfolio with the risk expectations of their business.

Samir Kapuria is managing director of Symantec Advisory Consulting Services