As security professionals we are still concerning ourselves with availability. The CIA model was developed and used many moons ago, when a firewall constituted security, and the "A" actually made sense: you had to keep things running. We have evolved, and the availability of resources should be moved to the realm of the CIO. Avoid taking on additional responsibilities that have no impact on security. Defining the responsibilities and roles of the security department/officer is critical. Yes, I did reverse the traditional order: define your responsibilities first, and then determine the roles that are needed to implement those responsibilities. And remember: don't take ownership of areas you cannot control.
3 acronyms to embrace
1. ISO 27001 (International Organization for Standardization)
Be careful with this one: I am not referring to ISO 27002, which is a list of controls. I am talking specifically about developing an Information Security Management System (ISMS) that allows an organization to spin the PDCA (Plan, Do, Check, Act) wheel whenever changes to the environment occur. The days of a SAS 70 being sufficient are gone; financial institutions are requesting that their service providers become ISO 27001 certified. Alignment with ISO 27001 can assist an organization's compliance with regulations and provide a framework that benefits from the efficiency and effectiveness gained through organizational governance.
2. PII (Personally Identifiable Information)
Privacy has been, and will continue to be, a hot topic; if you are an international organization, you should definitely keep it on your radar. While Information Security may consider privacy part of its jurisdiction, it should be the responsibility of Legal and HR. Information Security should be present to guide the protection of information, but should not own the compliance and/or business processes surrounding Personally Identifiable Information (PII). With the E.U. Safe Harbor framework, many organizations are scrambling to understand what this means, and whether other countries will accept the standard (e.g., Germany), or whether the standard will accept them (sorry, Mexico). One idea that is often overlooked when discussing PII is the presence of a good Incident Response Plan (IRP). Privacy regulations are very particular with regard to PII being leaked or breached. When performing a privacy assessment, be certain to allocate some of your budget to the development or update of your IRP.
3. ERM (Enterprise Risk Management)