A Proactive Approach to IT Security Management
Steve Purser
02/28/2005
6. Combining policy with risk management
Accepting compromise is only acceptable from a business point of view if all concerned
parties are aware of the different alternatives and are reasonably informed as to the
opportunity and risk associated with each. In this context, ‘reasonably informed’ implies
that decision-makers should be aware of the quality of the information that is at their
disposal (it certainly will not be perfect).
One way of achieving this is to supplement policy requirements with risk management
techniques that are capable of producing results in a short timeframe. Business
alternatives can then be compared not only on the basis of opportunity and policy
requirements, but also on the basis of risk, and can therefore be ranked taking account
of current constraints. This approach reduces the number of mandatory policy statements
to a strict minimum compatible with legal and regulatory restrictions and results in a
more flexible approach to IT security risk management.
In contrast to traditional risk analysis methods, such as Marion and Melissa, Fast Risk
Analysis techniques are usually applied to highly specific domains and are based on
extremely simple methods. A particularly effective table-driven technique consists of
listing the most important risk scenarios in a first table, and a summary of services
deployed to mitigate the risks in a second table.
The first table has the structure (Risk-id, Threat, Probability, Impact), where:
- Risk-id is an identifier for the risk.
- Threat is a textual description of the threat scenario.
- Probability is a measure of the probability of occurrence (HIGH, MEDIUM or LOW).
- Impact is a measure of the impact (HIGH, MEDIUM or LOW).
The second table has the structure (Risk-id, Mitigation, Residual Risk), where:
- Risk-id is a reference back to the first table.
- Mitigation is a description of the services deployed to mitigate the risk.
- Residual Risk is a measure of the risk remaining after mitigation (HIGH, MEDIUM or LOW).
If a particular alternative is deployed, the associated residual risk should be signed
off by the appropriate business line.
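The two-table technique above, as an added Python example that is not from the article: it validates both tables (level vocabulary, Risk-id references back to the first table), builds the residual-risk profile of each business alternative, and ranks the alternatives by residual risk so the sign-off list is explicit. The scale used to fold probability x impact back into a level, and all scenario data, are assumptions.

```python
# Added example (not from the article): the two-table fast risk analysis as code.
# Risk scenarios, mitigations and alternative names below are constructed samples.
from dataclasses import dataclass
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

@dataclass(frozen=True)
class Risk:                  # first table: (Risk-id, Threat, Probability, Impact)
    risk_id: str
    threat: str
    probability: str
    impact: str

@dataclass(frozen=True)
class Mitigation:            # second table: (Risk-id, Mitigation, Residual Risk)
    risk_id: str
    mitigation: str
    residual: str

def validate(risks, mitigations):
    """Reject unknown levels and mitigation rows whose Risk-id is not in table 1."""
    known = {r.risk_id for r in risks}
    for r in risks:
        if r.probability not in LEVELS or r.impact not in LEVELS:
            raise ValueError(f"{r.risk_id}: levels must be HIGH, MEDIUM or LOW")
    for m in mitigations:
        if m.risk_id not in known or m.residual not in LEVELS:
            raise ValueError(f"{m.risk_id}: unknown Risk-id or residual level")

def inherent_level(risk):
    """Probability x impact folded back to a level (assumed scale: >=6 HIGH, >=3 MEDIUM)."""
    score = LEVELS[risk.probability] * LEVELS[risk.impact]
    return "HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"

def residual_profile(risks, mitigations):
    """Residual level per Risk-id; a risk with no mitigation row keeps its inherent level."""
    validate(risks, mitigations)
    residual = {m.risk_id: m.residual for m in mitigations}
    return {r.risk_id: residual.get(r.risk_id, inherent_level(r)) for r in risks}

def rank_alternatives(risks, alternatives):
    """Least risky alternative first: worst residual level, then total residual, then name."""
    def key(name):
        levels = [LEVELS[v] for v in residual_profile(risks, alternatives[name]).values()]
        return (max(levels), sum(levels), name)
    return sorted(alternatives, key=key)

RISKS = [Risk("R1", "Credential theft via phishing", "HIGH", "HIGH"),
         Risk("R2", "Supplier outage delays settlement", "LOW", "HIGH"),
         Risk("R3", "Misconfigured export leaks a report", "MEDIUM", "MEDIUM")]
ALTERNATIVES = {"A: ship now, MFA only": [Mitigation("R1", "MFA on all logins", "MEDIUM")],
                "B: ship next quarter": [Mitigation("R1", "Phishing-resistant MFA", "LOW"),
                                         Mitigation("R3", "Export reviewed by owner", "LOW")]}
```

The residual profile of the chosen alternative is the list the business line signs off on; a risk with no mitigation row still appears in it at its inherent level, so unaddressed scenarios cannot silently drop out of the sign-off.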
7. An approach to planning
Given that there will always be a need to achieve a balance between short-term and
long-term requirements, the approach to planning is a critical success factor in rolling
out a defined strategy.
As in any discipline, planning has to take account of a diverse list of factors that
will influence the end result. In the IT security domain, such factors include:
- Achieving short-term and long-term goals.
- Allowing for unexpected events (contingency).
- Keeping staff motivated.
- Maintaining and developing essential skill-sets.
- Providing adequate operational coverage.
- Ensuring that any change in requirements is captured and taken care of.
The following techniques can be useful in structuring the approach to planning:
Resource allocation planning
In order to allocate resources effectively, it will be necessary to estimate what
percentage of effort can be spent on long-term and short-term initiatives. This ratio is
then used when preparing detailed plans.
Exploiting synergies
Looking for synergies between projects can greatly reduce resource utilisation.
Similarly, resources with specific skill sets can be used in different environments
(development, test and production).
Exploiting synergies with business projects is a good way of obtaining budgets for
infrastructure-related projects.
Prioritization
Prioritization is an extremely powerful planning tool as, correctly used, it allows us to
make the most efficient use of resources. One of the keys to successfully using
prioritisation is to provide ‘checkpoints’ within projects – points at which the effort
can be suspended. This enables resources to be moved to other activities without
destroying work in progress.
Fast risk analysis is a useful tool in deciding on priorities as it provides a picture of
risk, which takes account of current constraints.
Phased delivery
Phased delivery methods are useful for a variety of reasons:
- They capture the ‘80% complete syndrome’ quickly (something is either delivered or it
isn’t).
- They may allow a subset of the deliverable to be used whilst the rest is in progress.
- They provide checkpoints for suspending the work.
A strategy of delivering small solutions regularly can help the IT security manager gain
credibility in environments where security is seen as a brake, rather than as an
enabler.
People development
Losing resources is painful. Losing highly-skilled resources is even more painful and can
seriously delay projects. It is therefore important to take account of the requirement to
develop people in the planning exercise.
Where external service providers are being used, care should be taken to ensure adequate
transfer of knowledge to permanent staff. In addition, permanent staff should not feel
that they are being given the routine work whilst service providers carry out the more
challenging tasks.
Checkpoints with stakeholders
Checkpoints with stakeholders are necessary to detect and adapt to changes in
requirements or misunderstandings. It is a good idea to plan for such checkpoints
explicitly.
8. Conclusions
As markets become increasingly competitive, companies will be forced to change their core
processes in order to increase or maintain their market presence. In general, this will
involve being able to produce goods and services more quickly and at reasonable
cost.
In order to remain viable, the IT security approach will have to be sufficiently flexible
and scalable to cope with these changes. For most companies, this means that current
processes need to be re-examined and adapted to these new requirements. As a first step
in this process, an analysis of current processes provides valuable information on where
improvements should be introduced.
A successful framework for IT security management should enable the IT security unit to
react quickly to business requirements. A well-defined strategy will aim to achieve this
by putting in place processes and techniques that are global in reach and scalable.
This leads to standardisation and economies of scale and permits better risk mitigation
due to an end-to-end view of the problem.
Increasingly severe time and cost constraints will require organisations to define a
suitable compromise between risk and opportunity, rather than relying on axiomatic policy
statements to decide on the security approach to a given problem. Fast risk analysis is a
useful technique for evaluating the risk associated with different alternatives and, when
combined with an analysis of the opportunities, will help managers select the most
appropriate solution.
A structured approach to planning, and notably appropriate use of prioritisation, will
enable IT security managers to successfully balance short-term and long-term requirements
and thereby steer the organization to a state in which it can concentrate largely on
structural initiatives.
Steve Purser is Director ICSD Cross-Border Security Design and Administration at
Clearstream Services, Luxembourg. Steve is also a founder member of the “Club de Sécurité
des Systèmes Informatiques au Luxembourg (CLUSSIL)” and author of “A Practical Guide to
Managing Information Security” (Artech House, 2004).