In a nutshell, the goal of every strategic planning period is to ensure that the approach to information security is (and remains) integrated into the core processes of the organisation in such a way that decisions are made by the right people at the right time with the right results.
The approach described below is based on the production and maintenance of four core deliverables:
The information security strategy.
Policy documents and supporting standards.
The IT security architecture.
User awareness and training material.
The first of these deliverables, the information security strategy, has been briefly described above, due to the fact that the first such strategy is typically produced as part of the consolidation period. The information security strategy is the roadmap for the foreseeable future and outlines how the organisation intends to progress along the path of maturity illustrated in figure 1. In particular, the information security strategy explains how the other three deliverables will evolve over time. The second two items in the list above are often collectively referred to as the control framework, whilst the last item is concerned with making users aware of the framework and how to use it to maximum advantage.
The control framework consists of all the policy statements, standards, procedures, working documents and technical measures put in place to secure day-to-day operations. The control framework may be thought of as the slow moving side of the information security process and risk management as the dynamic side of things. This framework changes slowly as a result of strategic initiatives and the extent to which it is capable of successfully responding to the day-to-day needs of the organisation is a good measure of the organisation's maturity. Risk management is the primary tool for verifying the framework in a particular context and for indicating where modifications and/or tactical solutions are necessary. As organisations become more mature, it is expected that the control framework will be driven more by risk assessment than by policy, reflecting the ability of the organisation to quickly react to changes in the business environment. These ideas are illustrated by figure 1.
Figure 1: Relating policy to risk asessment
Policies and standards provide a framework for information security by defining rules and guidelines for handling everyday situations. Policy statements are used to define high-level requirements, sufficiently generic to be applicable in a variety of circumstances. Standards and procedures on the other hand are used to translate these high level requirements into implementation details. By interpreting policy within a defined operational context, standards and procedures provide an approximation to the best response to any particular problem. One of the characteristics of well-trained staff is that they are capable of recognising when a standard procedure is failing to mitigate risk correctly and are able to react accordingly.
Effective and efficient procedures are one of the cornerstones of a mature control framework, but it does not usually make sense to develop such procedures without taking due account of the technology that will support them (similarly, when designing technical solutions it is important to realise how existing procedures will be impacted). The technical tools used to secure the day-to-day environment are therefore an integral part of the control framework. One way to ensure that procedures and technical solutions are closely aligned is to define and implement an IT security architecture. Note that in many cases this does not necessarily involve a lot of additional expenditure, but is more an exercise to make better use of the tools already acquired.
A well designed security architecture brings many advantages to the organisation, including:
Reduced complexity through standardisation.
The possibility to improve end-to-end security.
The possibility to protect platforms that are vulnerable (but which cannot be further secured for one reason or another) by using compensating controls.
Decreased time to market for new applications.
Developing a security architecture is not easy however and the result should reflect the concerns of the organisation and the risk profile it has chosen to adopt. One way to achieve this is to produce a simple model of the current environment and to conduct a risk analysis against this model. By considering risks across the infrastructure, it should be possible to derive a set of logical components that implement a suitable balance between platform-specific security and 'architectural security'. The idea is that security services provided by the architecture will be provided in a normalised way to all future applications, thereby avoiding duplication of effort and all the additional complexity that this often brings with it.
Last, but certainly not least, the strategy should address the issue of awareness and security-related learning, even if the approach is to maintain what has already been achieved. The fact that many organisations are not giving this subject the attention it deserves is illustrated by a number of recent surveys in the area of information security. Ernst & Young's 2003 Global Information Security Survey for instance, observes that only 29% of organisations surveyed list employee awareness and training as a top area of information security spending . Similarly, the information security breaches survey 2002 , sponsored by the Department of Trade and Industry in the UK, reports that only 28% of UK businesses make staff aware of information security related duties on joining or as part of the induction process. Furthermore, according to this study, 13% of UK businesses have no procedures at all for educating staff on their responsibilities in this area.
The correct response to this problem starts with a recognition of the fact that security awareness, although important, is not sufficient in itself to ensure that staff have the knowledge required to react correctly in the face of an incident. Basic awareness training should be supplemented by more specialised training directly related to the function of the employee. This will almost certainly require a way of working together with business lines where both parties are learning. In addition, there are many other informal communications channels within most organisations that can be put to use to train staff. Indeed, every point of contact between the information security department and the user community provides an opportunity to pass a message. Viewed in this way, user awareness and security training is an ongoing activity that is an integral part of day-to-day business, rather than something that is achieved via a series of formal presentations once a year.
 "Global Information Security Survey 2003", http://www.ey.com/global/download.nsf/International/TSRS_-_Global_Information_Security_Survey_2003/$file/TSRS_-_Global_Information_Security_Survey_2003.pdf, Sept 2003.
 "Information Security Breaches Survey 2002", http://www.pwcglobal.com/Extweb/ncsurvres.nsf/docid/845A49566045759E80256B9D003A4773, Sept 2003.
Steve Purser is the director ICSD Cross-Border Security Design and Administration at Clearstream Services, Luxembourg and is also a founder member of the Club de Sécurité des Systèmes Informatiques au Luxembourg (CLUSSIL). The themes of this article are developed further in the author's newly published book "A Practical Guide to Managing Information Security" (Artech House (2004)).