In introducing the subject, we also pointed out that the issues which confront the present-day security manager are varied in nature. In some cases, it is the concepts upon which our understanding of security is based, that are being put into question. The notions of trust and privacy were cited as examples of this type of problem. Business-related issues on the other hand are often easy to understand, but difficult to resolve. In particular, providing a global legislative framework that is capable of supporting global electronic commerce is likely to be a long and slow process and is complicated by different approaches to legislation at the national level. Many of the technical issues are related to the increase in complexity that characterise many modern IT environments. This increase in complexity often results in an insufficient understanding of how the architecture as a whole functions and this is a major obstacle to implementing appropriate security measures. Finally, operational issues reflect the problems that enterprises are experiencing in adapting to changing demands. This is particularly true where the time to respond is concerned.
Given the fundamental nature and complexity of the issues we defined the key principles underlying a risk-based approach, namely:
· The approach should ensure that the level of information security-related risk accepted by the enterprise is in line with business expectations.
· Legal and regulatory requirements must be met and it must be possible to demonstrate this fact.
· It should be possible at all times to react quickly to business requirements, whilst still continually improving the overall control framework. In other words, the approach should allow for both tactical work and strategic work.
· Compromise is essential, but it has to be done in the right way. Fast risk analysis techniques should be used to compare alternative actions on the basis of risk.
Based on these ideas, we then described a two phased approach to re-engineering the way in which information security is managed. Each phase is associated with particular objectives. The major objectives of the initial phase are to establish credibility, to build up a network of contacts, to identify where changes need to be introduced and to wind down any activities that do not make sense from a long-term perspective. The second phase is repeated every three to five years and essentially involves defining, implementing and monitoring a revised strategy.
The information security strategy, the policy and standards, the IT security architecture and user awareness and training material were identified as the important deliverables of the strategic planning cycle. The strategy is to be seen as the high-level roadmap for the current period and outlines how the remaining deliverables will evolve. The control framework consists of all policy statements, standards, procedures and technical measures that are used to secure operations. As enterprises become more mature, they improve the effectiveness and efficiency of the control framework. Risk analysis techniques are used to discover how well the framework performs in a particular context and indicate where supplementary, tactical measures are need to satisfy short-term requirements.
As part of this discussion it was explained that procedures and technical solutions are best viewed as complementary aspects of any approach to mitigate risk. Implementing one without taking account of the impact on the other is likely to result in incoherencies or, at best, inefficiencies. The concept of a security architecture can be used to ensure that both achieve an appropriate response to the perceived threat environment.
Finally, the importance of planning user awareness and training from a long-term perspective was emphasised. This will typically involve far more than the traditional security awareness campaign and should be seen as a series of initiatives (both formal and informal) that aim to introduce the notion of security risk management into the culture of the enterprise.
Steve Purser is the director ICSD Cross-Border Security Design and Administration at Clearstream Services, Luxembourg and is also a founder member of the Club de Sécurité des Systèmes Informatiques au Luxembourg (CLUSSIL). The themes of this article are developed further in the author's newly published book "A Practical Guide to Managing Information Security" (Artech House (2004)).