The consolidation period can take anything from six months to a year, but it is preferable to keep this phase short wherever possible. Typical detailed objectives of the consolidation period are as follows:
· To identify major stakeholders and ensure their buy-in to a revised approach.
· To understand the strengths and weaknesses of the current approach.
· To classify issues into short-term, medium-term and long-term concerns.
· To provide temporary or permanent solutions to short-term issues and to cancel any ongoing activities not likely to be in line with the future strategy.
· To identify and take advantage of any 'quick wins' that can be realised before the strategy document is completed and agreed.
· To implement initial management control mechanisms.
· To define the strategy for the next strategic planning cycle.
The first step is critical and is designed to ensure that all the relevant decision makers are identified and involved in the security process. A stakeholder in the information security approach is someone who will be affected by the quality of the result and who therefore has a vested interest to protect. In some senses, all staff are therefore stakeholders in the approach. However, the idea here is to target the decision makers and to ensure that the latter involve their staff. A good technique for identifying stakeholders is to gather and use information on how decisions are made, rather than identifying participants based on more theoretical notions, such as information ownership (this type of exercise can sensibly be achieved later). A lot of useful information can be gleaned here by paying attention to the composition of steering committees, user groups and similar bodies.
The strengths and weaknesses of the current approach are key inputs into the information security strategy, and the task of understanding them can begin before all the stakeholders have been identified, as there will presumably be documentation (such as past audit reports) that needs to be analysed as part of this process. Nevertheless, staff members themselves are likely to provide the most useful information in this regard. It is therefore important to approach stakeholders, once they have been identified, with an eye to listening rather than talking at this stage. In order to get the most out of these meetings, they should be well prepared in advance and the people being interviewed should know what is expected of them. The details of this preparation are largely a matter of personal style, but should include at least some background information, a statement of the objectives and an agenda.
The issues that arise out of the discussions with stakeholders and analysis of the current approach can be classified into those that can be resolved relatively quickly and those that require a more long-term approach. The overall aim will be to resolve the former within the consolidation period and to incorporate the resolution of the latter into the information security strategy. In reality, issues will be ranked according to several criteria, including the degree of associated risk, the complexity of the rectification exercise and the extent to which the issue and likely solution are acceptable to the user community. This ranking will then be used as a basis for detailed planning.
The analysis of the current approach will often reveal opportunities to make improvements at little cost. Although the improvements might be small, their implementation does provide positive feedback to other staff and therefore helps build credibility. If it is not already in place, the introduction of fast risk analysis techniques falls into this category. A simple, pragmatic tool for analysing information security-related risk and identifying appropriate mitigation actions is extremely powerful and can greatly assist the decision-making process. Another advantage of introducing a viable approach to handling risk is that it removes the urgency of creating a revised information security policy. This is very helpful, as creating workable policies generally requires a lot of time and effort. Other areas in which quick improvements might be possible include the introduction of simple statistics and regular reporting, and the establishment of a schedule of co-ordination meetings within the information security group.
The main purpose of the consolidation period is to establish the environment necessary for achieving long-term success – as such, the consolidation period is the ideal time to improve existing management controls. The main emphasis here should be on ensuring that the current controls support the decision-making process and are not just being followed as a matter of routine. Typical improvements here include:
· Ensuring that meetings have a well-defined objective and result in actions.
· Implementing methods for tracking progress against existing plans and milestones.
· Implementing simple metrics so as to make the process measurable.
It is also worth verifying that management procedures and methods within the department are aligned with those used within the organisation as a whole. If this is not the case, it will be harder to integrate the information security process within the overall business process framework later.
Whilst all the above tasks are important, the major objective of the consolidation period is to define the information security strategy for the next strategic planning cycle. The strategy itself will likely be based on several inputs (see figure 1):
The final strategy is a coherent, high-level description of the strategic objectives and how they will be achieved. Typically, the strategy will provide a prioritisation of major initiatives and an idea of how the objectives will be accomplished as a function of time. This high-level planning will result from a consideration of many factors, including the ability of individual initiatives to mitigate risk, resource considerations and possible synergies with other initiatives. However, the strategy will not contain any detailed planning as this is likely to change as the different business priorities change to reflect the way markets are evolving.
Steve Purser is the director ICSD Cross-Border Security Design and Administration at Clearstream Services, Luxembourg and is also a founder member of the Club de Sécurité des Systèmes Informatiques au Luxembourg (CLUSSIL). The themes of this article are developed further in the author's newly published book "A Practical Guide to Managing Information Security" (Artech House (2004)).