Building C-level confidence with a security blueprint

by Samir Kapuria
Be the first to comment | 4I like it!
Tags: risk assessment
More »
on this topic
September 25, 2008, 10:56 AM —  Symantec — 

IT organizations deploy a number of strategies and frameworks to assess their organization’s risk and security posture – everything from ISO to COBIT. But while these frameworks are often helpful to security professionals and IT risk champions, they do little to help communicate the business value of IT and risk to various business leaders within the organization. Here's where a security blueprint can help.

A comprehensive security blueprint can help close the gap between IT and business by enabling an organization to evaluate its IT security posture and communicate the results back to business leaders. Using such a methodology, IT professionals assess the maturity of security program capabilities, identify areas of strength and opportunities for improvement, recommend an action plan, and communicate the overall security posture and plan of action to executive management.

A complete security blueprint includes an assessment of strategy, operations, and technology, and can be conducted by evaluating the following seven key elements contributing to an organization’s security and risk posture:

  • Network and Systems Security: The Foundation. Have a clear understanding of how the organization’s infrastructure is architected. For example, what is the technology deployed for prevention, detection, and management around the infrastructure systems and the network.
  • Application Security: Both Internal and External. In order to maintain an optimal security posture, management should assess both internal applications, as well as those procured by third-parties. A solid understanding of the risks associated with each application will help eliminate potential risk before applications are deployed.
  • Data Security: Protecting Critical Assets. Data is considered the most important asset of an organization. Management needs a plan for protecting and recovering data throughout the lifecycle. Data should be kept safe from corruption and also suitably controlled.
  • Secure Operations: People Drive Process. Managing and protecting assets includes a method to distribute products and services, and a process created to drive change among people. In many organizations, operations are the weakest link, yet it is also the first and last line of defense.
  • Business Continuity: Ensuring Uptime. Understanding an organization’s availability requirements is fundamental to establishing priorities. There should be a clear plan to keep the business up and running, despite any potential threats or outages.
  • Security Strategy: Aligning with Business. Security strategy should always be aligned with an organization’s business strategy. Security professionals should ask the following questions: What do I want to protect? How do I want to protect it? What are the metrics to evaluate for success?
  • Security Organization: Sharing Risk. A security organization should be aligned with the business goals and objectives. Security professionals should be able to illustrate how their programs and initiatives will drive the business goals and objectives.

When to Implement a Security Blueprint

There are several scenarios in which a security blueprint can be particularly helpful in balancing an organization’s overall IT risk and security management program. For example, when an organization needs to evaluate the current state of their existing program capabilities and define their desired state of program maturity, applying a blueprint approach provides a portfolio model for aligning the value of security with business objectives and associated risk tolerance.

Another security blueprint use case might be during a merger or acquisition when an organization will want to examine its maturity level with regard to security and risk. It might plan to use some integration dollars to bolster the acquired company’s security posture to bring it in-line with the desired level. In this case, a security blueprint will identify the areas that need the most improvement and where the strengths are.

Similarly, for a large organization with a number of subsidiaries, the security blueprint process can examine each business unit, along with the parent company, to determine the strengths of each. Rather than the parent company investing and bolstering each area to one level, it can borrow and implement programs from its subsidiaries. This allows executives to take what exists and leverage it across the board, rather than investing in designing a program.

Conclusion

A security blueprint gives an organization a good understanding of the breadth of information security capabilities that should exist within the organization. It also allows the executive team to visualize and measure an overall information security program.

By evaluating the seven key elements that address the strategic view, the operational view, and the technology view, executives, security practitioners and business stakeholders can evaluate overall capabilities and align their security program portfolio with the risk expectations of their business.

Samir Kapuria is managing director of Symantec Advisory Consulting Services

» posted by Amanda Jones

I like it!
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
Free books

Build your tech library with our book giveaways.

Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams

Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!

 

Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media

Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
More Resources