Management Commitment to Security
How Important Is Security Management?
Organisational leaders, including board directors, business executives, chief information officers, and managers of corporate audit, security, legal, line-of-business, privacy, and supply chain, all must play a role in making and reinforcing the business case for effective security. Trust, reputation, brand, stakeholder value, and customer retention are at stake if security management is performed poorly. Attentive organisations are much more competent in using security to mitigate risk if their leaders treat it as essential to the business and are aware and knowledgeable about security issues.
It is difficult, if not impossible, to sustain security improvement and move it into everyday organisational culture and practice without senior management commitment and ongoing reinforcement.
What Is The Purpose Of A Security Policy?
Clear, concise policies serve to enact the intent of the organisation and help fulfil organisational objectives. A policy typically outlines specific requirements and rules that must be met, including appropriate behaviour and consequences for unacceptable behaviour.
A Security Policy Specifies:
Security Policy Categories
- Acceptable Use (for users, system administrators, security personnel, and outside parties)
- Remote Access
- Information Protection
- Perimeter Protection
- Host Security And Application Security
- Configuration Management
- Change Management (patch management)
- Virus Protection
- Identity Management (provisioning, use of passwords, other means of authentication)
- Requirements For All Devices With Network Access
Areas of Security
You need to identify the organisation’s most critical assets and where those assets are most at risk in order to help select and prioritise security practices to implement during deployment and operations.
It is important to note that risk assessments must be performed on a periodic basis (such as annually), as the risk and threat landscape is constantly changing. A high-priority risk today (and the security controls necessary to mitigate it) may be overtaken by an even higher priority risk tomorrow.
As with any project, a strategy and plan are necessary to successfully deploy and operate systems and software to meet security requirements and sustain a desired security posture. Security strategies and plans can be integrated into organisational strategic and operational plans or they can be written as stand-alone documents.
Security plans describe and specify the following topics:
- Program/project management
- Standard operating procedures and processes
- Security budget
- Security tasks
- Security roles and responsibilities
- Security staff competencies
- Definition of what constitutes acceptable performance
A popular expression is “what gets measured, gets done.” Some form of security measurement is necessary to determine whether deployed security practices are meeting security requirements and how well they are doing so. Metrics, in part, serve to enact policies, plans, and strategies and to indicate progress (or lack of it) toward mitigating security risks.
Having well-defined measures in place and regularly reported serves to direct the organisation’s attention based on the results. Visible measures positively influence human behaviour by invoking the desire to succeed and compare favourably with one’s peers.
The extent to which each of the prerequisites described above is in place depends on the organisation’s view of security’s role in meeting business objectives, including the need to mitigate security risks to critical business assets (information, processes, services, applications, and infrastructure).