Security

Information Security Risk Best Practices

07.08.2003
The challenge posed by security risks forces enterprises to answer a series of questions: Who is responsible? What has to be managed? Where should this area of responsibility be located, and how much may it cost? Gartner's analysts provide answers.

Information Security Risk Management Cornerstones

Enterprises must determine how their security controls and architecture align with relevant regulations, business risk and the security requirements of partners or customers. Most regulations do not offer detailed guidance on which security controls are necessary; they merely require "best practices" and require partners or providers to have appropriate security practices. Such clauses are typically too vague to be adequate on their own.

Key Issue: What are the best practices of a successful information security program?

To be effective, five cornerstones are needed for any information security risk management program:

Note: ISO 17799 is a comprehensive set of guidelines offering a code of practice for security management. The objectives of ISO 17799 are to provide a basis for organizational security standards and to enable the establishment of mutual trust among networked sites. Many information security service providers offer services associated with ISO 17799.

As many of the five cornerstone components as possible should be implemented to make the most effective use of the limited funding available for information security and business continuity.

Information Security Certifications

Certifications for information security professionals can be divided into three categories (see Figure 1):

The two most common certifications in the industry are CISSP from ISC2 and GIAC from The SANS Institute. Note: CISSP is Certified Information Systems Security Professional; ISC2 is the International Information Systems Security Certifications Consortium; GIAC is Global Information Assurance Certification; SANS is SysAdmin, Audit, Networking, Security.

The Information Systems Audit and Control Association has recently started its Certified Information Security Manager (CISM) certification. The "grandfather clause" means that many CISSPs will also be CISMs.

Gartner conducted a survey of information security professionals that compared CISSP and CISM. Respondents were asked questions such as:

Following are some of the more significant survey results:

Creating an Effective Security Awareness Program

Imperative: A set of information security policies is the key cornerstone of an effective IT risk management program. The information security policies are the basis for all other components of this program, and without them, the enterprise risks its financial viability.

An effective set of information security policies is the basis of risk assessments each enterprise should conduct. Policies must be communicated to all users of enterprise IT assets so that they understand their responsibility to protect the enterprise against information security breaches -- that is, they are as accountable for enterprise protection as the chief information security officer.

Users must be trained in the following areas (see Figure 2):

Measuring Information Security Expenditure Effectiveness

Strategic Planning Assumption: By 2005, 20 percent of the Global 2000 will have effectiveness assessment systems in place that will monitor the information security health of business transactions in real time (0.7 probability).

Many enterprises struggle with how much to spend on controls to mitigate the risk of an information security threat being exploited and how effective those controls are. Many are turning to metrics to help them evaluate the effectiveness of their information security program.

Gartner describes a variety of metrics, categorized using the information security total cost of ownership chart of accounts, that enterprises can implement to help them in this effort:

One can turn to numerous places for the raw data, including:

Action Item: Establish critical effectiveness metrics for each information security policy. Ensure audit logs are in place for all mission-critical applications and systems. Begin moving toward a centralized reporting facility for such log entries.

Information Security Metrics, Scorecards and Dashboards

Metrics, scorecards and "dashboards" are becoming a popular approach for informing all levels of management of the overall status of the information security program. The technical and operational groups, as well as the strategic, planning and management groups, should each have dashboards that give them their own view of the information security risk management program (see Figure 3).

Multiple technical dashboards might be used for specific activities. The technical dashboards will feed into a strategic and management dashboard that measures the effectiveness of the information security risk management program and is used for security breach investigation purposes.

The use of a "traffic light" report, which documents the status of each metric, is a good visual tool. The categories to be tracked must be based on the enterprise's information security policies. The rating for each category must assess the business unit's compliance level against people, processes and tools.

Metrics, scorecards and dashboards are a multiyear effort. The first year (or first six months) establishes a baseline for each business unit's level of compliance with the information security risk management program. Subsequent releases enable an enterprise to track improvements and setbacks. That enables senior management to focus on "risk hot spots."
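The following is an added example, not code from the Gartner report or the article: a small traffic-light scorecard of the kind described above, which rates each business unit per policy category against people, processes and tools, compares a later reporting period against the baseline so that improvements and setbacks become visible, and lists the red cells as "risk hot spots". It also illustrates the per-policy effectiveness metrics called for in the preceding section. The policy categories, business units, compliance scores and the thresholds (90 percent for green, 70 percent for amber) are all constructed assumptions of this example.

```python
# Added example: traffic-light security scorecard with baseline comparison.
# All data, category names and thresholds below are constructed for
# illustration and are not values from the Gartner report.

GREEN, AMBER, RED = "green", "amber", "red"
ORDER = {RED: 0, AMBER: 1, GREEN: 2}        # used to tell improvements from setbacks
DIMENSIONS = ("people", "processes", "tools")


def rate(score):
    """Map a compliance score in percent to a colour (thresholds are assumptions)."""
    if score >= 90:
        return GREEN
    if score >= 70:
        return AMBER
    return RED


def rate_category(scores):
    """A category is only as compliant as its weakest dimension, so the
    rating is taken from the lowest of the people/processes/tools scores."""
    return rate(min(scores[d] for d in DIMENSIONS))


def scorecard(period):
    """period: {unit: {category: {"people": %, "processes": %, "tools": %}}}
    Returns {unit: {category: colour}} for one reporting period."""
    return {unit: {cat: rate_category(s) for cat, s in cats.items()}
            for unit, cats in period.items()}


def hot_spots(card):
    """Red cells are the 'risk hot spots' senior management should focus on."""
    return sorted((unit, cat) for unit, cats in card.items()
                  for cat, colour in cats.items() if colour == RED)


def compare(baseline_card, current_card):
    """Per (unit, category): 'improved', 'setback', 'unchanged' or 'new'."""
    changes = {}
    for unit, cats in current_card.items():
        for cat, colour in cats.items():
            before = baseline_card.get(unit, {}).get(cat)
            if before is None:
                changes[(unit, cat)] = "new"
                continue
            delta = ORDER[colour] - ORDER[before]
            changes[(unit, cat)] = ("improved" if delta > 0
                                    else "setback" if delta < 0
                                    else "unchanged")
    return changes


# Constructed sample data: two business units, three policy categories,
# baseline period and the following reporting period.
BASELINE = {
    "Finance": {
        "access control":     {"people": 95, "processes": 92, "tools": 90},
        "incident reporting": {"people": 60, "processes": 75, "tools": 80},
        "patch management":   {"people": 85, "processes": 72, "tools": 65},
    },
    "Sales": {
        "access control":     {"people": 70, "processes": 88, "tools": 91},
        "incident reporting": {"people": 50, "processes": 55, "tools": 40},
        "patch management":   {"people": 90, "processes": 93, "tools": 95},
    },
}

CURRENT = {
    "Finance": {
        "access control":     {"people": 96, "processes": 93, "tools": 91},
        "incident reporting": {"people": 78, "processes": 80, "tools": 82},
        "patch management":   {"people": 80, "processes": 68, "tools": 70},
    },
    "Sales": {
        "access control":     {"people": 92, "processes": 90, "tools": 91},
        "incident reporting": {"people": 65, "processes": 72, "tools": 60},
        "patch management":   {"people": 91, "processes": 85, "tools": 95},
    },
}


def report(baseline=BASELINE, current=CURRENT):
    """Build the management view: current ratings, hot spots and changes."""
    base_card, cur_card = scorecard(baseline), scorecard(current)
    return {"current": cur_card,
            "hot_spots": hot_spots(cur_card),
            "changes": compare(base_card, cur_card)}


if __name__ == "__main__":
    r = report()
    for unit, cats in r["current"].items():
        print(unit, cats)
    print("hot spots:", r["hot_spots"])
    for (unit, cat), change in sorted(r["changes"].items()):
        print(f"{unit:8} {cat:20} {change}")
```

Taking the minimum across people, processes and tools is a deliberate design choice: a unit with excellent tooling but untrained staff is still exposed, and a weighted average would hide that. In practice the raw scores would come from audit logs, control tests and awareness-training records rather than from literals in the file.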

Action Item: Report semiannually to senior management on the information security risk management program.

Recommendations

This text is an excerpt from a chapter of the new report "Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture." The report is part of the new Gartner Executive Report series. For further information, please contact Gartner.