Security Management Planning

To appropriately plan for security within an organization, managers must have a very good understanding of the mission of the organization and what critical information allows the accomplishment of the mission. This provides identifiable focal points for security architecture and a prioritized list of items to be protected. The senior management in the organization must endorse the entire planning process. Failure to obtain this endorsement will result in a plan that does not have the backing to be implemented or enforced.

Define the Mission and Determine Priorities

The management team that is responsible for defining the organizational security plan must understand the mission. For what purpose does the organization exist? What are our goals for conducting business? Once this is determined, the team can decide what information and data within the organization is critical to performing that mission. They need to find out which information types would be detrimental to the organization if their confidentiality or integrity were lost.

Once the information categories within the company that have the greatest impact on the organization have been defined, they need to be prioritized. Some information categories, although very important, may not have as great an impact on the organization if they are lost for a period of time. This process produces a precise listing of the information assets in the organization based on their overall importance in the completion of the organizational mission.

The last step in this process is determining the systems that store, process, or transmit these various information types. Each information type may reside on a different system, or there might be multiple information types on a single system. The result is the prioritized listing of information types together with the knowledge of where each one exists in the organization's systems. Having this information from the start of the process helps the team decide which systems are most important to protect.

Determine the Risks and Threats to Priority Areas

The information types have been defined and so have the various systems that house that information. Having that information will allow the security administrator to determine potential threats to the systems and the information in them. Is the system a company server that sits in a publicly available address space? Does it have services running that have known vulnerabilities?

What threats actually exist to these systems? An organization needs to decide which threats it believes are realistic for these systems. Are former employees considered a threat to systems they worked with while employed? Hackers on the Internet might also pose a threat. Could there be competing organizations willing to risk legal action to get into those systems? Are everyday workers a threat to the system because of the chance of inadvertent manipulation or corruption of the data?

Create a Security Plan to Address Threats

The members of the team need to draw up a security plan that adequately addresses the concerns for the information assets in the organization. There are multiple steps in developing this plan. The steps are:

  • Develop security policies

  • Perform security assessment

  • Propose security solutions

  • Identify costs, benefits, and feasibility of solutions

  • Finalize security plan based on priority of information assets

Exam Warning

The security plan is meant to provide a roadmap for the organization concerning security. It is also meant to be specific to each organization. During the exam, try not to get caught up in the specifics mentioned here. Because each organization develops a security plan based on its own requirements, the actual steps may vary slightly. What you need to understand are the basic goals of the security plan and how you might go about creating one from scratch.

Develop Security Policies

The security policy is the foundation for security at an organization. It will specify how the organization views security, define security classifications, set expectations on the use of organizational systems by users, and give guidance for secure configurations. Everything in the organization related to information security is compared to the security policy to ensure compliance and focus. Incident response and disaster recovery are also included to define reaction to compromise or severe system outages.

Perform Security Assessments

A security assessment is used to measure the actual posture of the organization against what the security policy says it should be and against local or federal regulations. Security administrators are not out to audit the organization and hold individuals responsible. They are there to find the areas that do not yet comply with the requirements for security. There will likely be many areas that do not conform to requirements at the beginning of the process. But security is an ongoing process, not a one-time fix.

Identify Security Solutions

The next step is to find suitable solutions for each finding from the security assessment. There are several levels of solutions that can be made for each finding. The team making the recommendations needs to understand that proposing the best solution as the only solution may mean the finding never gets addressed. Financial constraints and operational constraints can impact the solutions that can actually be implemented.

Identify Costs, Benefits, and Feasibility

The list of proposed security solutions can sometimes be very long, and deciding which ones to implement requires a cost-benefit analysis. All of the solutions recommended by the security team will likely provide benefit to the organization because they help address security concerns. The big question is the value of the asset being protected by the solution. If the solution costs more to implement and maintain than the asset's value to the organization, it probably is not the right choice.

Financial restrictions also play a large role in the implementation of recommended security solutions. In order for a solution to be feasible it must conform to cost constraints from a budgetary perspective and also work well within the organization. Some solutions make sense to implement in some organizations, while in others they do not fit the culture or the mission of the organization. These restrictions will help the team decide which of the proposed solutions are actually feasible.

Get Upper Management Buy-In

The final step is gaining the cooperation and understanding of the organization's upper management team. They must understand why security is important, what the risks to the organization are, what the threats are, what the vital assets are and how much they are worth to the organization, and how the security team wants to address these issues. Upper management approval is vital to the enforcement of the security policy as well. A security team with no management backing will find it difficult to get individuals and departments to conform. They might also find it difficult to get the financial backing for proposed solutions to the security concerns at the organization.

Getting upper management to buy in to the security process can be difficult. The Return on Investment (ROI) for security expenditures is usually an intangible variable that is hard to visualize. Security teams become responsible for demonstrating the value of security to management. Concepts such as executive liability are real concerns when it comes to security. Conformance to local or federal regulations is also a legitimate concern for an organization. There may also be methods for determining financial ROIs on the investment in security, but those numbers typically depend heavily on the value of resource time and revenue lost during down times.

Upper management is the key to a successful security program. They lead by example. They give the security team the ability to enforce security policies. Financial commitments for security will come easier from a management team that understands and agrees with the security plan. With management backing, the security process can succeed and progress.

SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135