It is time to start combining expertise and to change our way of thinking about how to implement information security. We need to start working on guidelines that help before the fact, instead of using standards and (new) laws and legislation as tick lists to show compliance. Start creating ‘Information Security Management Systems’ (ISMS) as part of our core (existing) processes and business functions, instead of perceiving an ISMS as a stand-alone, siloed add-on function that lacks context.
Combining the right expertise results in a future-proof organization that is more resilient against new information (and cyber) security threats. You achieve this by involving the right people to implement information security in the context of your organization. Information security becomes business as usual, and complying with standards and (new) laws and legislation is a positive by-product.
People Centric Information Security Management Framework
As mentioned in my earlier blogs, I want to position people and business needs as the primary subject for realizing information security. For this I developed a framework that helps organizations visualize the information security process. Such a visualization is a necessity to create an ‘Information Security Management System’ in the context of a specific organization. I call this the ‘People Centric Information Security Management Framework’ (PCISMF). The goal of this framework is to provide a structured approach to optimize the security process in relation to the other business processes, by involving the right people.
On a process level the framework looks like this:
This visualization of the PCISMF is, in fact, the information security process itself. By following this process, you place your business functions at the center of realizing information security in a step-by-step approach. The steps are:
1. Apply Information Governance
Apply information governance by assigning responsible persons to the framework’s systems, so that the right people are involved. This is done by mapping each system to its responsible persons. The framework consists of the following systems:
- organizational system (business owners),
- information system (functional owners), and
- technology system (operational owners).
By properly applying this framework, the functional and operational owners jointly create the (4) ‘technology system in context’ of the organization. I visualized this in the ‘High-level Information Governance Architecture’ (figure 2). This is what it looks like:
Explanation of figure 2
The following outlines the defined responsibilities for the systems:

| Owner (RACI role) | Responsibilities |
|---|---|
| Business Owners – Accountable | Define/set the organization’s framework, which consists of the goals and objectives and what is needed to achieve them (internal drivers) and the external factors they must consider (external drivers). Business Owners should be C-level. They are accountable for the ① Organization System and for the interactions needed to accomplish the goals and objectives defined within the internal drivers. They must be actively involved in setting and communicating their risk appetite, and make sure it is intertwined with the business functions. This creates the high-level business requirements for the ② Information System. |
| Functional Owners – Responsible | Translate the high-level business requirements, as defined by the Business Owners in the ① Organization System, into specific business functions (in their departments). They define which people are needed per business function and what information those people need to process. This helps them define/create the ② Information System: the total of all business functions of an organization, captured in information streams. Functional Owners should be Heads of Departments. They will often delegate their responsibility to people who work for them, which is sensible, as it involves the experts in specific fields. They nevertheless remain primarily responsible for the correct working of the business functions, and for making sure that everyone who reports directly or indirectly to them is aware of, and aligned on, how to perform their work securely. |
| Operational Owners – Responsible | Translate and implement the high-level requirements for the ③ Technology System, as defined by the Functional Owners, within the applied technologies. The result is the ④ Technology System in Context. Operational Owners should be the heads of the departments responsible for the technology environment or for information provisioning. |
| Functional Owners & Operational Owners – Responsible | The ④ Technology System in Context expresses the conditions under which technology must work for a specific organization. The technologies include (but are not restricted to) Information Technology (IT) and Operational Technology (OT). |
The next steps to realize the people centric Information Security Management System (ISMS) are:
2. Capture information streams and analyze impact
Ask Functional Owners to distil information streams from their business functions and analyze the business impact of each stream. What is the impact if a stream is unavailable (availability), incorrect (integrity) or falls into the wrong hands (confidentiality)? Classify the streams based on the outcome.
3. Determine impact probability and establish controls for compliance
Subject information streams (starting with the ones with the highest classification) to a risk assessment. The outcome of the risk assessment indicates the probability that the impact occurs. The higher the risk (= probability × impact), the better the business case to invest in controls that mitigate it.
The more information streams you subject to a risk assessment, the more insight you get on your risk posture.
This leads to mitigating risk on high-impact information streams and the objects (people, processes and technology) around them. This results in better protection and, consequently, improvement of the quality of the information streams, which means you improve the quality of your business functions and business processes. I want to emphasize that these insights extend beyond improving the security of your information streams: they also show how to improve the way the business functions produce them.
4. Instruct people and construct the technical environment
Make sure to instruct your people on how you want them to process the information captured in your information streams. These instructions must be in line with the outcomes of the previous steps. Also make sure to construct the (technical) resources in line with those outcomes: the resources themselves should not allow people to process information in any way other than intended, so that security does not rely on instruction alone.
The Functional Owners need to discuss this with the Operational Owners: what do the Functional Owners require, and can the Operational Owners construct the technology according to these requirements? When they cannot come to an agreement together, they should discuss the possibilities with the Business Owner, who has the authority to take the final decision.
By following steps 1 to 4 the organization captures its security requirements, which allows it to construct and create the information system in the context of the organization accordingly.
5. Monitor and test the use and construction of the technical environment
The first four steps create the context for use cases and impact scenarios. By applying security monitoring and performing penetration tests, it is possible to detect deviations/anomalies (incidents) from those use cases.
Penetration tests reveal ways to circumvent security measures. Use the findings to better develop, implement, configure and maintain the security of the tested technology. This helps to better understand deviations/anomalies (incidents) in the context of the organization, and therefore what deviations/anomalies to look for when monitoring the technical environment.
The security process is a continuous process with a feedback loop. You realize this by creating an overall overview: a central place where you aggregate and correlate events and merge them into interpretable information. This allows the people in the Security Operations Center (SOC) to analyze what they see in a ‘single pane of glass’ (the dashboard) and respond to the incidents they discover. They also know where to start and whom to involve, because the organization established that information in the previous steps.
7. Process Optimization
By using the knowledge aggregated in the ‘Information Security Management Center’ (ISMC), organizations have a powerful method to (re)evaluate their security posture. The ISMC is a center with a holistic view that can best steer the information security process. I will explain how to realize an ISMC and its content in a later blog. With the ISMC, organizations are better able to address causes rather than symptoms, enabling optimized protection of their business functions and increasing value.
I realize that I have set the bar high, claiming to have created a framework that explains how to implement information security in the context of an organization. I do stand by my claim. It isn’t an easy task to realize. If it were, there wouldn’t be so much ado around it. However, with the right mindset and the step-by-step approach, as described in the PCISMF, it is in fact possible. I use it every day, and it really helps me to get information security on track. It all starts with explaining how to come to the right conclusions. Explaining this takes time and needs to settle in.
This is why I decided to start this blog series to try and reach as many people as possible. Hopefully it will speed the explanation part up a bit.
Stay Tuned for Upcoming Blogs!
In my next blog I will dive deeper into the first three steps of the PCISMF. I will also elaborate on the responsibility of the Chief Information Security Officer (CISO) regarding the information security process, and on the responsibility of the rest of the organization.
In later blogs I will dive deeper into the remaining steps of the PCISMF. I will also put it into the perspective of the rest of the organization: which adjacent business functions, together with information security, create an Information Security Management Center (ISMC), a center with a holistic view that can best develop and steer the information security process.