People Centric Information Security – Part VI

In my last blog, I explained the first three steps of the information security process:

In this part, I will explain how to translate these to the actual operations of an organization and how these steps help optimize business processes; the next four steps of the information security process.

The answers to the questions in my previous blog will also result in input for the next steps in the process:

The Instruction of People

It is necessary to take the input from the first three steps and use them to explain to the people how they are expected to process information. To realize this the following aspects become important to manage:

1. Work instructions – describing how the organization expects its people to process information to best realize the progress of business processes.
2. Awareness campaigns – training people to become more resilient against unsafe situations by teaching them how to recognize these situations and how to respond to them. Tailoring awareness campaigns to target audiences achieves the best possible results.
3. User Groups – for optimal adoption, it is important to establish work methods together with the people who actually do the work.

This is step you also need to address the balance between workability and security. When skipped, you can implement as many security measures you want, without any of them offering any security at all. We must keep in mind that people are the primary subject through which we achieve information security. Get them on par. Understand how they act. Try to positively influence their behavior by training them on recognizing unsafe situations. Involve them in establishing the best way to do their job (in a secure manner). People should want to do their job in the way that is safe for the organization. Imposing new (security) procedures on them will lead to work arounds, shadow-IT, and an overall false sense of security.

The Construction of the Technical Environment

Now it is necessary to take the input of all previous steps and translate them to construct the technical environment. This is where cyber security starts. I want to emphasize on this, because in my experience this is where many organizations think information security starts. And that, simply put, must change. Information security doesn’t start with technology, it starts by applying information governance. We need to ‘shift left’!

The technical environment (Information Technology (IT), Operational Technology (OT), Internet of Things (IoT), et cetera), has to process information according to the requirements of information owners. It should not be possible to differently process information via technology, other than required by the owners of the information.

So, the construction of the technical environments must align with the outcomes of the first three steps of the information security process. And it must align with how the organization instructs its people to act. With construction I mean the following aspects regarding (new and existing) technology:

1. Development – apply Software Development Lifecycle (SDLC) / DevSecOps to integrate security requirements.
2. Implementation – make sure security requirements are part of the implementation plan/project.
3. Configuration – make sure (adjustments to) configuration stays in line with security requirements.
4. Maintenance – make sure maintenance doesn’t negatively affect security requirements.
5. Related technical controls – have controls in place to technically adhere to security requirements.
6. Additional technical security measures – make sure to safeguard confidentiality, integrity and availability by adding specific technical security measures, in line with security requirements.

Monitor and Test

It is important to check the correct use and construct of the technical environment. Al previous steps create ‘Use Cases’ and ‘Impact Scenarios’; input for the organization to monitor and test the technical environment. Monitoring and testing are part of cyber security.

Of course, you can also read quality monitoring and quality testing here, with information security as a cornerstone for of quality. But I’m drifting of subject and must keep my eye on the ball here.

Dashboard – Responding to anomalies/deviations

The outcome of the monitoring and testing activities need to be reported and validated, preferably in a dashboard that provides a ‘single pane of glass’[1] insight on the organization’s security posture.

The validations are:

√ The anomaly/deviation is known and acceptable. It may proceed.

X The anomaly/deviation is known and unacceptable. It must stop.

? The anomaly/deviation is unknown. It needs further research to understand if it may proceed or not.

Process optimization

The information security process is a continuous process. Having information governance in place, allows the responsible people to steer on the detected anomalies/deviations. Based on their ‘risk appetite’ responsible people can also decide to (temporary) accept a deviation.

I distinguish three types of responsible people:

• Business owners – Accountable for setting the organizations’ goals and objectives and under what conditions achievement is acceptable.
• Functional owners – Responsible to let the people they manage process information in line with set conditions, to achieve the organizations’ goals and objectives.
• Operational owners – Responsible to let the resources they manage work in line with set conditions, letting the people that use these resources achieve the organizations’ goals and objectives.

The owners need to work together to optimize processes. I will elaborate on this in future blogs.

In its optima forma the information security process will realize optimization of business processes (high quality).

Concluding

Information owners create input for information security. Cyber security is always part of information security. The first steps in the information security process define security requirements. These requirements are necessary to:

• instruct people how to safely process information in relation to their job.
• construct, monitor, and test the technical environment that supports people to process information.
• manage deviations/anomalies.

The better the instruction of people and the better the construction of the technical environment, the better organizations realize process optimization and achieve goals and objectives.

Upcoming Blogs!

In my next blog I will zoom in on the Information Security Management Center (ISMC). A center that has all knowledge, skills, and expertise available to create and manage the information security process.

In later blogs I will zoom in on how to perceive information security within an organization and where the ISMC resides in relation to information security. In later blogs I will deep dive into the individual steps of the information security process and explain how I’ve used them in practice. I use this as my ‘information security management framework’; a framework that implements the information security process in such a way that it aligns with the context each specific organization.

Footnote

[1] A unified single view of all deviations/anomalies combined, making it possible for analysts to draw conclusions from them.