
Information security strategy: have you decided how to move forward?

Hello! My name is Anton Udovichenko, I am the head of the audit department of Infosecurity. Based on my experience, I prepared instructions on how to develop an information security strategy in a company.





Developing an information security (IS) strategy seems a difficult task to many companies, both in terms of organizing the development process itself and in terms of the subsequent practical implementation of the strategy. Some companies claim that they can do without formal planning and need not waste time and energy on drawing up plans, justifying this with rapid changes in the technology market that negate all their efforts. Such an approach, combined with effective action, can lead to some success, but it not only fails to guarantee success in the future, it also puts that success in serious doubt. Formal planning significantly reduces the risk of making wrong decisions, serves as the basis for subsequent control, and improves preparedness for market changes.



The need for an information security strategy, as a rule, arises in companies that already feel confident enough in the market to make plans for the years ahead, but are faced with the following challenges:




The information security development strategy should be viewed as a map that defines landmarks and guides the way to the goal. It makes goal achievement manageable by setting limits and priorities for the tactical decisions of those responsible for the development of the company and/or its individual areas. It should be noted that the IS strategy must not be static: as the uncertainty factor decreases over time, the strategy should be revised and, if necessary, adjusted to set new priorities for tactical decision-making.



For whom is the IS strategy of interest?



Some people mistakenly believe that the information security strategy is needed only by those responsible for providing information security. In fact, there are far more users of an information security strategy, and each has its own interest; the main ones are:



Company management:





Information Technology Service:





Information Security Service:





The procedure for developing an information security strategy



Before considering the main steps of developing a strategy, it is necessary to define the quality criterion for an information security strategy: in order to develop it, full answers must be obtained to three questions:





Stage 1. Preparation. To begin with, we define the parameters and the order of project management.



Key tasks to be solved:





At this stage, in essence, you need to lay the groundwork for success and for achieving the desired results, namely:



  1. The involvement of management in the project: the development and implementation of an information security strategy should, first of all, be supported by the company's management, which should be responsible for tracking the work, allocating the necessary resources, and subsequently approving the developed strategy.

  2. Formation of the project team: its composition should include the most competent staff and remain unchanged throughout the project. The project includes the following organizational roles:

    • project curator on the Contractor's side;

    • project curator on the Customer's side;

    • Steering Committee;

    • project manager on the Contractor's side;

    • head of the working group on the Customer's side;

    • the Contractor's project team;

    • functional specialists from the Customer.



  3. A clear formulation of goals, requirements, restrictions, and criteria for the success of the project, which keeps the project strictly on course and meets the Customer's expectations.

  4. Developing a project management procedure: communication and decision-making processes ensure the interconnection and interdependence of all managerial functions, thus achieving the integrity and efficiency of the management process. The procedure should provide for the distribution of powers and responsibilities, the order of interaction between participants, the procedure for agreeing on intermediate and final results, and the procedure for managing problems and making changes to the project.



The result of this stage should be:





Stage 2. Analysis of the current state of information security. The goal of this stage is to collect and analyze the procedures and methods for processing information from an information security point of view, along with the current state of information security provision.



Key questions to be answered:





Establishing the role of information security in a company sets the overall context for developing a strategy and is carried out at all levels: management, department heads, employees.



Information is collected in the following areas:





The next step is to identify the requirements that the company must follow or has voluntarily decided to focus on. Requirements are, in fact, the basis on which information security operates; they include legislation, industry standards, national and international information security standards, group policy, etc.



The step of examining and analyzing information security processes is key, and largely determines the outcome of the entire project. Its difficulty lies in the need to obtain reliable and objective information sufficient to form the future IS profile, usually within a very limited time. Three conceptual approaches can be distinguished: basic, detailed, and combined (expert).



Basic approach



The approach involves analyzing the state of IS for compliance with a certain basic level of security. The base level is a typical set of protective measures, usually characteristic of companies operating in the same area, for protecting all or individual information systems. A typical set of protective measures is formed from companies' needs to apply some standard measures, for example, to comply with legal requirements, as well as to protect against the most common threats.



The basic approach allows the analysis to be carried out with a minimum of resources; it can even be implemented in the form of checklists with questions about the presence of certain measures and the parameters of their implementation. A significant disadvantage of this approach lies in the inaccuracy and limitations of the information collected, since the base level does not always correspond to the criticality of the information being processed or to the specifics of the company's information systems and business processes. Individual systems of the company may differ in their degree of sensitivity and in the volume and value of information they hold, so applying general protective measures to all of them would be logically incorrect.



Detailed approach



A detailed approach involves a comprehensive survey of the company's information processing and information security. Such an approach includes identification and assessment of information assets, assessment of the risks of information security breaches, assessment of the maturity of information security processes, analysis of incident statistics, analysis of public reviews, and analysis of regulators' reports.



The results of the detailed analysis allow for a well-reasoned choice of protective measures when forming the future IS profile, but implementing this approach requires a significant amount of funds, time and skilled labor. In addition, there is some risk that the results become obsolete during the survey, since this approach may take considerable time.



Combined (expert) approach



Each of the approaches described above has significant limitations and does not always allow sufficient information to be collected in a reasonable time to develop an information security strategy and build a portfolio of projects on a sound basis. Therefore, in practice, various combinations of these approaches are used, including both formal methods of analysis and the practical experience of specialists. As a rule, this approach starts with a preliminary analysis for a high-level assessment of the risks of information security breaches, taking into account the criticality of (confidential) information, information flows, and the importance of information systems. Then, for high-risk information systems, a detailed analysis is carried out; for the others, a basic approach may suffice. In addition, a detailed analysis and description of key IS processes is carried out, together with an assessment of the means and methods used to protect information and their advantages and disadvantages.



This approach allows the data needed to form a future IS profile to be obtained with a minimum of time and effort spent on identifying the current state. It is worth noting that the objectivity and quality of the survey results in this approach are determined by the quality of the survey methodology and the specialists' experience in applying it.



In addition, the choice of survey methods and the degree of employee involvement are determined by the approach used and the survey methodology. For example, a basic approach may be limited to analyzing internal documents and questionnaires with a certain number of interviews of key employees, while the other two approaches involve more employees and a wider set of tools:





Upon completion of this stage, regardless of the chosen approach, we can expect:





Stage 3. Development of the target IS profile. At this stage, the following key tasks are addressed:





One of the main obstacles in developing an information security strategy, in terms of managing top management's expectations, is the lack of clear initial conditions, namely a company development strategy with a clear description of all aspects in understandable terms. In practice, as a rule, either the company's development strategy is absent as such, or it is not formalized and, at best, can be stated in words.



The problem of the lack of a company's development strategy is solved by the joint efforts of business, IT and information security representatives in developing a common vision of information security tasks, taking into account the following factors:





Answers to these questions can help formulate the goals of providing information security in the company. In turn, it should be borne in mind that for each initiative or proposed action, possible or desired results, the risks of their implementation, as well as the risks in case of failure to implement should be evaluated.



The basic principles of an information security strategy, in fact, determine a set of global rules that should be followed when building it, as well as when choosing and implementing solutions. Principles are formulated depending on strategic objectives, company processes, investment opportunities, etc., therefore, as a rule, they are individual for a company. Let us highlight some universal principles:





Forming a future IS profile is a solution to several partially contradictory tasks:





There are many standards, both international (ISO, COBIT, NIST, etc.) and Russian (STO BR, GOST, etc.), that can be adopted when forming the future IS profile. However, it is important to remember that no single standard can be fully applicable to all companies. Therefore, you should not develop a strategy relying solely on any one standard, or copy it verbatim. All components of the process of ensuring information security should ultimately fit organically into the logic of business development: on the one hand, they should not restrain development too much; on the other hand, they should keep the risks within specified limits.



An important issue that also needs to be addressed as part of the IS strategy is the number and qualifications of the personnel required to perform the basic functions. At a minimum, a simple competency model should be developed which, in addition to official duties, defines the organizational and industry knowledge and skills the personnel need. When developing an information security strategy, it is better to propose only those solutions that will subsequently require competencies the company already has, or at least ones that can be obtained with a minimum of effort.



Another issue worth paying attention to is outsourcing. It can be a good tool to accelerate the implementation of many information security functions, as well as to provide their operational support.




Source: https://habr.com/ru/post/441920/


