Hello! My name is Anton Udovichenko, I am the head of the audit department of Infosecurity. Based on my experience, I prepared instructions on how to develop an information security strategy in a company.
For many companies, developing an information security (IS) strategy seems a difficult task, both in terms of organizing the development process itself and in terms of subsequently putting the strategy into practice. Some companies claim that they can do without formal planning, without spending time and energy on drawing up plans, justifying this by rapid changes in the technology market that supposedly negate all such efforts. Such an approach may yield some success if the actions taken happen to be effective, but it not only fails to guarantee future success, it puts it in serious doubt. Formal planning significantly reduces the risk of making wrong decisions, serves as the basis for subsequent control, and improves preparedness for market changes.
The need for an information security strategy usually arises in companies that already feel confident enough in the market to make plans for the years ahead, but face the following challenges:
- lack of alignment between the company's strategic goals and the development of information security;
- insufficient protection of the company's key business processes;
- low return on investment in information security.
The information security development strategy should be viewed as a map that marks the landmarks and leads to the goal. It makes achieving the goal manageable by setting limits and priorities for the tactical decisions of those responsible for the development of the company and/or its individual areas. It should be noted that the IS strategy must not be static: as uncertainty decreases over time, the strategy should be reviewed and, if necessary, adjusted to set new priorities for tactical decisions.
Who is the IS strategy of interest to?
Some people mistakenly believe that an information security strategy is needed only by those responsible for information security. In fact, an information security strategy has many more users, each with their own interest. The main ones are:
Company management:
- understanding of the role of information security in implementing the company's overall concept;
- consistency with the development strategy of the company as a whole;
- understanding of the goals and volume of investments in information security;
- rational distribution of investments;
- tools to monitor the achievement of goals.
Information Technology Service:
- understanding of the role of information security in the development of the company's IT;
- understanding of the IS requirements for the target IT architecture.
Information Security Service:
- common principles for the development of information security;
- understanding of the company's information security architecture;
- a detailed action plan (project portfolio);
- a clear understanding of the required resources;
- compliance with legislation and industry standards in the area of information security;
- tools to control the achievement of information security objectives.
The procedure for developing an information security strategy
Before considering the main steps of developing a strategy, it is necessary to define the quality criterion for an information security strategy. To develop one, full answers must be obtained to three questions:
- What are the strategic goals of information security development, and how do these goals correlate with the company's strategic goals?
- What is the company's future information security profile?
- What actions need to be taken to achieve the strategic goals of information security development?
Stage 1. Preparation. First, the parameters and procedure of project management are defined.
Key tasks to be solved:
- creating a project team and setting goals;
- agreement on the structure of the data to be collected and adaptation of templates;
- agreement on the project boundaries and on the structure and content of reporting documents;
- agreement on the project management process;
- definition of the procedure for resolving issues;
- preparation and agreement of the work plan.
At this stage, in essence, you need to lay the key factors for success and the achievement of the desired results, namely:
- Management involvement in the project: the development and implementation of an information security strategy must, first of all, be supported by the company's management, which is responsible for tracking the work, allocating the necessary resources, and subsequently approving the developed strategy.
- Formation of the project team: it should include the most competent staff and remain unchanged throughout the project. The project involves the following roles:
- project curator on the Contractor's side;
- project curator on the Customer's side;
- Steering Committee;
- project manager on the Contractor's side;
- head of the working group on the Customer's side;
- the Contractor's project team;
- functional specialists from the Customer.
- A clear formulation of the project's goals, requirements, constraints and success criteria, which keeps the work strictly on course and meets the Customer's expectations.
- Developing a project management procedure: communication and decision-making processes tie together all managerial functions, which is what makes the management process coherent and efficient. The procedure should define the distribution of powers and responsibilities, the order of interaction between participants, the procedure for approving intermediate and final results, and the procedures for managing issues and making changes to the project.
The results of this stage should be:
- the project charter, the work schedule and the schedule of required interviews;
- the structure of the reporting documents and templates for the data to be collected and for the reporting documents.
Stage 2. Analysis of the current state of information security. The goal of this stage is to collect and analyze, from an information security standpoint, the procedures and methods used to process information, as well as the current state of information security.
Key questions to be answered:
- What is the role of IS in the company?
- What requirements form the basis of the company's information security?
- What is the current state of the IS processes?
- What information protection tools are used, and what are their pros and cons?
- What are the business requirements for information security?
Establishing the role of information security in a company sets the overall context for developing a strategy and is carried out at all levels: management, department heads, employees.
Information is collected in the following areas:
- the level of information security culture in the company;
- the priority of IS relative to business processes;
- the impact of IS on the company's business processes;
- management's awareness of the need to ensure information security;
- the degree of involvement and awareness of information security staff.
The next step is to identify the requirements that the company must follow or has voluntarily decided to adopt. Requirements are, in fact, the basis on which information security operates; they include legislation, industry standards, national and international information security standards, group policies, etc.
The step of surveying and analyzing information security processes is key and largely determines the outcome of the entire project. Its difficulty lies in the need to obtain reliable and objective information sufficient to form the future IS profile, usually within a very limited time. Three conceptual approaches can be distinguished: basic, detailed, and combined (expert).
Basic approach
This approach assesses the state of IS against a certain baseline level of security. The baseline is a typical set of protective measures, usually characteristic of companies operating in the same sector, applied to all or to individual information systems. Such a typical set is formed from the need of companies to apply certain standard measures, for example to comply with legal requirements and to protect against the most common threats.
The basic approach requires the minimum amount of resources for the analysis; it can even be implemented as checklists with questions about whether particular measures are in place and how they are implemented. Its significant disadvantage is the inaccuracy and limited scope of the information collected, since the baseline does not always match the criticality of the information being processed or the specifics of the company's information systems and business processes. Individual systems may differ in sensitivity and in the volume and value of the information they hold, so applying one general set of protective measures to all of them would be logically incorrect.
Detailed approach
The detailed approach involves a comprehensive survey of information processing and information security in the company. It includes identification and valuation of information assets, assessment of the risks of information security breaches, assessment of the maturity of information security processes, analysis of incident statistics, and analysis of public reports and regulators' reports.
The results of the detailed analysis allow a well-reasoned choice of protective measures when forming the future IS profile, but implementing this approach requires a significant amount of money, time and skilled labor. In addition, since the survey may take considerable time, there is some risk that its results become obsolete before it is finished.
Combined (expert) approach
Each of the approaches described above has significant limitations and does not always allow collecting, in a reasonable time, enough information to soundly develop an information security strategy and build a portfolio of projects. Therefore, in practice, combinations of these approaches are used, drawing on both formal analysis methods and the practical experience of specialists. As a rule, this approach starts with a preliminary high-level assessment of the risks of information security breaches, taking into account the criticality of (confidential) information, information flows, and the importance of information systems. Then, for high-risk information systems, a detailed analysis is carried out, while for the others the basic approach may suffice. In addition, the key IS processes are analyzed and described in detail, and the information protection tools and methods in use are assessed together with their advantages and disadvantages.
This approach makes it possible, with a minimum of time and effort spent on establishing the current state, to obtain the data needed to form the future IS profile. It is worth noting that the objectivity and quality of the survey results under this approach depend on the quality of the survey methodology and on the experience of the specialists applying it.
It should also be said that the choice of survey methods and the degree of employee involvement depend on the approach chosen and the survey methodology. For example, the basic approach may be limited to analyzing internal documents and questionnaires, with a limited number of interviews of key employees, while the other two approaches involve more employees and a wider set of tools:
- analysis of internal documents;
- questionnaires;
- interviewing;
- visual inspection;
- surveys using specialized technical tools.
Upon completion of this stage, regardless of the chosen approach, one can expect:
- expert opinion on the level of the company's information security;
- integral assessment of the current state of information security;
- description of business requirements for information security;
- report and presentation on the results of the stage.
Stage 3. Development of the target IS profile. The key tasks at this stage are:
- ensuring the link between the company's strategic objectives and the development of information security;
- formulating the basic principles of the information security strategy;
- defining the company's future information security profile.
One of the main obstacles in developing an information security strategy, in terms of managing top management's expectations, is the lack of clear initial conditions, namely a company development strategy that describes all aspects clearly and in understandable terms. In practice, as a rule, either there is no company development strategy at all, or it is not formalized and, at best, exists only in spoken form.
The absence of a company development strategy is addressed by the joint efforts of business, IT and information security representatives, who develop a common vision of the information security tasks, taking into account the following factors:
- what initiatives are planned for the company, including organizational changes, market and technology development;
- what changes are planned in the business and IT processes;
- which important decisions depend on the reliability, integrity or availability of information, or on its timely receipt;
- what types of confidential information require protection;
- what consequences may occur for the company after the occurrence of an information security incident;
- what changes in the external environment can be expected, including the actions of competitors, changes in legislation, etc.
Answers to these questions help formulate the company's information security goals. It should be borne in mind that for each initiative or proposed action, the possible or desired results, the risks of carrying it out, and the risks of not carrying it out should all be evaluated.
The basic principles of an information security strategy define, in effect, a set of global rules to be followed when building the strategy and when choosing and implementing solutions. Principles are formulated according to strategic objectives, company processes, investment capacity, etc., so as a rule they are specific to each company. Some universal principles can nevertheless be highlighted:
- consistency (integrity) of IS: the software and hardware solutions used, as well as organizational measures, should be mutually consistent and together provide the specified level of security;
- standardization and unification: the diversity of technologies used should be kept to a minimum in order to reduce the cost of maintaining expertise and solutions, of coordinating and integrating them, and of licensing and maintenance;
- ease of use: the methods and means of ensuring information security should not increase the number of erroneous actions by personnel; this principle does not imply a simplistic architecture or reduced functionality;
- least privilege: grant each user the smallest set of rights that still allows them to perform their job without disruption;
- economic efficiency: the solutions applied should aim to reduce total cost of ownership, increase return on investment, and improve other indicators used to assess the economic efficiency of investments.
Forming the future IS profile means solving several partially contradictory tasks:
- fulfill the information security requirements (laws, regulators, vendors, partners, etc.);
- reduce the risks of information security breaches to a minimum;
- ensure alignment with business objectives, taking into account the anticipated changes in business and IT processes;
- ensure that information security remains attractive as an investment.
There are many standards, both international (ISO, COBIT, NIST, etc.) and Russian (STO BR, GOST, etc.), that can be drawn on when forming the future IS profile. It is important to remember, however, that no single standard is fully applicable to every company. Therefore, you should not build a strategy by relying solely on one standard or by copying it wholesale. All components of the information security process should ultimately fit organically into the logic of business development: on the one hand, they should not hold development back too much; on the other, they should keep risks within the specified limits.
An important issue that also needs to be addressed as part of the IS strategy is the number and qualifications of the personnel needed to perform the basic functions. At a minimum, a simple competency model should be developed which, in addition to job duties, defines the organizational and industry knowledge and skills required of the staff. When developing an information security strategy, it is better to propose only those solutions that will later require competencies the company already has, or at least ones that can be acquired with minimal effort.
Another issue worth attention is outsourcing. It can be a good tool for accelerating the implementation of many information security functions and for providing their operational support.
Stage 4.
Conclusion