Whether your company’s product is pencils or data management, you just can’t survive without an IT department these days. More important, that IT department is about more than keeping the printers connected. IT security experts have a responsibility to manage risk and ensure security across the network and the best way to keep ahead of danger is to create a process to be followed. Learning how to create a security management process, how to maintain it and make adjustments in response to access needs and ever-changing threats can make the difference between keeping your employer’s business running smoothly and being called in to explain why your company is now being used as a bad example in IT security training classes.
What Is Security Management Process?
A security management process can be defined as the process used to maintain and achieve the appropriate level of confidentiality, integrity and availability. It includes the following management functions:
Determining the security objectives, policies and strategies,
Determining security requirements,
Identifying and analyzing threats,
Identifying and analyzing risks,
Specifying appropriate safeguard,
Monitoring of implementation and operations of safeguards,
Developing and implementing security awareness program,
Incident detecting and reporting.
Security Process Data (Management and Operational Control)
The CISSP domains provide complete knowledge and understanding of almost every aspect of IT security. This course will not only help the tester to pass but it also gives a level of understanding necessary to pursue a career in security. It will help in carrying out day-to-day operations and will provide comprehensive guidelines for a professional career, as well.
Security process data is a topic included in the “Security Assessment and Testing” domain of CISSP. Security assessment and testing is the sixth domain of CISSP CBK. This domain covers not only the techniques to assess the security and vulnerability, but also elaborates on tools for such testing. Penetration testing and vulnerability assessment processes also fall under this domain. Certification topics in this domain are as follows:
Assessment and test strategies
Security process data (management and operational controls)
Security control testing
Security architectures vulnerabilities.
In this article, we will focus on security process data (management and operational controls). Security process data collection is tremendously important for an organization to ascertain that their security processes and its’ implementation are working as intended. This module deals with the following concepts:
Key performance indicator (KPI)
Training and awareness
Disaster recovery and business continuity
Account management is the process of reviewing users’ rights and privileges regularly. This data collection also includes verification of the account provisioning process, along with the verification of accounts’ privileges. Accounts should be processed through a comprehensive verification mechanism, including authorized sign-off from management and other assurance techniques.
De-provisioning of accounts should also pass through a process appropriately, based on the organization’s requirements. De-provisioning should include access removal in the case of an employee leaving the company, account adjustments in the case of designations change, and reviewing whether the access given to individuals is actually needed or not.
As the name suggests, this deals with the periodic review of the security processes by management. Security metrics must be reviewed by the organization management on a day-by-day basis. A meeting should be conducted that includes valuable information for risk handling. While presenting the details, it should be considered that the right amount of details is presented at appropriate level. This is important because personnel at appropriate levels should have all necessary information to make a decision. Leadership and management should be involved in re-designing and maintaining the security policies of the organization because there could be situations in which the current policies become outdated and ineffective. After reviewing such situations, management can make appropriate changes to the policies.
Key Performance and Risk Indicators
Key performance indicators are important in the sense that they allow an organization to focus its efforts. KPI is normally used to assess the success of an implementation and measure whether they are aligned to overall organization objectives or not. They are the most significant components to translate your needs into the simple management language. This includes indicators such as
Defect remediation window
Percentage of centralized logs collected
Security awareness training
Training and Awareness
Training and awareness play very important roles in security process data collection. In this regard, the most important aspect is associated metrics that can be collected. Two types of metrics can be collected for training and awareness efforts:
Adoption and completion rates
Both of these are briefly discussed below.
Adoption and completion rates
The first data collection contains the adoption and completion rates of the training and awareness programs. The factors can be the percentage of people completed the training program, how many people have actually read and signed off on the policies, and the status of the reinforcement methods that are used. A reinforcement campaigns can be something like hanging posters, performing a phishing campaign, etc.
CISSP Instant Pricing – InfoSec
The second aspect of training and awareness data collection is program effectiveness. As the name indicates, this involves the effectiveness of the program. The metrics include the percentage of some phishing links clicked, how many compromised systems and hosts are identified in your environment, and the employees’ awareness testing results.
Disaster Recovery and Business Continuity
The main concept behind disaster recovery and business continuity is to provide opportunities for review to make procedures and practices more effective and efficient. The disaster recovery and business continuity plans should be updated regularly on daily basis. Meetings can be conducted in case of special events affecting current implementation of disaster recovery and business continuity plans, such as a change of suppliers or vendors, re-designing infrastructure, changes in leadership, etc.
Backup Verification Data
Backups are crucial for a company’s data but verification of the backup and assurance that the data will be recovered in case of disaster is more crucial. Backups need to be tested to make sure that they are complete and that the systems that you use to recover your data are working as intended. Testing of the recovery systems are as important as backups. The type of verification data that can be collected includes the time it takes for data recovery, the amount of data, and its retention. This information will then be provided to leadership and can be used to make sure that the backup procedures and the backups themselves are accurate and according to the company policies and needs.
In this module, we have seen the benefits of key performance indicators to measure the progress you have made in the security efforts. This module also gives a very clear concept of management review that can benefit the awareness of security and its need at the highest level of the organization. The information gained from the security training and awareness program is very useful for everyone who is executing the awareness training program. It also provides you with a very comprehensive idea about account management and disaster recovery and business continuity data collection. And it shows how you can benefit from this data. Lastly, this module covers the factors that are involved in the verification of data backups and shows how you can make sure that the backups are in good shape with an accurate restoration and recovery process.