Feb. 14, 2011
It’s important to take a “holistic,” or systemic, approach to information security. To do so, we need to understand that each piece (resource) required by the program is key or vital in its own right—and that, when combined, these pieces enhance and strengthen each other. Additionally, a weakness in one area can create weaknesses in other areas.
Read the whole “Information Security Simplified” series
Part 1, Setting goals and objectives for your program
Part 2, Choosing a framework—or the best of several
Part 4, Putting your program in writing
Part 5, Moving from where you are to where you want to be
Part 6, Training some staffers, educating others
Part 7, Measuring your program
We are going to group the “things” you’ll need for your robust information security program into four categories:
organizational design and strategy,
people,
processes, and
technology.
Organizational Design & Strategy
In part 2 we discussed many of the items falling into organizational design and strategy—in particular, we considered how to create an information security strategy. For organizational design, we are not talking about the technical infrastructure (LAN/WAN, firewalls, routers, etc.) of your network. Instead, organizational design considers how well your credit union is organized to protect its information assets and respond to information security incidents. Are roles and responsibilities for information security clearly explained and understood by all employees? Do people know what is expected of them and who to contact in the event of a security incident? If the person they would normally contact is unavailable, do they know whom to contact instead?
People
People, both those employed inside the organization and those connected externally (members, vendors, regulators, consultants, etc.), are important players in how information security design, strategy, processes and technology are envisioned and realized in the credit union.
Internally, the credit union’s human resource policies and practices regarding hiring, employment and termination play a large role in how information security is implemented. For example, when hiring employees, does the credit union verify application information, conduct background checks, and explain information security expectations? Throughout the employee’s time at the credit union, is awareness training and education on information security provided? When employees leave the credit union, is access to information systems quickly removed? Outside the credit union, it is important to consider interactions and connections with members, vendors, regulators, contractors and others. Does the credit union promote information security awareness to its members? Are credit union information security policies and practices explained and acknowledged by third-party employees working at the credit union? Do contracts or agreements with vendors include information security items/clauses?
Processes
The credit union’s processes are how it gets things done.
According to ISACA’s The Business Model for Information Security:
“Processes are created to help organizations achieve their strategy. They are the structured activities that are created to achieve a particular outcome through individual or a series of consistently applied tasks. The process element of a CU’s information security program explains practices and procedures as people and the organization want them accomplished. Process is a fundamental element that symbolizes the requirements for an enterprise to develop, promulgate, educate and enforce security practices and procedures in an ongoing fashion.”
Not mentioned in the above definition is the idea that processes at your credit union may be formal or informal. In most cases, proper security considerations are included in formal processes. On the other hand, informal processes are often implemented to bypass security “hassles.” Looking at your processes, it is important to consider not just how you expect work to be done, but also how it actually is done.
Just as you regularly examine and evaluate your strategy and people, you need to examine your processes regularly. With your processes, you need to evaluate risks and controls when the processes are implemented and regularly throughout their lifecycle. In some cases, related risks may increase, and you need to strengthen the security controls in a process. In other cases, the risks may decrease, and security-related controls can be lessened. Also consider whether the process continues to support the credit union’s goals, objectives and strategies. And is the importance of following the process guidelines (and security controls) imparted to employees?
Technology
Technology resources include the hardware, software, and network infrastructure used at your credit union. As with other resources, the risks associated with technology are dynamic—and may change even more quickly. In many cases, technology is looked at or implemented as “the solution” to information security issues or weaknesses. While technology can strengthen your information security program and mitigate risks, implementing technology alone, without considering your other resources and their strengths and weaknesses, will not provide the “silver bullet” for your information security challenges. Any plan, policy, project or technology implemented as part of your information security program must integrate with your organizational design, strategy, personnel and processes.
All of your credit union’s resources working together determine how robust and effective your information security program will be. As you look at your design, strategy, people, processes and technology, consider how each of these complements the others, or helps shore up weaknesses in other areas. As you review new security plans or projects, look at how all areas factor into the project. Look at your existing security initiatives. Do you need to make changes in one area based on changes in another?
Jim Benlein, CISA, CISM, is owner of KGS Consulting, Silverdale, Wash.