Information Security Program Life Cycle

While the cores of various security standards and frameworks are similar, it is important to understand that a security program has a life cycle that is always continuing, because it should be constantly evaluated and improved upon. The life cycle of any process can be described in different ways. We will use the following steps:

  1. Plan and organize
  2. Implement
  3. Operate and maintain
  4. Monitor and evaluate

Without setting up a life-cycle approach to a security program and the security management that maintains the program, an organization is doomed to treat security as merely another project. Anything treated as a project has a start and stop date, and at the stop date everyone disperses to other projects. Many organizations have had good intentions in their security program kickoffs, but do not implement the proper structure to ensure that security management is an ongoing and continually improving process. The result is a lot of starts and stops over the years and repetitive work that costs more than it should, with diminishing results.

The main components of each phase are provided here.

Plan and Organize:

  • Establish management commitment.
  • Establish oversight steering committee.
  • Assess business drivers.
  • Develop a threat profile on the organization.
  • Carry out a risk assessment.
  • Develop security architectures at business, data, application, and infrastructure levels.
  • Identify solutions per architecture level.
  • Obtain management approval to move forward.

Implement:

  • Assign roles and responsibilities.
  • Develop and implement security policies, procedures, standards, baselines, and guidelines.
  • Identify sensitive data at rest and in transit.
  • Implement the following blueprints:
    • Asset identification and management
    • Risk management
    • Vulnerability management
    • Compliance
    • Identity management and access control
    • Change control
    • Software development life cycle
    • Business continuity planning
    • Awareness and training
    • Physical security
    • Incident response
  • Implement solutions (administrative, technical, physical) per blueprint.
  • Develop auditing and monitoring solutions per blueprint.
  • Establish goals, SLAs, and metrics per blueprint.

Operate and Maintain:

  • Follow procedures to ensure all baselines are met in each implemented blueprint.
  • Carry out internal and external audits.
  • Carry out tasks outlined per blueprint.
  • Manage SLAs per blueprint.

Monitor and Evaluate:

  • Review logs, audit results, collected metric values, and SLAs per blueprint.
  • Assess goal accomplishments per blueprint.
  • Carry out quarterly meetings with steering committees.
  • Develop improvement steps and integrate into the Plan and Organize phase.

All of the items mentioned in the previous list must be covered. This list was provided to show how all of these items can be rolled out in a sequential and controllable manner.

Although the standards and frameworks are very helpful, they are also very high level. For example, if a standard simply states that an organization must secure its data, a great amount of work will be called for. This is where the security professional really rolls up her sleeves, by developing security blueprints. Blueprints are important tools to identify, develop, and design security requirements for specific business needs. These blueprints must be customized to fulfill the organization’s security requirements, which are based on its regulatory obligations, business drivers, and legal obligations. For example, let’s say Company Y has a data protection policy, and its security team has developed standards and procedures pertaining to the data protection strategy the company should follow. The blueprint will then get more granular and lay out the processes and components necessary to meet requirements outlined in the policy, standards, and requirements. This would include at least a diagram of the company network that illustrates:

  • Where the sensitive data resides within the network
  • The network segments that the sensitive data traverses
  • The different security solutions in place (VPN, TLS, PGP) that protect the sensitive data
  • Third-party connections where sensitive data is shared
  • Security measures in place for third-party connections
  • And more…

The blueprints to be developed and followed depend upon the organization’s business needs. If Company Y uses identity management, there must be a blueprint outlining roles, registration management, authoritative source, identity repositories, single sign-on solutions, and so on. If Company Y does not use identity management, there is no need to build a blueprint for this.

So the blueprint will lay out the security solutions, processes, and components the organization uses to match its security and business needs. These blueprints must be applied to the different business units within the organization. For example, the identity management practiced in each of the different departments should follow the crafted blueprint. Following these blueprints throughout the organization allows for standardization, easier metric gathering, and governance.

To tie these pieces together, you can think of ISO/IEC 27000, which works mainly at the policy level, as a description of the type of house you want to build (ranch style, five bedrooms, three baths). The security enterprise framework is the architecture layout of the house (foundation, walls, ceilings). The blueprints are the detailed descriptions of specific components of the house (window types, security system, electrical system, plumbing). And the control objectives are the building specifications and codes that need to be met for safety (electrical grounding and wiring, construction material, insulation, and fire protection). A building inspector will use his checklists (building codes) to ensure that you are building your house safely. In the same way, an auditor will use his checklists (COBIT or NIST SP 800-53) to ensure that you are building and maintaining your security program securely.

Once your house is built and your family moves in, you set up schedules and processes for everyday life to happen in a predictable and efficient manner (dad picks up kids from school, mom cooks dinner, teenager does laundry, dad pays the bills, everyone does yard work). This is analogous to ITIL – process management and improvement. If the family is made up of anal overachievers with the goal of optimizing these daily activities to be as efficient as possible, they could integrate a Six Sigma approach where continual process improvement is a focus.