People: This core element is the most important. The people element comprises the people and the various roles and responsibilities within the organization. These are the people put in place to execute and support the process. A few key roles include senior management, security administrators, system and IT administrators, end users, and auditors.
Policy: This element comprises the security vision statement, the security policy and standards, and the control documentation. This is basically the written security environment, the "bible" that the security process refers to for direction and guidance.
Technology: This element includes the tools, methods, and mechanisms in place to support the process. These are the core technologies embraced by the organization: the operating systems, the databases, the applications, and the security tools. The technology is then the enforcement, monitoring, and operational tool that facilitates the process.
The concept is that each core element could be measured for effectiveness and coverage. Issues can also be measured against the model to determine what controls coverage exists for that issue. The objective then is to move issues into the intersecting areas of the elements, with the final objective of moving the issue into the middle area of greatest coverage. As risk issues are identified, each step to manage the risk will fall into one of the core elements of people, policy, or technology. If the issue is resolved with one of the elements, addressing one of the other elements can enhance this resolution. As the core elements are added to the controls environment and utilized in concert, the issue is then resolved on several fronts, and the controls coverage is greater.
Filtering software is deployed on the firewall. Now the controls environment is covered by all three elements.
Figure 3 demonstrates when an issue is covered only by two of the three elements. It also shows the consequence of a limited controls environment.
expresscomputeronline.com/…/M… 2/5
18/07/2009 Defining an enterprise-wide Secur…
The Internet connection is protected by the deployment of a firewall. Core elements coverage = 1.
The firewall administrator receives specialized training and develops the skill set necessary to administer the firewall. Core elements coverage = 2.
The firewall administrator leaves the organization. The controls now fall back on just one element, the technology.
How can the model be used to identify an alternative solution to Figure 3?
The firewall administrator receives specialized training and develops the skill set necessary to administer the firewall. Core elements coverage = 2.
Firewall operating standards are written and controls are documented. Core elements coverage = 3.
From these examples, it is easy to see how the PPT model can simplify the analysis of a risk issue. If the issue is broken down into the three core elements, action items can be determined for each core element. In this manner, control coverage can be moved from one element to two, and ultimately to coverage by all of the elements.
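To make the "core elements coverage" counting from the figures and the analysis above concrete, here is a small added model; it is example code written for this page, not code from the article, the authors, or the ESAS tool. It tags each control with its PPT element, counts coverage as the number of distinct elements that still have an active control, lists the uncovered elements as action items, and replays the firewall scenario. The Element, Control and RiskIssue names and the firewall_scenario helper are this example's own assumptions. It also goes one step beyond the article's sequence by showing that once firewall operating standards are documented, the administrator's departure drops coverage to two elements rather than back to one.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Element(Enum):
    """The three core elements of the PPT model."""
    PEOPLE = "people"
    POLICY = "policy"
    TECHNOLOGY = "technology"


@dataclass
class Control:
    """One control addressing a risk issue, tagged with the element it belongs to.

    'active' is False once the control has lapsed, e.g. the trained
    administrator has left or the tool has been decommissioned.
    """
    element: Element
    description: str
    active: bool = True


@dataclass
class RiskIssue:
    """A risk issue and the controls currently addressing it (hypothetical class)."""
    name: str
    controls: List[Control] = field(default_factory=list)

    def add(self, element: Element, description: str) -> Control:
        control = Control(element, description)
        self.controls.append(control)
        return control

    def covered_elements(self) -> Set[Element]:
        return {c.element for c in self.controls if c.active}

    def coverage(self) -> int:
        """Core elements coverage: how many of the three elements have an active control."""
        return len(self.covered_elements())

    def gaps(self) -> List[Element]:
        """Elements with no active control, in the model's fixed order."""
        covered = self.covered_elements()
        return [e for e in Element if e not in covered]

    def action_items(self) -> Dict[Element, str]:
        """One action item per uncovered element, moving the issue toward full coverage."""
        prompts = {
            Element.PEOPLE: "Assign and train a role responsible for this control",
            Element.POLICY: "Write the operating standard and document the control",
            Element.TECHNOLOGY: "Deploy a tool or mechanism that enforces the control",
        }
        return {e: prompts[e] for e in self.gaps()}


def firewall_scenario(document_standards: bool) -> List[int]:
    """Replay the article's firewall example and return coverage after each step.

    document_standards=False is Figure 3: the administrator leaves and coverage
    falls back to the technology element alone.
    document_standards=True is the alternative: the written standards (policy)
    survive the administrator's departure, so coverage stays at two.
    """
    issue = RiskIssue("Internet connection exposed to untrusted networks")
    history: List[int] = []

    issue.add(Element.TECHNOLOGY, "Firewall deployed on the Internet connection")
    history.append(issue.coverage())  # 1

    training = issue.add(Element.PEOPLE, "Firewall administrator receives specialized training")
    history.append(issue.coverage())  # 2

    if document_standards:
        issue.add(Element.POLICY, "Firewall operating standards written and controls documented")
        history.append(issue.coverage())  # 3

    training.active = False  # the firewall administrator leaves the organization
    history.append(issue.coverage())
    return history


if __name__ == "__main__":
    print("Figure 3 sequence:   ", firewall_scenario(False))
    print("Alternative sequence:", firewall_scenario(True))
    issue = RiskIssue("Internet connection exposed to untrusted networks")
    issue.add(Element.TECHNOLOGY, "Firewall deployed on the Internet connection")
    for element, item in issue.action_items().items():
        print(f"{element.value:<10} -> {item}")
```

The point the replay makes is the one the article draws from Figure 3: a control that lives only in one person's head is lost with that person, whereas a documented standard is a policy-element control that stays in place through staff turnover, and the gaps() list tells you which element to address next.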
The PPT model sounds like a very comfortable proposition, but during actual implementation CIOs tended to get lost in the framework. This is simplified by the ESAS tool.
Within the four "pillars" of the program, several phases are included.
The next facet of the Information Security Framework includes the design of the security environment, also called the Design Phase. This is the stage where
the organization documents its security policy and the control environment and deals with controls on the technology level. A key element in this process is not only the clear definition of security policy and technical control information, but also the "Security Model" of the enterprise. Information Classifications and Risk Assessment methods fall under this component. These processes allow the organization to manage risk appropriately and to identify the risks and values of information assets.
The final facet of the Information Security Framework is the Implementation phase. This begins by documenting the Administrative and End-User guidelines and procedures. These guidelines must be succinct and flexible enough for the changing environment. Enforcement, Monitoring, and Recovery processes are then layered on for the operational support of the security program. These processes are "where the rubber hits the road". All the benefits of the Security Program design and documentation are diminished if it is not put into effect on an operational, day-to-day basis.
Rahaju Pal and Dhawal Thakker are Technical Consultants, Operational and Systems Risk Management Group (OSRM), PricewaterhouseCoopers. They can be reached at dhawal.thakker@in.pwcglobal.com or rahaju.pal@in.pwcglobal.com.