Industry View

Information Security and the Importance of Context

Those entrusted with information security must raise their contextual awareness, say Ben Rothke and Benjamin Tomhave

By Ben Rothke & Benjamin Tomhave, BT Professional Services

Page 2

1. Know your risks. The foundation of any information security program must be a formal and comprehensive risk assessment, whether with the ISF's risk tools (e.g. IRAM or FIRM), RMI's FAIR, or any number of other methodologies. If you don't know your risks, you have no idea of your context and no idea of who your adversaries are. You end up doing a great deal of security work with little to show for it.

2. Determine protection levels. Once the risk assessment is complete, create a formal plan for how much security to deploy. This is a combination of business and technology requirements: you need to find the point at which the security deployed is proportionate to the risks identified. This determination can draw on any number of prioritization approaches, such as a business impact assessment (again, see ISF's IRAM) or a formal security maturity model such as SSE-CMM.

3. Create the information security program. This requires management support and a CISO with an effective team and a strong project manager. Many different frameworks can be used to build out the program; our preference is the ISO 27000 series of standards.

Follow those three steps and you will have created a world-class information security organization. But if you blindly buy the security appliance of the month and chase perceived threats, your security staff will be nothing more than screeners. It's all about context.

Ben Rothke CISSP, QSA (ben.rothke@bt-ps.com), author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education), and Benjamin Tomhave, MS, CISSP (benjamin.tomhave@bt-ps.com) are Senior Security Consultants with BT Professional Services.
