SCRAM

Opinion
May 23, 2007 | 4 mins
Careers, Data and Information Security, Identity Management Solutions

From an information security perspective as well as that of an IT perspective, there are a bevy of definitions in the industry today that have multiple meanings and seem to ebb and flow with the tides. Couple this with the varied organizational structures, reporting requirements, siloed teams, charters, processes, procedures and overall roles and responsibilities within the company and I start to get a bit confused. Let’s take a look at what we have to deal with:

One of the requirements I have is to deliver reports to Security Risk Management Reviews after performing a Security Risk Assessment (part of the Security Risk Management effort from the office of the Chief Information Security Officer who reports to the Chief Risk Officer who reports to the Chief Financial Officer who reports to the Chief Executive Officer) to discuss Security Risk Categories derived from the Security Risk Traceability Matrix as directed by the Security Risk Program Manager. The Security Response Team from the Security Response Center is also asked to be in attendance as is the Security Service Provider (not sure if it is really Managed or not) to discuss Security Protocols and progress on training staff on Security Services Markup Language as part of the Security in the Systems Development Lifecycle effort. 

As part of this report, we also present information on Threat and Vulnerability Management taken from the Vulnerability Assessment Team, who provides the Vulnerability Assessment Report as part of their Vulnerability Assessment Review. They report into the Vulnerability Assessment Management and Compliance Group, who are housed in the Surveillance and Warning Center co-located with the Computer Incident Response Team. The Computer Incident Response Team is activated depending upon certain Incident Triggers fed by our Threat Simulation and Scenario Model dictated to us from the Threat Expert Analysis System overseen by the Threat Situational Awareness Team who ensures that Threat Knowledge Counter Measures are deployed (based upon Threat-Vulnerability Pairs and associated Controls relative to the Safeguards and Protection Strategies available – sometimes known in our environment as the Threat Evaluation Countermeasures Agent), that then feeds back into the Threat Resolution Model that can modify overall Threat Levels going forward and impact the Threat Index.

Problem Management activities are then executed, with Root Cause Analysis a part of the overall activities viewing the Configuration Management Database as part of the overall Configuration Management Program managed by the Program Management Office, who has no relation to the Threat Situational Awareness Team, the Threat Coordination Group (herein as yet unnamed), the Security Response Team, the Security Risk Program Manager or the Surveillance and Warning Center, although some members sit on several of the teams if approved to do so by the Committee on Definitions or their subsequent sub-committees.

Once the data is derived from the Root Cause Analysis and the Threat Resolution Model, Change Management procedures are automatically put in place that feed our Release Management cycle. Should any of the above activities misfire in any shape or form, we may have Capacity and Availability Management issues that cause Service Level Management problems and we may have to trigger our Disaster Recovery Teams based upon the Business Impact Assessment depending upon the Recovery Time Objective and the acceptable Recovery Point Objective depending upon the funding received and eventually a need to activate the Business Continuity Plan depending upon the Impact Scenarios as derived from the Threat Expert Analysis System overseen by the Threat Situational Awareness Team who ensures that Threat Knowledge Counter Measures are deployed (based upon Threat-Vulnerability Pairs and associated Controls relative to the Safeguards and Protection Strategies available – sometimes known in our environment as the Threat Evaluation Countermeasures Agent), that then feeds back into the Threat Resolution Model that can modify overall Threat Levels going forward and impact the Threat Index, but I believe I already covered that.

Ultimately, the overall Command, Control, and Communication process flow is activated through the Command and Control Information System ensuring Intelligence Interoperability that may have an impact on our Financial Management efforts that will definitely impact next year’s Funding Model, which is already diminishing, currently at 75% of 1% of the overall Information Technology Budget managed by the Chief Information Officer.

The Security, Compliance, Recoverability, Availability Management team is held responsible for the whole effort but has nary a stitch of authority to modify inappropriate behaviors or outcomes. Overall it is just plain Business Risk. I could go on but funding for this blog was cut.