A brand is a promise that is made to the company’s customers. Over time, customers trust the brand based on the trustworthiness of the company. Security plays an important role in protecting that trust by managing risks to confidentiality, availability, and integrity. Customers expect that the information systems that they access to be available, accurate, and that those systems will properly protect the private information that they share with the company in order to conduct the transaction.
Security policy plays an important role in a mature security management process, because it is the expression of management’s decisions about how the business will be managed. Often the policies will be formulated to comply with specific governmental regulations or industry requirements but are tailored to the specific needs of the business.
Various administrative and technical controls are implemented to enforce the security policies. A security incident is defined as a violation of a security policy and should (by policy) require planned response per the organization’s security incident handling procedures.
Role-appropriate security training is important because employees need to be provided with the knowledge and skills needed to do their part in maintaining and enhancing the organization’s security. Security awareness activities augment training by reminding employees of why the various security policies exist and of the possible adverse consequences of a breach of security. Certain types of attacks that exploit trust, such as social engineering, can only be mitigated via organizational security awareness.
Security management is good management. Implementing security controls does impose some costs on a business, but security needs to be tailored to the risk profile of the organization and should empower positive change, albeit in a safe and secure way. Just like a good QA program helps the company avoid the costs of poor quality, a good security management program helps the company avoid the costs of poor security. Bad things happen to good companies and all companies will have security incidents. What separates the “great” from the “good” is how quickly a security incident is detected and responded to. Generally speaking, the more rapid the response--the lower the cost.
All companies have constrained resources and investments in security controls have an opportunity cost that must be balanced with the other needs of the company. For this reason, risks must be ranked and prioritized and if possible quantified. Management can decide to mitigate certain risks while accepting other risks. A good risk assessment program creates visibility and facilitates this decision making process.
Threats continue to evolve and modern malware have many permutations. The most current school of thought, as promulgated by organizations such as SANS, is that it is futile to try to enumerate all variations of “evil” and that the best way to detect a security incident is to identify a deviation from an approved baseline. If a firewall or a web server has a configuration that has not been approved via the organization’s change management process, it is a security violation. This is whether the change was made by a hacker or a well-meaning developer because unapproved change introduces unanalyzed risks and potentially new vulnerabilities that no one may be aware of. Planning, automated tools, and separation of duties can be implemented to achieve this level of security program maturity without losing business agility.