Friday, February 15, 2008

Hail the New Information Security World

As it happens, I'm deep in Information Security management at the moment, which is an interesting diversion from HPC. A young turk is trying to set up an Information Security practice at the firm of some chums and has been asking my advice on where Information Security is at and where it's heading. His hypothesis was to structure it along three lines: architecture (application and networks), implementation and compliance.

This, I feel, reflects the information security world of the past - blighted with too many people who write abstruse policies which no one reads and are heard to continually say "no you can't do that".

I feel it's time for a change so I proposed the following three areas:
  • Security Architecture
    • Strategy
    • Governance
    • Policy framework, policy and process design
    • Security architecture: security architecture patterns
    • Security API design and analysis
    • Operational infrastructure design and implementation
    • Product selection procurement
    • Process design
  • Information Security Operations
    • Process implementation and operation
    • SLA, compliance monitoring and reporting
  • Information Security Analytics
    • KRI production, trends, outlier analysis, event correlation, ad hoc reports, event visualisation
    • Forensic evidence capture, expert witness
    • Risk Assessment
But there's still something missing - the process of cumulative risk management. Click the image to expand:


Iang said...

What's your definition of governance? I see a lot of confusion around this term in that some people in security and IT think it is akin to management.

Mine is this: protect the assets. In contraposition to investment, which is to grow the assets.

Graeme Burnett said...

Ian - the technical definition is "the rules and procedures which ensure an organisation is properly run". Management is the monitoring of the rules and their effectiveness. Strategy determines the direction that governance should take and is an executive, not operational, management issue. Sadly, it is all too common for operational management to bend the rules or change them due to weak executive management...