This, I feel, reflects the information security world of the past: blighted with too many people who write abstruse policies that no one reads, and who are forever heard to say "no, you can't do that".
I feel it's time for a change so I proposed the following three areas:
- Security Architecture
  - Strategy
  - Governance
  - Policy framework, policy and process design
  - Security architecture: security architecture patterns
  - Security API design and analysis
  - Operational infrastructure design and implementation
  - Product selection and procurement
  - Process design
- Information Security Operations
  - Process implementation and operation
  - SLA, compliance monitoring and reporting
- Information Security Analytics
  - KRI production, trends, outlier analysis, event correlation, ad hoc reports, event visualisation
  - Forensic evidence capture, expert witness
  - Risk assessment
2 comments:
What's your definition of governance? I see a lot of confusion around this term in that some people in security and IT think it is akin to management.
Mine is this: protect the assets. In contraposition to investment, which is to grow the assets.
Ian - the technical definition is "the rules and procedures which ensure an organisation is properly run". Management is the monitoring of the rules and their effectiveness. Strategy determines the direction that governance should take and is an executive, not operational, management issue. Sadly, it is all too common for operational management to bend the rules or change them due to weak executive management...