By Forrester Research
Special to CNET News.com
January 27, 2004, 1:30PM PT
By Michael Rasmussen, principal analyst
The chief information security officer, or CISO, faces a seemingly impossible task--securing the enterprise and keeping it secure.
The past three years have changed top managers' perspective on information security:
While they thought that security was merely a technical problem that could be solved with the purchase of a firewall, have shown that this is not enough.
While they thought that the biggest threat to their enterprise was a, Sept. 11, cybercrime, identity theft, intellectual property rights and privacy have shown the threat to be much broader.
While they thought that security was merely an information technology issue, the, , the , and the continuing rise of regulatory and legal exposure have shown that governance is key to information security.
Building from the top
This then builds out into an information security architecture and a vision aligned with these established principles. Next, to align and measure information security against this framework, the detailed controls have to be established so that the CISO can manage the gaps, effectiveness, compliance and risk to the organization.
The CISO is thus challenged with taking information from the depths of the technical weeds, aligning it with business objectives, policies and compliance requirements, and then reporting to executives on the risk the organization faces. He or she must manage many islands of information, not only within the security department but also from many other areas outside his or her sphere of direct control. In managing the complexity, interrelationship and differentiation of all of these demands, the CISO needs a knowledge management dashboard that supports the synthesis, analysis and reporting of the state of information security in the enterprise.
The CISO dashboard provides a portal view into the state of information security in its various domains--policy, risk, compliance, asset, incident, threat/vulnerability and configuration management. Building on the technologies already deployed, information is fed into the dashboard to provide the high-level objective analysis and control needed to manage the information security program.
The view from the top
Work flow represents the core component for compliance tracking, incident management, vulnerability remediation and many more security domains. The system needs the ability to track the awareness and acceptance of policies, as they are developed--from writing to legal review to business manager review to final acceptance and publication. Compliance involves a strong work flow that hands off the documentation and adherence to security controls to individual action takers and auditors.
Business process and geographic views must be added. Security in the past was managed purely in the realm of technology, but today's demands force security to be aligned with the business. As a result of Sarbanes-Oxley, executives need to know the status of internal controls of the financial systems. As a result of privacy legislation such as the EU Data Protection Directive and HIPAA, organizations must identify which systems and business processes involve personal information and identify the status of compliance controls on those systems and those with which they interact.
Task management looks at remediation and response. The CISO and supporting manager need to be able to assign to-do items to specific individuals. These tasks need to be able to be tracked and integrated into the larger work flow framework.
Document/knowledge repository averts the need to create everything from scratch. Organizations are looking for the knowledge the system provides. The dashboard system should organize and define security controls, policies and compliance requirements--giving the organization a foundation to adapt and build upon.
Notification is the ability to alert individuals when thresholds are crossed. When a critical vulnerability has just been announced that exposes the financial systems or personal information, the organization needs the action takers to be alerted immediately. For example, a critical security incident that involves California residents' personal information requires, under that state's breach-notification law, that the organization take incident response, containment and disclosure steps right away.
Data import and manipulation involves the integration of many sources of data. The ability to take in various document and database formats is critical; a primary focus should be data interchange standards such as the Extensible Markup Language. The system should also be able to manipulate and normalize the data into a common format so that it can be correlated with data from other sources.
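The three capabilities above (the business-process and geographic view, threshold-based notification, and import/normalization of heterogeneous data) are one pipeline in practice. The following is an added example, not code from the Forrester article: it normalizes a constructed XML vulnerability advisory feed and a constructed CSV asset inventory into one record shape, joins them on the software each asset runs, attaches the asset's business process, region and regulatory tags, and flags findings that cross a notification threshold. The feed layout, CSV columns, tag names, severity ranking and the California disclosure rule of thumb are all assumptions made for illustration.

```python
"""Added example, not code from the Forrester article: one ingest and
correlation step for the dashboard the text describes. It normalizes a
constructed XML vulnerability advisory feed and a constructed CSV asset
inventory into one record shape, joins them on the software each asset runs,
and flags findings that cross a notification threshold (critical severity on a
system tagged as financial or as holding personal information). The feed
format, CSV columns, tags and threshold are all assumptions."""

import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample advisory feed in a hypothetical XML layout.
ADVISORY_XML = """<advisories>
  <advisory id="ADV-0001" severity="Critical">
    <product>webapp-server</product><version>2.1</version>
  </advisory>
  <advisory id="ADV-0002" severity="Medium">
    <product>mail-gateway</product><version>4.0</version>
  </advisory>
</advisories>"""

# Constructed asset inventory as a CMDB might export it; data_classes is a
# ';'-separated list of the business tags the dashboard joins on.
ASSETS_CSV = """hostname,software,version,process,region,data_classes
erp-01,webapp-server,2.1,financial-close,EMEA,financial;personal
hr-02,webapp-server,2.1,payroll,US-CA,personal
mx-01,mail-gateway,4.0,email,APAC,
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REGULATED_CLASSES = ("financial", "personal")  # SOX scope, privacy scope


@dataclass
class Finding:
    advisory_id: str
    severity: str          # normalized to lower case
    hostname: str
    process: str           # business-process view
    region: str            # geographic view
    data_classes: list     # regulatory tags on the asset


def parse_advisories(xml_text):
    """Normalize the XML feed into {(product, version): [advisory, ...]}."""
    root = ET.fromstring(xml_text)
    by_product = {}
    for adv in root.findall("advisory"):
        key = (adv.findtext("product", "").strip(), adv.findtext("version", "").strip())
        by_product.setdefault(key, []).append(
            {"id": adv.get("id"), "severity": adv.get("severity", "low").lower()})
    return by_product


def parse_assets(csv_text):
    """Normalize the CSV export; split the tag list into a Python list."""
    assets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["data_classes"] = [c for c in row["data_classes"].split(";") if c]
        assets.append(row)
    return assets


def correlate(advisories, assets):
    """Join advisories to assets on (software, version)."""
    findings = []
    for asset in assets:
        for adv in advisories.get((asset["software"], asset["version"]), []):
            findings.append(Finding(adv["id"], adv["severity"], asset["hostname"],
                                    asset["process"], asset["region"], asset["data_classes"]))
    return findings


def crosses_threshold(finding, min_severity="critical"):
    """Notification rule: severity at or above the threshold on a regulated asset."""
    severe = SEVERITY_RANK.get(finding.severity, 0) >= SEVERITY_RANK[min_severity]
    regulated = any(c in REGULATED_CLASSES for c in finding.data_classes)
    return severe and regulated


def disclosure_required(finding):
    """Assumed rule of thumb: personal data on a system serving California
    residents triggers the state breach-disclosure work flow if compromised."""
    return "personal" in finding.data_classes and finding.region == "US-CA"


def build_alerts(xml_text, csv_text):
    """Full pipeline: import, normalize, correlate, filter by threshold."""
    findings = correlate(parse_advisories(xml_text), parse_assets(csv_text))
    return [f for f in findings if crosses_threshold(f)]


if __name__ == "__main__":
    for alert in build_alerts(ADVISORY_XML, ASSETS_CSV):
        print(f"{alert.advisory_id} on {alert.hostname} ({alert.process}, {alert.region}) "
              f"tags={alert.data_classes} disclosure={disclosure_required(alert)}")
```

On the sample data, ADV-0001 produces two alerts (erp-01 and hr-02), with hr-02 also carrying the disclosure flag, while the medium-severity ADV-0002 on the untagged mail gateway is recorded but not escalated. Two practical notes: the join key here is exact (product, version) string equality, so normalization of vendor and version strings from each source is where most of the real effort goes; and a dashboard that ingests XML from outside the organization should parse it with a hardened parser (for example the defusedxml package) rather than the standard library's xml.etree, which does not defend against entity-expansion attacks in all versions.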
© 2004, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.