Organizational information security assessment
We must remember that information security is meant to compliment the business/mission process, and that each process owner will have to determine what risk is acceptable for their organization. We, as information security experts, can only offer recommendations (fixes, mitigations, and so on), but the business/mission owner is ultimately the inpidual who makes such decisions.
It is important to understand that in most cases, organizations must share information in today's digital economy in order to be successful. The key to a successful information security program is to properly categorize data and ensure that only those that are authorized to access the data have the rights to do so. This means that you need to look at data and your organization's staff members, business partners, vendors, and customers, and determine who should have access to the various types of data within your organization.
There are two main ways to conduct an assessment of your organization's IT and business process as they relate to information security:
- Internal assessment: An internal assessment can be viewed in two ways:
- An initial assessment could be used to provide the context for the inclusion of a third-party assessment. This would be an appropriate course of action if your information security program lacked the skills to conduct a thorough information security assessment, or your organization prefers third-party assessments over internal assessments.
- If your organization does not require a third-party assessment, and if you have the resources and skills to complete an information security assessment, the internal information security program can conduct its own assessment.
- Third-party assessment: The third-party assessment can be viewed in two ways:
- A third-party assessment provides an objective view and can often be used to arbitrate between the information security group and IT operations. The third party brings in an unbiased observer to develop the organization's assessment, alleviating internal infighting.
- While this has benefits over an initial assessment, this is usually the only mechanism for an assessment that is tied to compliance.
Recommendation
In my experience, the best way to start your information security program is to take a hybrid approach to conducting your initial assessment.
The following is an abbreviated example to begin the process of performing an internal assessment:
- Conduct an initial internal assessment:
- As an information security leader you need to understand the organization you work in:
- Meet with business and IT leaders:
- Depending on the business function of your organization, acquire all past audit (PCI, HIPPA, and so on) reports, to determine what was found, addressed, not addressed, and so on.
- Meet with subject matter experts.
- Document areas for improvement and places where you can celebrate current successes.
- Brief leadership on your findings.
- Meet with business and IT leaders:
- Based on your findings recommend to leadership that a third party be brought in to dig deeper:
- No matter the results of the internal review, a third-party validator should be brought in, at least on a biannual basis to test your security program. This includes:
- Information security program reviews.
- Red team penetration test capability.
- No matter the results of the internal review, a third-party validator should be brought in, at least on a biannual basis to test your security program. This includes:
- As an information security leader you need to understand the organization you work in:
- Conduct a third-party assessment:
- Work with IT leadership and subject matter experts to discuss the purpose of the assessment:
- Make sure that the assessment is non-punitive:
- Ensure that everyone understands that you are conducting an assessment to build a plan and roadmap. The purpose is not to fire inpiduals or to point out mistakes.
- Make sure that the assessment is non-punitive:
- Ensure that the third-party assessment has management buy-in and support:
- Without top-level support (Board, CEO), it might be easy for inpiduals to ignore your assessors.
- Ensure that the third party has access to the internal resources required:
- Make sure that there is a clear plan and that this plan is communicated to everyone that will be involved in the assessment.
- Conduct the assessment and produce the findings.
- A plan of action and milestones should then be developed with each business owner, to allow those owners to build their strategies of risk management, risk acceptance, or risk transfer.
- Work with IT leadership and subject matter experts to discuss the purpose of the assessment: