In this note, I am writing about IT security strategies and corresponding concepts. The content will show what a security strategy document contains and how it is maintained.

Business strategy

Before we jump into the IT security strategy, we need to learn a little more about the surrounding strategies. The business strategy can be divided into sub-strategies; in our case, these are the IT strategy and the IT security strategy. You won't often see such a strategy in the wild, since it reveals deep information about an organization and its processes.
A business strategy describes where the organization is heading, which opportunities it can and will pursue, and the corresponding risks it accepts.

IT strategy

The IT strategy is a part of the business strategy and serves a similar function. It defines how the IT organization will operate in the future and what its objectives are. Like the business strategy, the IT strategy contains several sub-strategies:
- Infrastructure: Concepts about technologies, hardware, operating systems, and networks
- Application: Concepts about applications to support current or new business processes
- Sourcing: Concepts about procurement, global sourcing, modular sourcing, system sourcing, single sourcing, and in/outsourcing
- Innovation: Concepts about new markets, products, and development
- Investment: Concepts about financial strategies and acquisitions

IT security strategy

Same but different. The IT security strategy reads more like an internal law than a strategy. It describes how systems and the information they hold must be handled. The key contents of an IT security strategy are:
- Security definitions: The security objectives of the organization and the responsibilities of employees with regard to data
- Commitment of the management board: Approval of the strategy by the management board
- Scope of application: The boundaries of the strategy
- Organization: The responsibilities and competencies defined for carrying out the IT security strategy
- Security & protection objectives: Overarching objectives such as data handling/processing, integrity, authenticity, and liability
- Security controls: The method and interval of security controls

Also make sure to include all identified risks and a proper risk management strategy after assessing the possible risks. Keep the document updated, as you are required to reassess it continually. I recently learned that we can use the PDCA cycle for this.

Plan

- Define methods for your risk management strategy
- Identify risks
- Rate risks
- Evaluate security measures

Do

- Create a realization plan for the security concept
- Execute security measures
- Execute monitoring and controls
- Handle emergency response and security incidents
- Train and sensitize employees

Control

- Identify threats
- Check compliance with requirements
- Evaluate the effectiveness and efficiency of security measures
- Create management reporting

Act

- Document issues and act accordingly
- Improve security measures

Also verify the completeness of the IT security strategy against a control model (COBIT, for example). Include security criteria, internal/external requirements, relevant standards, and best practices.

Last modified: September 11, 2020
