By John Frisken, CA, CISA
Director Professional Services, ISG
Two important factors for implementing great security are a sound governance structure and some process-based tools to track and enforce security. With these elements in place, you have a foundation on which to drive innovation and improvements in more granular aspects of security within the organisation. I will address these two factors separately below.
Understanding how the security process functions within the governance of the organisation is an important first step to getting security embedded into the culture of the organisation. What you don’t want or need is an isolated group who are perceived to be responsible for security. Security is everyone’s responsibility, so the structure needs to reflect that.
Below is a governance structure we have implemented before that works. The diagram also shows the key flows within the Cyber Security Management System (CSMS) and how those flows are connected. A key feature of this diagram is that the feedback loops into the governance bodies measure and document the extent to which the security measures being implemented are working.
Some of the other features of this organisational model which we have found to be increasingly important are the structures for managing vendors within projects. From a security point of view, the SLA / OLA mechanisms put in place to manage the outcomes of these relationships and associated investments are essential, given that most application implementation and support is performed through external organisations today. Without defining what these are and having a mechanism for measuring them, you leave a key aspect of organisational security to be defined by an outside organisation. It might hopefully be best practice, but how do you ensure that they are being effectively implemented and administered?
The next aspect of the organisation structure is the technology assets. Managing assets is the
baseline capability required to secure the organisation. In a modern enterprise these assets will
span IT systems, operating technology, as well as the Internet of Things. These all have their
individual challenges but increasingly are being managed by ITSM applications which establish and
manage a Configuration Management System. Changes to these asset baselines, including the
security attributes, are managed through Change Management processes. These processes again
provide the opportunity to involve the security function in approving changes to assets that are
critical for security, for example secure images applied to laptops and servers or changes to
routers or firewalls.
There are also some Security Tools such as Tenable.io that link into ITSM vendor tools in order to
track and trap changes to secure assets and report them back into the ITSM Help Desk tools so
they can be actioned.
Process Based Tools
Process-based tools are separate to Governance but are increasingly required to implement an
efficient and effective work force. Workflow tools allow tasks to be created and assigned for action
to ensure that important priorities are addressed. The activity associated with the actioning and
follow-up of these tasks is captured, and the changes are date and time stamped to provide an
enduring audit log of how effectively the organisation is addressing key items of concern, be they
risks, vulnerabilities, training, or audits. Process-based tools are the basis of modern ISMS systems
that track and manage activities associated with cyber security.
Some tools that are commonly used include JIRA from Atlassian and SBM (Solutions Business
Manager) from Micro Focus.
In the above graphic, the SBM Enterprise Workflow tool sits as a tier within the Service Management
Automation stack, enabling Human and Machine based workflows to be pushed out of ITSM into
user areas or development focussed activities. This enables a wide range of manual activities to
be automated within IT or the Business, reducing the cycle time for completing processing and
also improving the accuracy with which they are performed.
A sample workflow enabled CSMS is shown below. It features workflows within a number of
domains all focused around key ITSM processes such as Change Management and Configuration
Management. Within this workflow model new instances of activities would be created that can be
assigned and managed within the CSMS Solution. Various types of activities would be defined,
each with their defined states that would allow activity to progress within each activity until the
output is reviewed and approved.
This allows control to be maintained over all activities executed within the CSMS and any
exceptions to be identified and escalated for management action. Although this is not rocket science,
without the structure and automated processes within an enterprise workflow system, it becomes
much more difficult to maintain control.
Another advantage of enterprise workflow systems is that they can be used to track time within
each activity, allowing activities to be budgeted for and managed from a cost point of view. This
becomes a particularly critical feature where specialist tasks need to be outsourced and the costs
of these activities managed.
Maturity Models
Having established the foundation for governance of your CSMS programme, the concrete work
of building and operating controls can be undertaken with confidence. The first step will be to
define the programme of work required to put in place the appropriate controls to manage the
organisation. This can start in a number of ways, but a good place to start is a Maturity Assessment.
This helps management to understand where the organisation is at the moment and where they
wish to be in the future. Establishing these baseline targets allows the organisation to build a
programme to bridge the gaps between the current and future maturity states.
Below is a sample map of the structure of a C2M2 Maturity Assessment, which is commonly used
in the Electricity and Utility industries to measure maturity.
The task of defining the program is assisted by understanding where the gaps are and then
working with management to prioritise those gaps.
In Australia the Essential Eight Maturity model is commonly used for small to medium
organisations as well as Schools and families. It focusses on the essential controls to assist with
minimising exposure to malware and other online threats that are ever present today in our
connected environment. There are a range of vendors who have produced checklists and software
that can advise on application of the model.
The maturity framework can be downloaded from cyber.gov.au: PROTECT – Essential Eight
Maturity Model (October 2021).
Some gaps may be of more concern to management than others, allowing a set of priorities to
be established for the activities. This is important if there is more activity than can be undertaken
within a single year for either cost or timeframe reasons.
Conclusion
The protection offered by a governance approach to Cyber Security enabled using a management
system enforcing a process for security arises because it is a continuous loop of review and action
to improve an organisation’s security posture. This is in contrast to a controls verification approach
which attempts to create a snapshot of compliance at a point in time without reference to an
underlying process managing achievement of the control assessment result.
The use of a governance approach to cyber security is a reminder to all participants of the ongoing
vigilance required to effectively address risks in this area. The use of a management system
engages all participants in continuously checking critical controls and maintaining evidence of their
operation. The decentralised approach to management of controls in this way simplifies collection
of evidence and subsequent audit activities.
About the Author
John Frisken, CISA, CA, is an information security and application development specialist with a
distinguished career in
professional practice with Ernst & Young and, subsequently, as founder and owner of the
Information Systems Group, an international security consulting, systems integration and secure
development company headquartered in Sydney, New South Wales, Australia. Since establishing
ISG in 1996, Frisken has overseen the delivery of ISG’s services including ISMS implementation
projects for many large public sector, judicial, and utility organisations in Australia and
development of complex applications leveraging advanced messaging and secure platform
technologies.
John is a Member of ISACA, Institute of Chartered Accountants in Australia, and Australian
Information Security Association. John led the adaption of the COBIT framework into the IFAC
Delivery and Support Standards which are aimed at explaining the application of the framework
within a business context. He currently serves as ISG’s director of professional services.