IT management and security, also called information security management, is the set of policies for managing an organization's sensitive data. Organizations that have implemented it have a higher rate of success than those that have not. The goal of security management is to identify all the risks and reduce them to a level that matches the organization's needs; it is neither necessary nor possible to remove every risk from an organization. Implementing and managing IT and security is necessary in all large organizations so that senior management can continue the business without a serious danger of loss. Financial information such as tax details, employee payroll information and personnel records is critical for any organization and must not be compromised at any cost; losing such information can damage the company's reputation as well as cause financial loss. The loss of assets can be categorized in two ways:
- Loss of tangible assets: assets that have a physical value and can be measured, e.g., servers, computers.
- Loss of intangible assets: assets that cannot be measured in terms of quantity, e.g., policy documentation, reputation.
Therefore, it is necessary to defend these assets from theft and loss through a proper management system.
IT Security and Management Hierarchy
The hierarchy of IT management and security runs from top to bottom: the upper tier consists of security governance, the second tier of middle management, i.e., the Chief Information Security Officer, and the third tier of technical staff, i.e., system administrators.
Role of IT and Security Governance
The role of IT and security governance is to ensure that stakeholder needs, conditions and options are analyzed in order to determine balanced and agreed-on enterprise objectives. The goals of security governance must be aligned with the goals of the organization. These overall goals include:
- Providing strategic direction
- Reaching security and business objectives
- Ensuring that risks are managed appropriately
- Verifying that the enterprise's resources are used responsibly
Analyzing the performance of an organization
Security governance analyzes performance through various techniques. The most important is data visualization, which presents data in graphical form and gives an overall picture of what is happening in the organization. Bar charts and graphs show the positive and negative aspects of the organization and allow the results to be compared with previous performance. Security governance defines the current state and the desired state, and on the basis of these two factors senior management makes its decisions. An example of data visualization is given below:
Security needs to be integrated into the business processes in order to achieve the desired goals. The aim is to reduce security gaps through organization-wide security programs. Integrating IT with the business requires the following steps:
- Identify scope
- Integrate physical security
- Risk Management
- Compliance and privacy
- Business continuity management
- Plan for disaster recovery
An effective information security program, and its integration with the business, is achieved by adopting a security framework. A security framework:
- Defines the information security objectives
- Aligns with business objectives
- Provides metrics to measure compliance and trends
- Standardizes baseline security activities
The most important thing to consider before integrating a security program with a business is to identify and value the culture of the organization. A strong organizational culture leads to effective business results.
Risk Assessment Process
Once clear policies are in place and the security program has been implemented and integrated with the corporate business, the main task of security professionals is risk assessment, which identifies the critical assets at risk. A risk is any future event that, if it occurs, has a negative impact on the business objectives. To perform a risk assessment, the organization's security professionals must know the objectives of the organization and the scope of the assessment. Risk assessment is part of long-term risk management, which consists of risk assessment and risk analysis: risk assessment is the process of identifying critical assets at risk and mitigating that risk with appropriate controls, while risk analysis is the review of the risks associated with a particular event. Risk management takes both internal and external factors into account; internal factors include culture, organizational maturity and corporate history, and external factors include regulations, the industry, and so on.
The risk assessment process consists of nine steps, which may vary from organization to organization according to their needs. The steps are given below:
- System characterization
The first step is to identify all the assets whose compromise would affect the organization negatively. After all the assets have been identified, each is assigned a value based on its criticality.
- Threat identification
In the second step, all the threats to the identified assets are listed, e.g., natural disasters, theft, wars, etc.
- Vulnerability assessment
In this step, all the loopholes (vulnerabilities) associated with each asset are identified and documented with a priority level.
- Control lists
After the loopholes of the assets have been identified, all the controls needed to address the vulnerabilities are listed.
- Likelihood of threats
The likelihood of each threat is listed with a priority level from high to low. This step shows how often the threat or event is expected to occur, which can be estimated from past history or from consultants' advice.
- Impact of threat
In this step, the magnitude of the threat is determined: how much damage would be done if the threat or event occurred.
- Risk identification
Risk identification combines the two previous steps, i.e., the likelihood and the impact of a threat. Risk is high when both likelihood and impact are high, and low when both are low.
- Control recommendations
After all the risks have been identified, controls are recommended on the basis of step four (the control list) and step seven (risk identification). Once the controls and risks have been analyzed, the recommended controls are implemented after approval by senior management.
The whole process is documented and presented to senior management in the form of a strong business case. The business case is the most important tool security professionals have for gaining the support of senior management.
Not every risk needs to be mitigated during the risk assessment process. The amount of risk that an organization is willing to accept is called residual risk. The main reason for accepting a risk is that it may not affect the organization's objectives. There are four possible responses once a risk has been identified:
- Risk mitigation: removing the risk by applying a security control.
- Risk transference: transferring the risk to a trusted third party so that they can remove it. Risk transference is appropriate when an organization wants independent advice from a security professional.
- Risk acceptance: the organization cannot afford to address the risk while continuing its business, and so accepts it. This happens when the impact of the risk and its rate of occurrence are too high for the organization.
- Risk avoidance: avoiding the risk completely and doing nothing about it. This happens when the risk has very low impact.
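The following added example, which is not code from the original article, walks a small risk register through the assessment steps described above (asset value, threat, vulnerability, control list, likelihood, impact, risk identification, control recommendation) and then applies the mitigate-or-accept decision from the treatment options. Everything in it is an assumption made for the illustration: the 1 to 5 scales, the likelihood times impact scoring, the accepted level of 6, the assets and threats, and each control's effectiveness figure. Only mitigation and acceptance are modelled; transference and avoidance are left to the reader as labels.

```python
# Added example, not from the original article. All scales, thresholds,
# assets, threats and control effectiveness figures are constructed
# assumptions for illustration only.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Control:
    name: str
    # Assumed fraction (0..1) by which the control lowers the likelihood.
    likelihood_reduction: float


@dataclass
class Risk:
    asset: str                         # step 1: system characterization
    criticality: int                   # step 1: asset value, 1 (low) .. 5 (critical)
    threat: str                        # step 2: threat identification
    vulnerability: str                 # step 3: vulnerability assessment
    candidate_controls: List[Control]  # step 4: control list
    likelihood: int                    # step 5: 1 (rare) .. 5 (frequent)
    impact: int                        # step 6: 1 (negligible) .. 5 (severe)

    def inherent_score(self) -> int:
        # Step 7: risk combines likelihood and impact; high likelihood together
        # with high impact gives the highest score (assumed 1..25 scale).
        return self.likelihood * self.impact


def rate(score: float) -> str:
    """Map a 1..25 score to the priority level used in the register (assumed bands)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def treat(risk: Risk, accepted_level: float) -> dict:
    """Step 8: recommend a control from the step-4 list for a step-7 risk.

    A risk already within the level the organization is willing to carry is
    accepted as-is. Otherwise the weakest listed control that brings the score
    within that level is recommended. If no listed control is enough, the
    strongest one is recommended and the item is flagged for senior management.
    """
    inherent = risk.inherent_score()
    if inherent <= accepted_level:
        return {"treatment": "accept", "control": None,
                "residual": float(inherent), "escalate": False}

    options = sorted(risk.candidate_controls, key=lambda c: c.likelihood_reduction)
    for control in options:
        residual = round(risk.likelihood * (1 - control.likelihood_reduction) * risk.impact, 2)
        if residual <= accepted_level:
            return {"treatment": "mitigate", "control": control.name,
                    "residual": residual, "escalate": False}

    best: Optional[Control] = options[-1] if options else None
    residual = (round(risk.likelihood * (1 - best.likelihood_reduction) * risk.impact, 2)
                if best else float(inherent))
    return {"treatment": "mitigate", "control": best.name if best else None,
            "residual": residual, "escalate": True}


def build_business_case(register: List[Risk], accepted_level: float) -> List[dict]:
    """Rank the register by inherent score so the document presented to senior
    management leads with the biggest risks."""
    rows = []
    for risk in register:
        rows.append({"asset": risk.asset, "threat": risk.threat,
                     "inherent": risk.inherent_score(),
                     "rating": rate(risk.inherent_score()),
                     **treat(risk, accepted_level)})
    return sorted(rows, key=lambda r: r["inherent"], reverse=True)


# Constructed sample register (not real data).
REGISTER = [
    Risk("Payroll database server", 5, "Theft of payroll data", "Unpatched DBMS",
         [Control("Monthly patching", 0.5),
          Control("Network segmentation plus patching", 0.8)],
         likelihood=4, impact=5),
    Risk("Policy documentation share", 2, "Accidental deletion", "No backups",
         [Control("Nightly backups", 0.9)], likelihood=3, impact=2),
    Risk("Office file server", 3, "Flood", "Ground-floor server room",
         [Control("Raise racks above flood line", 0.3)], likelihood=2, impact=4),
    Risk("Public web server", 4, "Denial of service", "Single upstream link",
         [Control("Upstream rate limiting", 0.4)], likelihood=5, impact=4),
]

ACCEPTED_LEVEL = 6  # assumed threshold on the 1..25 scale

if __name__ == "__main__":
    for row in build_business_case(REGISTER, ACCEPTED_LEVEL):
        print(row)
```

Run stand-alone, the script prints the ranked register: the payroll server needs the stronger control to get within the accepted level, the web server is flagged for escalation because no listed control suffices, and the documentation share is accepted as-is. The escalate flag is the point a practitioner should watch for: it marks the items where the business case has to ask senior management either to fund a control that is not yet on the list or to formally accept the remaining risk.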