The answer is “yes, your security program absolutely needs maintenance.”
Every organization should have an information security program, which most people recognize. However, what most don’t realize is that their program needs proper upkeep or maintenance. There should never be a point where an organization is overconfident after implementing a security program because there is always room for improvement.
Take, for example, a Formula 1 race car. It has a team of engineers and a pit crew that provides their knowledge and expertise to maintain the car and keep it running at its best. If there are any issues, the car is called back to the pit to be worked on. The same should apply to an organization’s information security program.
To assist the information security community in managing and operating the ongoing security program, a management model must be adopted. In general, management models are frameworks that structure the tasks of managing a particular set of activities or business functions.
There are five domains in the Information Security Maintenance Model:
External Monitoring
The objective of the external monitoring domain within the maintenance model is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks. That awareness leads to the creation of an effective and timely defense. By collecting this information, an organization is able to review their current security measures to ensure that they are running up to par. If there is any room for improvement, it would be made here since this is the first line of defense.
Internal Monitoring
Internal monitoring provides an informed awareness of the state of all of the organization’s networks, information systems, and information security defenses. This awareness is important for internal networks which interface directly with the external networks. An organization’s internal network will house mission critical systems, which need the most protection. The information collected in this domain will be useful when the Assessment and Remediation domain is analyzed.
Planning and Risk Assessment
Overall, this stage keeps an eye on the entire information security program. This is done in part by identifying and planning ongoing information security activities that further reduce risk. Also, the risk assessment group identifies and documents risks introduced by both IT projects and information security projects, as well as identifies issues that may be hidden in the current environment. Periodic review of an information security program, along with planning for improvements, is a best practice for every organization.
Vulnerability Assessment and Remediation
The primary goal of the vulnerability assessment and remediation domain is the identification of specific, documented vulnerabilities and their timely remediation. A vulnerability assessment can involve purposely attacking an organization from both external and internal networks to test its security program. Using the vulnerability information found in the previous domains, an organization can properly assess threats and create a remediation plan for them. The objective of remediation is to repair the flaw causing a vulnerability instance or remove the risk from the vulnerability.
Readiness and Review
Finally we reach our last domain, the Readiness and Review. This step keeps the information security program functioning as designed and continuously improving over time. I think of this as the military constantly running exercises to improve their readiness and response. After each exercise, their actions are evaluated and reviewed. Any areas that require improvement will be documented and brought to other areas for further remediation.
Upon the successful implementation and testing of a new and improved security profile, an organization might feel more confident of the level of protection it’s providing for its information assets. It shouldn’t. By the time the organization has completed implementing the changes mandated by an upgraded security program, a good deal of time should have passed. In that time, everything that is dynamic in the organization’s environment has changed.
(Image Source: iCLIPART)