Information Security Forum Report Looks at Business-Focused Security Assurance Programs
The Information Security Forum (ISF), a trusted resource for executives and board members on cyber security and risk management, today announced the release of Establishing a Business-Focused Security Assurance Program, the organization's latest report, which explores how individuals responsible for providing security assurance in their organization can meet the specific needs of business stakeholders. The report equips organizations to establish and run a security assurance program that focuses on the needs of the business. It does this by outlining the need for change towards a business-focused approach, identifying how to move from current to future approaches, introducing three fundamental elements that underpin successful business-focused security assurance, and describing a repeatable process for providing security assurance.

Many organizations aspire to an approach that directly links security assurance with the needs of the business, demonstrating the level of value that security provides. However, there is often a significant gap between goals and reality. Improvement requires time and patience, but organizations do not need to start at the beginning. Most already have the basics of security assurance in place, meeting compliance obligations by evaluating the extent to which required controls have been implemented and identifying gaps or weaknesses. Establishing a Business-Focused Security Assurance Program explains how organizations can build on existing compliance-based approaches rather than replace them.

"Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are," said Steve Durbin, Managing Director, ISF. "A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence."

Business-focused security assurance programs can build on existing compliance-based approaches by:

  • Identifying the specific needs of different business stakeholders
  • Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place
  • Reporting on security in a business context
  • Leveraging skills, expertise and technology from within and outside the organization

Most organizations run a security assurance program of some kind, but implementation varies significantly. A successful, business-focused security assurance program requires positive, collaborative working relationships throughout the organization. Security, business and IT leaders should actively engage with each other to make sure that requirements are realistic and expectations are understood by all.

"In today's fast-moving business environment, filled with constantly evolving cyber threats, business leaders want confidence that their processes, projects and supporting assets are well protected. An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls - complacency can have disastrous consequences," continued Durbin. "Establishing a business-focused security assurance program is a long-term and ongoing investment. The ISF Approach presented in this report will help organizations to review current approaches and determine how to turn aspirations into reality."

The ISF Approach to Establishing a Business-Focused Security Assurance Program is designed to be flexible, enabling individuals tasked with providing security assurance to ask the right questions of business leaders and perform the activities that will deliver the most pertinent results. By developing a flexible, repeatable security assurance process, organizations can promote continuous learning and improvement: lessons learned from one review can be applied elsewhere. Organizations can use the ISF Approach to begin providing the right level of confidence in controls.

This report is primarily directed at individuals who are tasked with providing security assurance for an organization. These can include security managers, security specialists, security architects, project/program managers, business analysts (within the IT department) and legal and regulatory compliance specialists. The report will also be of interest to individuals in senior management who have a governance and oversight role including the Chief Information Security Officer (CISO), Chief Information Officer (CIO), Chief Risk Officer (CRO) and Head of Audit. Establishing a Business-Focused Security Assurance Program is available now to ISF Member companies via the ISF website.

Published Wednesday, June 19, 2019 8:09 AM by David Marshall