The Information Security Forum (ISF), a trusted resource for executives and board members on cyber security and risk management, today announced the release of
Establishing a Business-Focused Security Assurance Program, the organization's latest report, which explores how individuals responsible for
providing security assurance in their organization can meet the specific needs
of business stakeholders. This report equips organizations to establish and run
a security assurance program that focuses on the needs of the business. This is
accomplished by outlining the need for change towards a business-focused
approach, identifying how to move from current to future approaches,
introducing three fundamental elements that underpin successful
business-focused security assurance and describing a repeatable process to
provide security assurance.
Many organizations aspire to an approach that directly links
security assurance with the needs of the business, demonstrating the level of
value that security provides. However, there is often a significant gap between
goals and reality. Improvement requires time and patience, but organizations do
not need to start at the beginning. Most already have the basics of security
assurance in place, meeting compliance obligations by evaluating the extent to
which required controls have been implemented and identifying gaps or
weaknesses. Establishing a Business-Focused Security Assurance Program
explains how organizations can build on existing compliance-based approaches
rather than replace them.
"Taking a business-focused approach to security assurance is an evolution. It means going
a step further and demonstrating how well business processes, projects and
supporting assets are really protected, by focusing on how effective controls
are," said Steve Durbin, Managing Director, ISF. "A business-focused approach
requires a broader view, considering the needs of multiple stakeholders within
the organization: what do they need to know, when and why? Answering these
questions will enable adoption of testing, measurement and reporting techniques
that provide appropriate evidence."
Business-focused security assurance programs can build on
existing compliance-based approaches by:
- Identifying the specific needs of different business
stakeholders
- Testing and verifying the effectiveness of controls,
rather than focusing purely on whether the right ones are in place
- Reporting on security in a business context
- Leveraging skills, expertise and technology from within
and outside the organization
Most organizations run a security assurance program of some
kind, but implementation varies significantly. A successful, business-focused
security assurance program requires positive, collaborative working
relationships throughout the organization. Security, business and IT leaders
should actively engage with each other to make sure that requirements are
realistic and expectations are understood by all.
"In today's fast-moving business environment, filled with
constantly evolving cyber threats, business leaders want confidence that their
processes, projects and supporting assets are well protected. An independent
and objective security assurance function should provide business stakeholders
with the right level of confidence in controls - complacency can have
disastrous consequences," continued Durbin. "Establishing a business-focused
security assurance program is a long-term and ongoing investment. The ISF
Approach presented in this report will help organizations to review current
approaches and determine how to turn aspirations into reality."
The ISF Approach to Establishing a Business-Focused
Security Assurance Program is designed to be flexible, enabling individuals
tasked with providing security assurance to ask the right questions of business
leaders and perform the activities that will deliver the most pertinent
results. By developing a flexible, repeatable security assurance process,
organizations can promote continuous learning and improvement: lessons learned
from one review can be applied elsewhere. Organizations can use the ISF
Approach to begin providing the right level of confidence in controls.
This report is primarily directed at individuals who are tasked with providing security
assurance for an organization. These can include security managers, security
specialists, security architects, project/program managers, business analysts
(within the IT department) and legal and regulatory compliance specialists. The
report will also be of interest to individuals in senior management who have a
governance and oversight role including the Chief Information Security Officer
(CISO), Chief Information Officer (CIO), Chief Risk Officer (CRO) and Head of
Audit. Establishing a Business-Focused Security Assurance Program is available now to ISF Member
companies via the ISF website.