The overall aim of a sound security framework is to:
- Ensure alignment of security management and operations with organisational goals and the business architectures that enable them
- Provide appropriate and sound security guidance to all new business solutions, and to changes to existing business solutions, in order to optimise investments
- Provide appropriate capabilities to enable the deployment of secure and safe business solutions
- Provide advice and the required capabilities to manage current security exposures down to acceptable risk levels, based on an organisationally defined and agreed risk appetite and tolerance
This is depicted in the diagram below.
An aligned Information Security framework will consider the specific nature of the organisation: its business architectures (the configuration of identified business functional capabilities that deliver business objectives); the way those capabilities utilise information assets; and the technologies deployed to enable the business capabilities to interact with business data and information. The framework must assess the risks to the effective, efficient and safe acquisition, processing, storage and transmission of data and information, and must define a security architecture that optimises those risks, i.e. reduces them to acceptable levels within acceptable cost constraints.
Also, an aligned security framework must identify and align with the existing corporate governance framework within the organisation. This alignment provides the mandate and authority to execute, and enables senior stakeholder engagement and buy-in.
A typical framework looks like the diagram below.
Overarching Framework for governing and managing security
A typical framework consists of three (3) main parts:
- Governance layer, which integrates into existing organisational governance processes
- Management layer, which generates security management frameworks and processes and enforces management controls in alignment with business objectives
- Operations layer, which provides day-to-day execution and maintenance of defined and approved processes in accordance with the management frameworks
Defining a framework generally involves the rigour and application of systems engineering and architectural principles, starting from seeing the business as an entity set out to achieve defined objectives, which must manage risks in order to deliver those objectives.
The definition process then follows a structured set of steps to expand the subcomponents of that system entity, working through an architectural framework that enables the traceability of business objectives through to the security architectural components that enable them (see framework below).
As indicated earlier, each of the elements of an aligned security framework must provide:
- Architectural guidance and direction
- The capabilities that enable the organisation to implement safe and secure business solutions
- Active support for the identification and remediation of security-related risks and issues
It is imperative that each element of the security framework is designed so that information flows easily from BAU through security management to security governance and on into the wider organisational governance processes. A robust feedback mechanism is essential to the successful operation of a security framework.
Each element or domain of the security framework consists of:
- Domain framework
- Domain processes
- Domain metrics
Information Security Governance
The appropriate security governance for an organisation is that which empowers balanced and aligned security management capabilities for the organisation. It validates the security function's interpretation of, and alignment with, business direction, and serves as the bridge between top-level stakeholders and the security function. Visible support and buy-in from senior leadership is a necessary ingredient for security management success.
Typically, from experience, I prefer to split the governance group into two.
- Selected senior stakeholders group, the "Governance Board". This group convenes only 3 to 4 times a year and performs mainly strategic corporate alignment and upward communication roles.
- Governance Board Workgroup: This workgroup is an extension of the Governance Board but is constituted by mid-management stakeholders from across the business, including IS. The group is charged with steering and championing security programmes.
Both groups combined form the Security Governance Forum and should hold a combined meeting at least once a year. Both must operate from a structured and agreed governance charter.
Architectural Board: the security function must be represented on the organisation's IS Architecture Governance Board. This could be through an active senior stakeholder champion or the head of the security function.
Corporate Security Policies, Standards and Procedures
Security Protocol/Principles: The Security Protocol or Principles document is a high-level interpretation of the Security Policy for the use of IS resources and for projects (or business solutions) consuming IS resources. It expands on the requirements of the policy and lays out the implications for the IS organisation and the IS environment.
Acceptable Use: The Acceptable Use Guideline is a user-friendly interpretation of the Security Policy, written so that it is understandable and actionable by a rational general user.
Triage: The Security Triage is a quick, high-level checklist used to determine how much a new business solution should engage the organisation's security function, and in what ways. It is a pointer that aims to ensure that projects are not unnecessarily encumbered by security, and also that all projects requiring security engagement know when and how to engage.
Control Matrix: The Control Matrix is a distillation of the essence of the relevant security standards, used by projects throughout the SDLC process to ensure that the standards are met. This helps provide assurance to the business that the required protections and safeguards are in place. It also records which complementary safeguards are put in place where the original control elements, as defined in the standard, are not achievable.
This feeds into the organisation's continuous assurance process and exception management process.¹
The set of standards required for an environment is the set that addresses the scope of the business's operations. They are usually aligned with the capabilities defined in the security framework and usually differ from one environment to another. However, because a few core IS services are largely the same regardless of environment, some IS-related standards may on the face of it appear similar, even though their implementation and application may differ. Some example standards are given below.
Example Security Standards
- Web Application [Security] Standard
- Network [Security] Standard
- Access Control Standard
- Anti-Virus Standard
- Asset Management Standard
- Backup Standard
- Business Continuity Standard
- Cloud Computing Security Standard
- Communications and Mobile Computing Equipment Standard
- E-commerce Standard
- Email Access Standard
- Encryption and Key Management Standard
- Firewall Management Standard
- Hardware Management Standard
- Human Resources Information Security Standard
- Information Security Incident Management Standard
- Information Management Standard²
- Information Services Legal Compliance Standard²
- Logging, Monitoring and Alerting Standard
- Password and Authentication Standard
- Physical Access Standard
- Software Management Standard
- Wireless Network Standard
- Vulnerability Management Standard
- Privileged Account Guidelines
Information Risk Management
The right risk management framework must be drawn up for the organisation. This must work through an engagement process to identify and define:
- Risk Appetite
- Risk Tolerance
- Key Risk Indicators (KRIs) and their accompanying metrics
- ERM integration points and the reporting framework
- Risk Management processes
Risk management processes must be embedded across the entire organisation, including but not limited to the SDLC, Exception Management, Vulnerability and Threat Management, and 3rd Party Services.
Policy Exception Management
Not all policies or standards will be enforceable at all times. This may be due to legacy environments, a lack of capabilities or cost prohibitions. Non-compliance, however, should not increase the risk profile of the organisation. Hence, a risk-management-driven exception management process must be defined to manage non-compliance.
Information Security Assurance
A continuous assurance framework must be developed, implemented and integrated into programme delivery, BAU activities and all other IS service provisioning processes. This must be supported by a robust reporting mechanism that gives senior management the necessary comfort that KRIs are not breached and that the organisation is operating within its defined acceptable risk profile. It also ensures that senior management can take corrective action before any risk factor grows out of control.
The appropriate technical capabilities for any given environment are derived from the specific dynamics of that environment. They are typically the outcome of working through structured architectural definition frameworks such as the one briefly discussed above, and are almost always different from one organisation to another. Hence, no details are discussed in this paper.
Gabriel Akindeju (CRISC, SCF, CISM, CISSP, CISA, MSc.) is Managing Consulting Director at Risks Consult Limited. With over 16 years of combined teaching, technology, technology risk management and security experience, Gabriel is very passionate about business aligned security architectures. He helps clients with technology risks management, business aligned information security architecture, governance and management.
¹ Both the Assurance Process and the Exception Management Process are separate and different from the Policy Management Process.
² Only defined if required. These may be owned by, and incorporated into, other functions within the organisation.