Security vendors have the unique ability to evaluate and assess the security and risk capability of various government agencies and compare the strengths and weaknesses of different approaches, assess maturity, and identify key issues hindering the development of an appropriate cyber security defence.
Some agencies fare better than others, but all have the same mandate: to treat security and risk issues affecting public data and systems in a professional and responsible manner (hopefully using best-practice techniques, standards, resources and strategies).
One of the more common failings (particularly in outsourced environments) is for the ICT department to deliver only ‘technology’ solutions and not consider the supporting functions required to deliver an outcome at the ‘service’ level, i.e. the resources, processes, standards and capabilities required to deliver the ongoing service that the technology enables.
This is very true of security: often the tool itself is provided with no thought as to how it will be supported, or even delivered as an effective control, with the required integration, training, support, management, SLAs, reporting, ongoing assurance, or even standards used for configuration and deployment.
Here are some keys to ensuring that security services remain effective in your organisation:
1. Establish a security framework
Describe how security works within the organisation, what the ‘lines of defence’ model is and how it works. Identify the organisational structure and the standards used to organise the security, risk, audit and governance functions in your organisation.
2. Produce a RACI which assigns the ownership of responsibilities
Often, agencies promote the ‘diffusion of responsibility’ by not clearly defining who is responsible for the delivery of cyber security and how the ‘lines of defence’ model relates to this, i.e. if an audit, security certification or risk assessment identifies control failures, how are the CE, Board or other governance functions advised, who is responsible for remediation, and under what timeframes?
3. Draft the Policies and Standards to be used for security
Ensure that detailed policies and standards are created to mirror the outcomes desired by the Board, governance and business functions, and the regulatory requirements related to the agency’s mandate.
4. Define an enterprise-wide security architecture
Ensure the alignment of security architecture with the framework, RACI, policies and standards defined above. Use detailed standards and ensure that security services are defined and clearly articulated.
5. Develop detailed security services
Define in detail what security services are required, what the SLAs are for their provision, and who is responsible for the delivery, operation and support of each control across the enterprise. Define how centralised assurance is provided for each control or service, and which standards define the configuration, operation and management of each control, etc. Starter for 10…
Identity management, authentication, access control, logging, monitoring, network/gateway/firewalls, CASB/WAF, application security, vulnerability management, security assurance/reporting. Create your own list of services defined by your agency’s requirements.
6. Embed a pervasive, centralised security control assurance service
The ongoing centralised management of security service assurance will pay huge dividends by removing the need for vendor re-work, churn and repetition. ‘Do it once and reuse.’
7. Risk is not Security and vice versa – don’t confuse the two
Clearly define organisational responsibility for the ‘delivery’ of security services, and re-organise to ensure the efficient delivery of the various governance responsibilities.
Another excellent way to protect your business is with professional guidance. CANDA is an industry leader in Cyber Security in New Zealand, and can provide consultancy and other services to help your agency stay ahead. See our services page to learn more.