The security program life cycle

By Shon Harris 25 Oct 2006 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

This is the third article in our series on security governance.

A security program is the set of controls that an organization must govern. It is important to understand that a security program has a continuous life cycle that should be constantly evaluated and improved upon otherwise inconsistent efforts open the organization to increased risk.

There are different ways of describing a life cycle of any process. We will use the following steps:

• Plan and organize
• Implement
• Operate and maintain
• Monitor and evaluate

• Written policies and procedures that are not mapped to and supported by security activities
• Severe disconnect and confusion between the different individuals throughout the organization attempting to protect company assets
• No way of assessing progress and ROI of spending and resource allocation
• No way of fully understanding the security program deficiencies and having a standardized way of improving upon the deficiencies
• No assurance of compliance to regulations, laws or policies
• Relying fully on technology as all security solutions
• Patchwork of point solutions and no holistic enterprise solution

Without applying a life cycle approach to a security program and the security management that maintains the program, an organization is doomed to treating security as a project. Anything that is treated as a project has a start and stop date, and at the stop date everyone disperses to other projects. Many organizations have good intentions in their security program kickoffs, but do not implement the proper structure to ensure that security management is an on-going and continually improving process. The result is a lot of starts and stops, and repetitive work that costs more than it should with diminishing results.

The main components of each phase are outlined below:

• Plan and organize
  • Establish management commitment
  • Establish oversight committee
  • Assess business drivers
  • Carry out a threat profile on the organization
  • Carry out a risk assessment
  • Develop security architectures at an organizational, application, network and component level
  • Identify solutions per architecture level
  • Obtain management approval to move forward
• Implement
  • Assign roles and responsibilities
  • Develop and implement security policies, procedures, standards, baselines and guidelines
  • Identify sensitive data at rest and in transit
  • Implement programs
    • Asset identification and management
    • Risk management
    • Vulnerability management
    • Compliance
    • Identity management and access control
    • Change control
    • Software development life cycle
    • Business continuity planning
    • Awareness and training
    • Physical security
    • Incident response
  • Implement solutions per program
  • Develop auditing and monitoring solutions per program
  • Establish goals and metrics per program
• Operate and Maintain
  • Follow procedures to ensure that all baselines are met in each implemented program
  • Carry out internal and external audits
  • Carry out tasks outlined per program
  • Manage service level agreements per program
• Monitor and evaluate
  • Review logs, audit results, collected metric values and SLAs per program
  • Assess goal accomplishments per program
  • Carry out quarterly meetings with steering committee
  • Develop improvement steps and integrate into the plan and organize phase

About the author:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.

This article originally appeared on SearchSecurity.com.

Tags: SAP security administration,  What's going on: SAP security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SAP security administration SAP TechEd 2009 Phoenix: SearchSAP.com Special Report How to stop SAP users from displaying SAP HR tables content Locating user email addresses in SAP SU01 transaction code How to map multiple SAP roles and profiles Viewing SAP transaction codes and profiles Managing SAP user access and password expirations Can SAP developer include authority check for S_TCODE in a called transaction? Cisco and SAP integrate technologies to create data privacy application SAP administration information for a Basis interview Transferring R/3 Admin skills to SAP NetWeaver What's going on: SAP security Privacy and your offshore operations IT perplexed by password-protection challenges

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary