This policy describes how to establish effective security planning, embed security into risk management practices and use security planning and risk management to help make decisions.

Overview
To successfully manage security risks and protect people, information and assets, an entity must understand:
Security risks
A security risk is something that could cause harm to people or that exposes information or assets to compromise, loss, unavailability or damage. Shared security risks are risks that extend across:
Stakeholders must cooperate to effectively understand and manage shared risks. Entities must identify a risk steward (or manager) who is responsible for each security risk or category of security risk, including shared risks. Under their Chief Security Officer's direction, entities must apply a risk-based approach to implementing the PSPF that considers their size, operations and risk environment. A risk-based approach means that if an entity cannot implement a particular PSPF requirement, it can use an alternative mitigation strategy that achieves the same or a better level of protection.

Security planning
Security planning considers how security risk management practices are designed, implemented, monitored, reviewed and continually improved. Entities must develop a security plan that sets out how they will manage their security risks and how security aligns with their priorities and objectives. The plan must include scalable control measures that respond to increases or decreases in risk when a threat to the entity changes.
Information Security Management deals with the implementation and monitoring of a predefined security level for the IT environment. In particular, it addresses confidentiality, integrity and availability. Risk analysis, as the starting point, helps to define the customer's requirements for a security level. An internal, minimal security requirement is called IT basic protection. Additional security requirements of the customer are defined on an individual basis.

Objectives
To introduce and maintain a required level of security, as defined by law, contracts or other agreements. Information Security Management contributes to an integrated Service Management approach through the following activities:
Roles & Functions
Security Management specific roles
Static Process Roles
Security Process Owner
Initiator of the process, accountable for defining the process's strategic goals and allocating all required process resources. See Continual Process Improvement Management for a detailed description of these activities.
Security Process Manager (Security Manager)
The IT Security Management process is controlled by the Security Manager. The Security Manager can delegate tasks to specialized staff. Should it be necessary to use external staff, approval of the budget by the responsible person is required.
IT Security Management Team
The team in Security Management performs mandatory tasks for the Security Manager.
Dynamic Process Roles
Security Auditor
The Security Auditor verifies security policies, processes and tools. The auditor role should alternate between external and internal resources to provide an independent and reliable audit.
Service Specific Roles
Roles depending on the affected service are found in the Service Description. The Service Description, including the service specific roles, is delivered by Service Portfolio Management.
Customer Specific Roles
Roles depending on the affected customer(s) are found in the Service Level Agreement. The Service Level Agreement for the customer specific roles is maintained by Service Level Agreement Management.
Customer(s)
Customers of the affected service with a valid SLA.
Information artifacts
Security Policy
The process depends on general security rules. Moreover, this process is responsible for the permanent improvement and adjustment of general security policies and rules.
Security Design Record
Security Transition Record
Security Verification Record
Key Concepts
Availability
Information and the service must be accessible to authorised users.
Integrity
Information must not be modified by unauthorized users. The following levels of integrity are possible:
Confidentiality
Information must not be accessible by unauthorized users. The following levels of confidentiality are possible:
The Confidentiality Levels can be expanded or adjusted.
Authentication
Verification of the identity of a user or of information.
Authorization
Methods and tools used to decide whether a user or piece of information is allowed to access other devices or sources of information.
Severity Breach Levels
Severity levels indicate the importance of an optimization proposal or security incident. The following levels can be defined:
Critical: The level „critical“ needs to be implemented, including changes, as soon as possible.
High: The level „high“ needs to be implemented, including changes, within the next 2 days.
Low: The level „low“ needs to be implemented, including changes, within the next 7 days.
Process
Critical Success Factors
Critical Success Factors (CSF) define a limited number of factors which influence the success of a process. For Security Management, the following factors can be defined as CSFs:
The Security Manager must review the CSFs and must define and implement measures to ensure the success of the process.
Security Policy
High Level Process Flow Chart
This chart illustrates Security Policy Creation and Control.
Performance Indicators (KPI)
Process Trigger
Event Trigger
Time Trigger
Process Specific Rules
Process Activities
Security Policy Definition
Security Policy Definition deals with the definition of
Basic security rules define the security vision and organization and are aligned with the business strategy. The main guiding rule is the balance between a high security standard for internal IT services, services provided, externally supplied services and required services, and a good commercial "value for money" proposition.
Activity Specific Rules
Security Policy Controlling
Security Policy Implementation and Monitoring is responsible for the implementation, communication, monitoring and updating of security rules and policies.
Activity Specific Rules
Security Design Assistance
The Design sub-process in Security Management is responsible for the initial planning, or the planning of optimizations, of the security process. If a change proposal concerning the security process is classified, the change needs to be planned as well. This is performed by an expert from the responsible expert group in coordination with a member of the IT security staff. This sub-process is triggered by Service Design. After the activity is finished, the status needs to be changed to "planned". The process owner is the Security Manager. The process agent is an expert assigned by the „Security Staff“.
High Level Process Flow Chart
This chart illustrates the Security Management Design process and its activities.
Performance Indicators (KPI)
Process Trigger
Event Trigger
Time Trigger
Process Specific Rules
Process Activities
Design of Security Part in Service Design Package
Within this activity, the security section of the service design package is designed. This includes information on accessibility, security actions and measures, relevant passwords and policies, etc.
Activity Specific Rules
Approval of Security Design PackageWith this activity, the Security Manager approves the Security Design Package.
Activity Specific Rules
Security Transition Assistance
This activity, in cooperation with Change Management, supports the implementation and testing of security improvements by designing, testing, implementing and then testing the implementation again. These actions are headed by Change Management. If a security improvement proposal is authorized and approved by Change Management, all of the actions' functional descriptions and implementation procedures described in the improvement proposal need to be detailed, tested and approved in cooperation with Change Management. Afterwards, the implementation should be assisted to provide help in case of emergencies or implementation issues. A final PIR (Post Implementation Review), conducted together with Change Management, also includes testing.
High Level Process Flow Chart
This chart illustrates the Security Transition Assistance process and its activities.
Performance Indicators (KPI)
Process Trigger
Event Trigger
Time Trigger
Process Specific Rules
Process Activities
Creation of Risk Analysis and Feasibility Study
If Security Transition Assistance is requested by Change Management, the following two documents need to be defined:
The following aspects need to be addressed within a Feasibility Study:
A Feasibility Study is based on high-level planning and should not go into detailed planning, because the proposed change may not be accepted. Detailed planning of the Change is part of the activity „Build – Implement – Test – Assistance“ after the Change has been authorized. A Feasibility Study is provided by an expert or specialist in the addressed service. Any additional requirements provided by other processes, such as Financial, Availability or Capacity Management, will also need to be reviewed. After the responsible expert finishes their contribution to the planning of the security actions, the status needs to be set to "planned design package".
Activity Specific Rules
Build – Test – Implement – Assistance
If a security change is approved for implementation, Change Management will request assistance from Security Management, which in turn may request assistance from the sub-process Build, Test, Implement and Assistance. This activity provides the following information:
Within the change plan, the order and timeline of actions need to be described. Testing documentation must address the test design and ensure the effectiveness of the test. The test has to be executed before the live Change takes place and is split into two main test areas:
Implementation activities are carried out and led by Change Management. Security Management only assists and supports with regard to the security aspects and functions.
Activity Specific Rules
Evaluation and Closure Assistance
In coordination with the Post Implementation Review of the Change, Security Management helps to test the implementation from the security point of view. If tests fail, Change Management has to decide whether the fallback plan has to be executed or the implementation can be accepted despite the issues found in testing.
Activity Specific Rules
Security Verification
This activity is performed by the Security Manager. The target of the activity is to verify that an implemented security optimization delivers the planned results; verification uses the „Four-Eye Principle“. If the actions do not deliver the planned results, the status can be set to "re-designed" and the planning activity needs to be started again. If it is decided that a security improvement action is not approved, the status should be set to "cancelled". If Security Management approves, the status is set to "OK". From the perspective of Security Management, these actions are approved and can be implemented once Change Management has authorized them.
High Level Process Flow Chart
This chart illustrates the Security Management Verification process and its activities.
Performance Indicators (KPI)
Process Trigger
Event Trigger
Time Trigger
Process Specific Rules
Process Activities
Planning of Verification Activities
This activity plans the audit activities. Issues to be addressed by the planning:
This depends on the number and severity of security incidents per service as well as the importance of the service.
What is the extent of the audit: a full audit or just a check of a few indicators? Is the audit to be carried out by checks, real-life tests or just a questionnaire?
This depends on the number and severity of security incidents per service, the importance of the service and how exposed the service is to external and internal threats.
Auditors need to be rotated often to ensure that the auditor is independent and not influenced by options, customer relationships or the wish to keep the auditing contract. The result of this activity is an audit plan, which needs to be communicated.
Activity Specific Rules
Performing Verification Activities
Based on the audit plan, the audit is performed by the Security Verification Auditor.
Activity Specific Rules
Review of Verification Results
The results of the audit need to be checked. If security incidents occur, these need to be classified by severity breach level and handled by the Process Manager. In the case of minor changes, Change Management is addressed; in the case of major changes, the process is started again with a redesign or new design of the Security Package.
Activity Specific Rules