Governance Issues: Checklist for Security Management

The purpose of security planning is to determine how to manage the assets of the enterprise so as to minimize security risk. To ensure that the security plan actually reduces risk to the business, adopt the following governance practices.

Governance Checklist (Detailed)

1. Plan Security Management

§         Establish a security management process.

§         Make a staff member responsible for the overall security of the system.    

§         Define internal (organization specific) as well as external (government, industry related) security requirements.

§         Develop a model of the system that shows the important components and their interrelationships. The view should show the key components that are affected by the security requirements.

§         Identify and evaluate risks associated with each valuable resource. This involves a study of vulnerabilities of individual system components, and identification of threats that could exploit the vulnerabilities. Vulnerabilities and threats can be discussed in terms of privacy, integrity, authentication, authorization, accountability, and availability (abbreviated PIA4).

§         Conduct configuration-dependent risk analysis using techniques such as attack trees. For example, a database reachable from a wireless network is more exposed than the same database reachable only from the internal corporate network, so the analysis must be repeated for each deployment configuration. An attack tree (a close relative of the attack graph) is a tree whose root is the attacker's goal and whose AND/OR nodes decompose that goal into the steps needed to reach it; assigning a cost and a likelihood to each leaf allows the cheapest or most likely attack path to be computed systematically.

§         Prioritize risks by expected loss: the likelihood of a successful attack multiplied by its impact on the business.
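As an added illustration of the attack-tree technique (example code written for this checklist, not part of the original text), the following Python evaluates a small AND/OR attack tree for the database scenario in both configurations: reachable over the wireless LAN, and reachable only from the internal network. The tree, step costs, success probabilities and breach impact are all assumptions chosen to show the method; the "sniff the WLAN" step exists only in the wireless configuration, which is what makes the analysis configuration dependent. OR nodes take the cheapest viable branch, AND nodes add costs and multiply probabilities, and the cheapest path's probability times impact gives the expected loss used for prioritization.

```python
# Added example: evaluating a small attack tree for two deployment
# configurations of the same database (illustrative code, not part of the
# checklist; the tree, costs, probabilities and impact are assumptions).
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    """One node of an attack tree.

    kind is "LEAF", "AND" (all children required) or "OR" (any child suffices).
    For leaves, cost is the attacker's effort in arbitrary units and p is the
    probability that the step succeeds; enabled=False removes a step that is
    not available in the configuration being analysed.
    """
    name: str
    kind: str = "LEAF"
    cost: float = 0.0
    p: float = 0.0
    children: List["Node"] = field(default_factory=list)
    enabled: bool = True


def cheapest_attack(node: Node) -> Tuple[float, float, List[str]]:
    """Return (cost, probability, path) of the cheapest attack on this subtree.

    OR: the attacker takes the cheapest viable branch.
    AND: every branch must be carried out, so costs add and probabilities
    multiply (steps are assumed independent).
    A leaf disabled in this configuration costs infinity and never succeeds.
    """
    if node.kind == "LEAF":
        if not node.enabled:
            return float("inf"), 0.0, []
        return node.cost, node.p, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        cost = sum(r[0] for r in results)
        p = 1.0
        for _, p_i, _ in results:
            p *= p_i
        path = [step for r in results for step in r[2]]
        return cost, p, path
    raise ValueError(f"unknown node kind {node.kind!r}")


def build_tree(wireless: bool) -> Node:
    """Attack tree for reading the customer table, parameterised by whether
    the database is reachable over the corporate WLAN (assumed values)."""
    # Reaching the listener is cheap and likely from a WLAN, hard from inside.
    reach = Node("Reach the database listener",
                 cost=5 if wireless else 40, p=0.9 if wireless else 0.2)
    # Sniffing credentials is only a step at all when traffic crosses the WLAN.
    sniff = Node("Sniff credentials off the WLAN", cost=10, p=0.5, enabled=wireless)
    phish = Node("Phish the DBA for credentials", cost=30, p=0.3)
    exploit = Node("Exploit an unpatched database service", cost=50, p=0.4)

    creds = Node("Obtain database credentials", "OR", children=[sniff, phish])
    login = Node("Log in with stolen credentials", "AND", children=[reach, creds])
    service = Node("Exploit the service", "AND", children=[reach, exploit])
    return Node("Read the customer table", "OR", children=[login, service])


def expected_loss(tree: Node, impact: float) -> float:
    """Expected loss of the cheapest attack: success probability times impact."""
    _, p, _ = cheapest_attack(tree)
    return p * impact


if __name__ == "__main__":
    IMPACT = 500_000  # assumed cost to the business of a customer-data breach
    for wireless in (True, False):
        tree = build_tree(wireless)
        cost, p, path = cheapest_attack(tree)
        label = "WLAN-reachable" if wireless else "internal-only"
        print(f"{label:15} cost={cost:>4} p={p:.2f} "
              f"expected_loss={expected_loss(tree, IMPACT):,.0f}")
        print("   path:", " -> ".join(path))
```

Running it shows the wireless configuration's cheapest attack (reach the listener, then sniff credentials) costing 15 units with a 0.45 chance of success, against 70 units and 0.06 for the internal-only configuration, where the only credential route left is phishing. The same tree can be re-evaluated after a proposed control changes a leaf's cost or probability, which is how the cost-effectiveness of a mitigation is compared.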



2. Define, in Detail, the Security Management Approach

§         Develop policies that treat each identified risk: mitigate it with controls, stipulate consequences for violations, or transfer it through insurance.

§         Identify procedures and guidelines to enforce the policies.

§         Establish security audit and control procedures.

§         Clearly state organizational roles and responsibilities.

§         Institute security awareness and training programs.

§         Identify technologies that protect the assets, such as encryption, authentication controls, and audit trails. These technologies protect the important resources by strengthening privacy, integrity, and the other PIA4 properties.

§         Employ other instruments such as intrusion detection systems (IDSs) and honeypots. IDSs continuously monitor network traffic or host activity and raise alerts on signs of intrusion. Honeypots are decoy systems with no production role, so any interaction with them is suspicious by definition; they divert and delay intruders and yield intelligence about their tools and techniques.

§         Select mitigation strategies that are most cost effective.


3. Enable the Security Management Process

§         Deploy network management mechanisms and policies.

§         Make someone in charge of enterprise security.

§         Make employees, managers, and customers aware of the security policies and procedures.

§         Deploy the security technologies identified above.

§         Deploy and operate audits and controls to reduce risk to the business.

§         Incorporate people, process, and technology in the mitigation solution.

§         Measure the security risk management process for effectiveness and verify that controls are providing the expected degree of protection.

§         Develop a risk scorecard to track security breaches and progress against the plan.

§         Evaluate the risk management program for weaknesses and opportunities to improve.

§         For advanced users: Use security management tools.


4. Monitor the Security Management Processes

§         Use frequent audits to monitor compliance with policies.

§         Use frequent audits to monitor compliance with governance arrangements.

§         Monitor effectiveness metrics of security management.

§         For advanced users: Use automated security management tools to monitor intrusions on the system.

§         Deploy a solid business continuity planning approach (see the checklist below).




BUSINESS CONTINUITY PLANNING: Develop and deploy an overall business continuity and disaster recovery plan

·       Include the most critical resources (applications, platforms, and networks) in the plan. These resources should already have been identified in the management considerations for applications, platforms and networks; verify and expand that list.

·       Review and refine the network disaster recovery plan generated previously (network management checklist).

·       Analyze the threats and impacts of natural as well as man-made disasters, using several different scenarios.

·       Identify a disaster recovery procedure and determine how it differs from your current system, whether it can handle the workload, and whether it is adequately documented for use in a disaster situation.

·       Include people and processes in the plan. This should include phone numbers to call, desks and working space in case of disaster, living accommodations for specialists if needed, etc.

·       Test your disaster recovery plan at least twice a year and update the recovery procedure accordingly. The tests must cover the technologies, processes and people.

·       Ensure that security measures (policies, firewalls, anti-virus programs, etc.) are not weakened in a disaster situation; recovery systems and temporary work locations must be held to the same controls as production.

·       Keep full documentation of the plan and backups of the configuration files and critical resources at offsite locations.