- Network and Systems Security: The Foundation. Have a clear understanding of how the organizationís infrastructure is architected. For example, what is the technology deployed for prevention, detection, and management around the infrastructure systems and the network.
- Application Security: Both Internal and External. In order to maintain an optimal security posture, management should assess both internal applications, as well as those procured by third-parties. A solid understanding of the risks associated with each application will help eliminate potential risk before applications are deployed.
- Data Security: Protecting Critical Assets. Data is considered the most important asset of an organization. Management needs a plan for protecting and recovering data throughout the lifecycle. Data should be kept safe from corruption and also suitably controlled.
- Secure Operations: People Drive Process. Managing and protecting assets includes a method to distribute products and services, and a process created to drive change among people. In many organizations, operations are the weakest link, yet it is also the first and last line of defense.
- Business Continuity: Ensuring Uptime. Understanding an organizationís availability requirements is fundamental to establishing priorities. There should be a clear plan to keep the business up and running, despite any potential threats or outages.
- Security Strategy: Aligning with Business. Security strategy should always be aligned with an organizationís business strategy. To do so, security professionals should ask the following questions: What do I want to protect? How do I want to protect my assets? Finally, what are the metrics to evaluate for success?
- Security Organization: Sharing Risk. Along with security strategy, a security organization should also be aligned with the business goals and objectives. Security professionals should also be able to illustrate how their programs and initiatives will drive the business goals and objectives.
There are several scenarios in which a security blueprint can be particularly helpful in balancing an organizationís overall IT risk and security management program. One is when an organization needs to evaluate the current state of their existing program capabilities and define their desired state of program maturity. Applying a blueprint approach against the aforementioned seven core program pillars provides a portfolio model for aligning the value of security with business objectives and associated risk tolerance. For example, when a CIO, CSO, or executive, needs to identify, evaluate and address gaps in their security and IT risk program. The result of this blueprint assessment enables the executive to prioritize their initiatives around program elements which bring the greatest business, security and IT risk management value.
Another security blueprint use case might be during a merger or acquisition. During an acquisition, an organization will examine their maturity level with regard to security and risk. They might plan to use some integration dollars to bolster the acquired companyís security posture to bring it in-line with their desired level. A security blueprint will identify the areas that need the most improvement. It will also give them the insight into what the acquisition companyís strengths are. This way, they can also leverage these strengths and apply them across the board.
Similarly, for a large organization with a number of subsidiaries, the security blueprint process will examine each different business unit, along with the parent company, to determine the strengths of each subsidiary. Rather than the parent company investing and bolstering each area to one level, they can borrow and implement programs from its subsidiaries. This allows executives to take what exists and leverage it across the board, rather than investing in designing a program.
A security blueprint gives an organization a good understanding of the breadth of information security capabilities that should exist within the organization. It also allows the executive team to visualize and measure an overall information security program, greatly simplifying the overall equation in managing security.
By following seven simple steps that address the strategic view, the operational view, and the technology view, executives, security practitioners and business stakeholders can evaluate overall capabilities and align their security program portfolio with the risk expectations of their business.