A Systematic, Comprehensive Approach to Security
One of the central pillars of the security model we built in our knowledge base at Burton Group was called “A Systematic, Comprehensive Approach to Information Security.” I’ve always found this model helpful to use in any security analysis so as to make sure I’m covering all of the many important bases. You can get the same effect, I suppose, by working through the entire ISO 27000-series but the following diagram is a convenient shorthand.
Source: Gartner, Inc.
The diagram was originally developed for Burton Group and then Gartner. Credit is also due to Fred Cohen, who once worked with us at Burton Group and was my co-author on the original “systematic, comprehensive” document. In fact, you’ll notice a vaguely similar (but much more detailed) diagram at Fred’s site.
The systematic, comprehensive approach to security is an overall model for “business risk management” which sits front and center in the diagram. Risk is always where you start, but the diagram also identifies security-related business processes, provides guidance on security objectives, security posture and security architecture alternatives. It relates these models to the lifecycles and contexts of a business and its information, people, and systems.
In risk management, you have to think in triples – the threat, the vulnerability, and the consequence that could occur if the threat successfully exploits the vulnerability. A useful way to come up with consequences, from the worst-case scenarios on down, is to inventory the organization’s critical assets (physical, informational, financial, reputational, etc.) and ask, for each one, what would happen if the organization failed to meet a security objective, i.e. confidentiality, integrity or availability.
Having identified many risk scenarios, an organization can group them, prioritize them and look to deal with each in one of four ways – accept, avoid, transfer or mitigate the risk. Outside of the realms of executive decision making (not to undertake a risky project, or simply to accept the risk) and the legal or financial processes (transfer a risk through contracts, insurance or hedging), most IT-related risks must be mitigated.
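As an added illustration (not code from the post, from Burton Group or from Gartner), here is a small risk register that walks the procedure above: cross an asset inventory with the three security objectives to generate threat/vulnerability/consequence triples, prioritize them by a simple likelihood × impact score, and assign one of the four treatments. The asset names, threat catalogue and scoring scales are constructed assumptions for the example.

```python
"""Risk register built from (threat, vulnerability, consequence) triples.
Assets, threats and scores below are constructed for illustration only."""
from dataclasses import dataclass
from itertools import product

OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed catalogue: for each objective, a representative threat, the
# vulnerability it would exploit, and a coarse likelihood (1 rare .. 5 likely).
THREATS = {
    "confidentiality": ("credential phishing", "no MFA on mail", 4),
    "integrity": ("unauthorised change", "no change review", 3),
    "availability": ("ransomware", "unpatched file server", 3),
}


@dataclass(frozen=True)
class Scenario:
    asset: str
    objective: str
    threat: str
    vulnerability: str
    consequence: str
    likelihood: int
    impact: int  # 1 negligible .. 5 severe, taken from the asset inventory

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def build_scenarios(inventory):
    """inventory: {asset: {objective: impact}}. Returns one Scenario per
    asset/objective pair, sorted highest risk first (the prioritised list)."""
    scenarios = []
    for asset, objective in product(inventory, OBJECTIVES):
        threat, vuln, likelihood = THREATS[objective]
        impact = inventory[asset].get(objective, 1)  # unrated objective: negligible
        consequence = f"loss of {objective} of {asset}"
        scenarios.append(Scenario(asset, objective, threat, vuln, consequence, likelihood, impact))
    return sorted(scenarios, key=lambda s: s.score, reverse=True)


def choose_treatment(scenario, appetite=6, transferable=(), optional=()):
    """The four treatments: accept risks within appetite, avoid optional projects,
    transfer insurable/contractual risks, and mitigate everything else."""
    if scenario.score <= appetite:
        return "accept"
    if scenario.asset in optional:
        return "avoid"
    if scenario.asset in transferable:
        return "transfer"
    return "mitigate"
```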
Then you get into an iterative process of viewing risks, security objectives and alternative procedural or technical mitigations through the lens of lifecycles and contexts for different assets including the protection resources themselves. At this point, good security architecture models become essential.
I’m unable to quote extensively from it, but as I mentioned earlier, the “A Systematic, Comprehensive Approach to Information Security” document may still be in the Gartner archives. Perhaps in a future post I’ll walk through the approach by example, as I sometimes do when considering a specific security problem or project. In the meantime, it might really help your own security thinking to go through a similar exercise, perhaps after reading the Gartner document (or, if you don’t have access, Fred’s site).