Multi-dimensional security involves protecting the information assets and associated resources within all areas of an enterprise and in compliance with all regulatory, policy, and contractual requirements. It places protection at not only the perimeter, as has historically been the norm, but also wherever information is stored, processed, or transmitted. Multi-dimensional security involves more than just technology solutions; it also utilizes operational, administrative, and human forms of protection to help reduce the risks to information wherever information can be found.
At a high-level, a multi-dimensional security program includes the use of:
Using multi-dimensional security reduces the risk of a security breach, secures data flows throughout the transmission path, reduces the impact and cost of compliance audits, protects against insider attacks, and demonstrates due diligence.
There is no magic bullet solution that, in and of itself, will secure all enterprise information assets and systems in compliance with all contractual and legal requirements. Multiple protection strategies must be used to most effectively reduce and manage the risks that exist within today's highly decentralized and widely connected systems.
As a starting point, the strategies can be visualized as a combination of protecting connection points and processing and storage locations as well as educating the people who utilize them. Figure 3.1 represents these multi-dimensional topics and examples of the underlying components.
Figure 3.1: Illustration of multi-dimensional topics.
All these components are then working and handling information within the requirements outlined within policies, procedures, and standards, regulatory and legal requirements, education, and under the watch of audit and validation, as Figure 3.2 represents.
Figure 3.2: Multi-dimensional strategies within an organization's security requirements.
Each business unit must deal with these clouds of information security considerations. The typical organization will have many business unit information security clouds addressing these issues. Highly diverse multinational organizations will literally have information security considerations clouds covering significant areas of the earth, similar to the situation illustrated in Figure 3.3.
Figure 3.3: Worldwide processing locations and data flows.
The information components and issues within even the most seemingly simple organization can in actuality be quite complex. In a large organization, it can become almost overwhelming to information security practitioners to secure all these components and address all these issues. It is critical with so many components and issues to consider that organizations simplify the complexity as much as possible to be able to implement a successful information security program and subsequently help avoid dealing with information security incident storms that could result from all these volatile security considerations clouds crashing into each other. The first step in preventing your worldwide information security environment from experiencing destructive information security storms is to perform a risk analysis and assessment.
It used to be that when businesses considered risks, they basically addressed the insurance coverage portfolio for the organization. Information security risk was not something at the top of business leaders' minds, or even in their thoughts, when the topic of risk management was mentioned.
As technology advanced, and as businesses became more decentralized and global, astute, forward-thinking business leaders realized that information was a cornerstone of successful business. As such, these leaders realized the need for appropriate protection to help reduce the risks to the confidentiality, integrity, and availability of the information.
Information security risk management evolved from the United States National Institute of Standards and Technology (NIST) Guidelines for Automatic Data Processing Physical Security and Risk Management (FIPSPUBs 31) and Guideline for Automatic Data Processing Risk Analysis (FIPSPUBs 65) in the mid-1970s. Because of the dramatic changes in the way information has been handled and processed since the introduction of what were then revolutionary documents, these FIPs were withdrawn in 2005 and 1995, respectively.
Since the introduction of risk analysis and assessment, there have been a wide range of methodologies and technologies developed for an even wider range of purposes. Some of the approaches are qualitative in nature, using metrics based upon information assets, threats, vulnerabilities, and safeguards and controls. Other methods are quantitative in nature, taking into consideration the monetary value of information assets, threat frequencies, threat exposure factors, and safeguard and control costs.
First let us consider what is meant by the terms risk assessment and risk analysis. There has been much debate about these definitions over the years. NIST defines risk assessment and risk analysis within their Special Publication 800-30 as follows:
Note that NIST considers the terms to be one and the same in meaning. However, the International Organization for Standardization (ISO) defines these terms within ISO/IEC Guide 73:2002 as follows:
Indeed there is room for interpretation. The goal of this guide is certainly not to argue for one term over another or to delineate the differences. For the purposes of this discussion, both terms will be used whenever discussing these types of risk management activities.
Most quantitative approaches are labor intensive and require the assessment/analysis facilitator to be a subject matter expert to most accurately determine the values of the risks. Unfortunately, a recurring weakness of risk assessments/analyses is that they usually fail to effectively communicate the discovered risks to business leaders, information owners, and decision-makers. Additionally, the accuracy of risk assessments/analyses is often in question, providing little value for business leaders and their decision-making process.
Automated tools can significantly reduce the labor and, to an extent, the inaccuracy of the monetary guesses associated with each risk. However, many businesses, frustrated with the cost and/or hard-to-use tools, have created their own in-house risk assessment/analysis methodologies and procedures. This process typically results in unstructured, uncoordinated methods for performing a risk assessment/analysis, and usually does not provide adequate consideration of all risks at all levels of the organization.
NIST defines risk in Special Publication 800-75 in the following two ways:
Reducing information security risks is a necessity in today's business environment. Any type of internal or external threat, risk, or vulnerability can quickly impact a well-running organization in many ways, such as losing a competitive advantage, losing customers, missing deadlines or orders, bad publicity, regulatory noncompliance resulting in fines and penalties, or costly civil suit judgments. Performing a risk assessment demonstrates your company is demonstrating due diligence for the decision-making processes throughout your organization.
A well-constructed risk analysis provides the documentation you need to prove that due diligence is performed.
To perform a risk analysis and assessment that will be useful to your organization, you must first define the risks. There are many professional and industry associations and government agencies that have published risk management and analysis guidance. Groups that have published risk management and analysis guidance include:
Define risks for your organization and within each of the business unit areas. What does legal consider as information risk? What do your privacy and compliance areas consider as information risk? What do your auditors consider as information security risk? What do information security leaders consider as risk? To be successful with a risk analysis and assessment, you need to first define organization-wide risks that exist within your environment and come to a consensus. The subsequent results of the risk analysis and assessment will then be more readily accepted as being applicable for your environment. When your coworkers participate in making security decisions, they feel ownership for the resulting actions that are implemented and are more likely to make a conscious effort for compliance.
The United States Office of Management and Budget (OMB) has identified 19 areas of information security risk, which are highlighted in the following list:
Major problems exist with the language and use of risk analysis and risk assessment primarily because such activities did not evolve from academia or from a well-structured professional oversight body. Instead, information security practitioners have been forced to create their own risk analysis and assessment methodologies to meet their environments' needs. A significant number of information security professionals have performed what they label as risk assessments and skewed the results to meet their own agendas (for example, obtaining more budget or obtaining justification to remove systems they personally do not want to support). Such misuse of the risk assessment process has negatively impacted the perception of the usefulness of such risk review activities.
The language of results of the risk assessment/analysis is also typically vague or highly subjective. Such vagueness and subjectivity does not typically fit well within a business environment that is used to viewing risks in terms of dollars and cents. Unfortunately, most business leaders ask information security practitioners to quantify risks to determine budgets for information security expenditures. This requirement puts information security practitioners in the very difficult situation of losing the confidence of their management when they do not get the numbers exactly right.
Lacking a well-established taxonomy and terminology, even well-meaning, smart security practitioners discuss risk management in ways that can be misinterpreted or lead to poor business decisions. This misinterpretation results in confusion, frustration, and mistrust not only within an organization but also among the security professionals themselves. Inconsistent and misleading use of language results in inconsistent, misleading, and incorrect results of a risk assessment activity.
Risk assessment and risk analysis are not the only misused terms in this area. Threats and vulnerabilities are often used interchangeably within risk assessment/analysis reports and by information security professionals, leading to confusion on the part of the readers, which are typically business organization leaders.
Most insightful risk and security leaders realize that security risks cannot be accurately and specifically calculated. The reason is that there is no body of complete and valid information covering information security upon which you can base calculations (unlike predicting financial investment risks based upon actuarial tables and significantly large and well-established bodies of incident information). However, performing risk assessment/analysis is still necessary for businesses to be able to adequately understand information risks and to determine which controls and tools to use to prevent the risks based upon how many times similar incidents have occurred elsewhere. The most realistic way to do so is through the use of qualitative risk analysis, based upon regulatory requirements and the potential impact from non-compliance fines and penalties. The assessment/analysis should then communicate what the financial impact experiences for each risk have been in other companies.
Organizations must meet the conditions of the various legal and regulatory requirements for performing a risk analysis and assessment. Smart organizational leaders will maximize the process of performing a risk assessment/analysis so that the requirements of as many applicable laws and regulations are met as possible to eliminate the need to do multiple assessments and end up duplicating work and effort.
Business leaders must recognize two givens:
Because of these differences, each information system and process will have unique security requirements that are determined by the associated risk environments.
The risk environment determines the possibility of harm and loss, and the inputs, outputs, level of activity, and associated costs determine the magnitude of harm and loss resulting from the exploitation of the risks.
An effective risk assessment/analysis will document information about risk exposures. This risk information will be used to make the most optimal risk mitigation decisions to result in the best overall performance. An effective risk assessment/analysis will allow the business to invest enough, but not more than what is necessary, to appropriately address information security risks.
It is bad business and bad information security management to spend $10,000 to mitigate $1000 of potential losses. Information security expenditures should not cost more than the value of the systems, assets, and processes being protected.
An effective risk assessment/analysis will produce a measure of risk so that risks can be consistently and reliably compared with one another, and the risk mitigation costs can be correlated to the risks they are addressing.
A common mistake businesses make is assessing a risk as "high," "unacceptable," or some other qualitative term, then not providing the quantitative information (such as estimated lost time, money, customers, fines, and so on) necessary to support a decision to implement risk mitigation measures. Risk mitigation measures should always have quantitative implementation costs provided to make the assessment/analysis useful.
Security requirements are identified using a methodical assessment/analysis of security risks. Expenditures for risk mitigation controls must be balanced against the business harm estimated to result from security incidents and failures. The results of the risk assessment/analysis will help to guide and determine the appropriate management action and priorities for managing information security risks and for implementing the controls selected to protect against these risks.
Risk assessment/analysis should be repeated periodically to address changes that might influence the risk assessment results.
Information security policies, procedures, and standards are all important considerations organizations must formally document and implement to have an effective information security program. Each type of document serves a different purpose.
An information security policy establishes the framework within which the business rules and regulations for handling information and reducing risk are described. Effective policies are created to help bring the organization into compliance with applicable laws and regulations as well as to address how to secure the business information processing environments within the organization. Management should set a clear policy direction in line with business objectives and visibly demonstrate support for, and commitment to, information security.
Information security policies are mandatory; they should not be written in a way that implies they are merely suggestions.
Information security procedures describe how to implement the policies. Procedures document the step-by-step detailed actions necessary to successfully complete a task that supports the policies. Procedures provide personnel with the information necessary to complete a task and provide assurance to management that the tasks are being completed in a consistent approved manner. Procedures improve efficiencies in employee workflow and assist in the prevention of misuse and fraud.
For example, a policy may require all information that leaves the organization to be encrypted. The corresponding procedure would define the tools and methods for encrypting the information, such as requiring the use of a virtual private network (VPN), along with details about each step to take to implement the software and hardware necessary to use the VPN in a way that is acceptable to the organization.
An information security standard is a detailed specification for hardware, software, and human actions to support the information security policies. Standards can detail the requirements for a wide range of issues, from the software to hardware that must be used to the remote access protocols that must be implemented to describing who is responsible for making information security approvals. Standards provide a documented way of ensuring that programs and systems will work together. By establishing standards, the enterprise limits the possibility of rogue applications systems, platforms, hardware, or software. There is less time spent in supporting non-standard activities or products. In short, standards define cost-savings processes that support the efficient running of the enterprise.
For example, a technical information security standard to support the policy requiring only corporate approved solutions be used to connect to the Internet might include a detailed description of how the transmission control protocol/internet protocol (TCP/IP) must be implemented, managed and used. A standard details the specific technical choices for implementing particular policies. For example, a policy may require strong identification and authentication be used when accessing information classified as confidential. The supporting standard might specify the specific brand and model of a microprocessor-equipped smart card to be used to enforce the access control restriction. Generally, those who are responsible for implementing policies use standards. Most standards do not need to be communicated to all personnel—only those responsible for the implementation of the policies. Standards also typically must be modified more regularly than policies in response to changing technologies and systems.
Many United States and international laws and regulations require organizations to document and implement policies, procedures, and standards. Additionally, business leaders must demonstrate that a standard of care exists within the enterprise. The implementation of these information security documents provides a demonstration of exercising due care.
Some of the laws and regulations that require organizations to document and implement information security policies, procedures, and/or standards include the following:
Additionally, the United States Federal Sentencing Guidelines for Organizations takes into consideration the policies implemented and clearly supported by executive management when they determine judgments for fines and penalties.
An information security policy documents executive management's direction on, and commitment to, information security. To be effective, you must communicate the security policy to everyone within your enterprise that handles your information or uses your systems.
Executive management must communicate their direction on and commitment to information security within a high-level information security policy that applies to all parts of the enterprise.
An effective information security policy will
An information security policy should be reviewed periodically and revised as necessary to reflect changes within the organization as well as technology changes.
The 2005 State of Information Security Study from CIO and CSO magazines includes results from interviewing 8100 IT security professionals from 62 countries. The survey results reveal that 8 percent of the companies have no documented security policy. The policy topics that occurred most frequently, as demonstrated by the accompanying percentages, within companies who had them included:
Twenty-four percent of companies had neither measured nor reviewed the effectiveness of their security policies and procedures.
These statistics reveal some of the challenges of creating and implementing policies, procedures, and standards:
In practice, information security seems to interfere with everyone's business. Network administrators work hard to make the networks as user-friendly and easy to use as possible, but then when security is applied—because of the mindset of the typical end-user—the security as implemented is very user-unfriendly and slows down users when they are trying to get their work done. Security policies challenge information and systems users to change the way they think about their responsibilities for protecting corporate information.
When you attempt to implement security policies on an unwilling audience, you will be met with resistance not only because the security is viewed as making jobs harder and more tedious but also because the typical worker does not like to be told what to do…especially by an information security expert, who they do not see as having any authority over them or as having a place in their chain of command.
A big challenge worth tackling is to present information security to everyone within the organization in a way that enables them to recognize that they, personally and professionally, are responsible for information security. To be successful, information security officers must involve all personnel from throughout the enterprise in developing information security policies. Personnel must justifiably believe that they own their security procedures that support the policies. Personnel with real involvement in policy development will become partners to advance information security instead of being opponents of security.
Supplying your personnel with the security information they need and ensuring they understand and follow the requirements is an important component to your organization's business success. If your personnel do not know or understand how to maintain confidentiality of your information or how to secure it appropriately, you risk not only having one of your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons but also being in noncompliance of a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities. You also risk damaging another of your valuable assets—corporate reputation.
There are an increasing number of laws and regulations that require some form of training and awareness activities to occur within the organizations over which they have jurisdiction. Issues under the United States Federal Sentencing Guidelines that impact the severity of the judgments include consideration of the types of training and awareness organizations provide to their personnel. The following list is not exhaustive but provides some of the laws and regulations requiring training and awareness:
Respect for customer security and privacy is one of the most important issues facing your company today. To gain and keep customer trust, your company must exercise good judgment in the collection, use, and protection of personal information. Not only do you need to provide training and awareness about this requirement to your personnel, but you also need to communicate to your customers (with whom you have a business relationship) and consumers (with whom you would like to have a business relationship, and who may have provided some information to you) what you are doing to preserve their privacy and ensure the security of their information through various awareness messages.
All workers (employee and contract) or companies who directly handle or impact the handling of your company information should take your security training before handling your company information, with refresher training every year, or more often based upon your business and the potential impact to your business if information is not handled correctly. You should provide training and awareness to ensure all your company activities comply with the company privacy policy as well as laws and regulations.
Organizations need to educate personnel about their information security roles and responsibilities—especially in support of published policies, standards, and procedures. Awareness and training should be constructed to support compliance with security and privacy policies. Executive management act as role models for personnel; their actions heavily influence the level of employee awareness and policy compliance. Senior management should clearly and noticeably support, encourage, and show commitment to information security and privacy training and awareness activities.
In general, due diligence means providing demonstrated assurance that management is exercising adequate protection of corporate assets, such as information and compliance with legal and contractual obligations. This requirement is a powerful motivator to implement a training and awareness program. Key provisions of the United States Federal Sentencing Guidelines and 2004 amendments include establishing an effective compliance program and exercising due diligence in the prevention and detection of criminal conduct. Any organization with some type of compliance requirements and/or plans (basically all public entities given the Sarbanes-Oxley Act of 2002) is directly impacted by the guidelines. One way such due diligence is demonstrated is through an effective, executive-supported information security education program.
It is no longer good enough simply to write and publish information security and privacy policies and procedures. Organizational leaders must now have a good understanding of the policies and the program, support the program, and provide oversight of the program as reasonable for the organization. This new requirement reflects a significant shift in the responsibilities of compliance and ethics programs from positions such as the compliance officer and/or committee to the highest levels of management. The guidelines require that executive leaders support and participate in implementing the program. To do so, an effective ongoing information privacy, security, and compliance education program must be in place.
Reputation is another critical organizational business success asset. Without a good reputation, customers leave, sales drop, and revenue shrivels. Reputation must be managed well. A component of managing good reputation is ensuring personnel and business partners follow the right information security actions to lessen the risk of something bad happening to information; such incidents will likely lead to very unseemly news reports and media attention.
There are many issues that impact corporate reputation that can be addressed through effective ongoing information security training and awareness activities:
Most personnel understand that if they are being measured for certain activities, they need to be accountable for those activities because those measures can impact their career with the company in some way. If an organization reports information security compliance and connects it with personnel performance, personnel understand more clearly their accountability and are even more likely to comply.
Accountability has more impact on a company, and corporate personnel, than ever before. There are a growing number of legal actions being filed by victims of inadequate information security and privacy practices against organizations that were not necessarily the perpetrators of an incident but whose systems and poor practices contributed to allowing the incident to occur. Such shifts in accountability start moving the enforcement of policy from management to individuals. Such shifts are also being supported by new regulations and government moves, such as requiring federal agencies to increase personnel accountability for breaches and requiring security to become standard in all network and computing products.
Implementing the use of signed information security awareness acknowledgements not only establishes personal accountability but also increases awareness and accountability for information security and privacy. Such signed acknowledgments document your organization's efforts and due care to ensure all personnel are given the information they need to perform their job responsibilities in a manner that protects information and network resources. Signed acknowledgments should be considered a facilitator for your awareness and training efforts. Signed acknowledgements could also provide valuable support for any sanctions you need to administer for policy noncompliance.
Your organization should expect all employees, officers, contractors, and business partners to comply with privacy, security, and acceptable use policies and protect your organization's information and systems assets.
Security audits and compliance validation reviews provide an in-depth examination of an organization's security infrastructure, policies, people, and procedures. When performed effectively and successfully, they will identify areas of weakness within the infrastructure. The auditor or reviewer can then provide recommendations for appropriate actions to address the weaknesses and reduce the accompanying risks.
Audits are important to ensure that corporate security policies are being followed and enforced. How can you ensure your access control policies are effective unless an audit is performed to review them?
Audits need to be performed to provide individuals who are responsible for particular IT environments, as well as executive management, with an independent assessment of the security condition of those environments and to validate that necessary controls are indeed in place and functioning as they should. The information security status of the enterprise environments should be subjected to thorough, independent, and regular security audits and control validation reviews.
Security audits and compliance validation reviews must include consideration of the business risks associated with the particular environment (the security clouds described earlier) under review and should be performed for critical business applications, information processing environments, communications networks, system development activities, and manual administrative and operational tasks.
Security audits and compliance validation reviews should be:
Recommendations for improvement resulting from the audits should be discussed and agreed upon with the individuals responsible for the environment under review and should be implemented and reported to executive management.
Information systems, processes, and practices security should be regularly reviewed. Perform the reviews against the appropriate security policies and the technical platforms and information systems for compliance with applicable security implementation standards, documented security controls, and regulatory and contractual compliance.
Audit requirements and activities involving checks on operational systems must be carefully planned and communicated to the audited area's management to minimize the risk of disruptions to business processes. You want information security to be viewed as a business enabler not as an obstacle to achieving business goals. To help enable the success of an audit, keep the following guidelines in mind:
Senior management should establish a plan to perform regular and independent audits to evaluate the effectiveness, efficiency, and economy of security and control procedures in addition to management's ability to control information security function activities. Senior management should determine priorities with regard to obtaining independent audits within this plan. Auditors should plan the information security audit work to address the audit objectives and to comply with applicable professional auditing standards.
Organizations must integrate their information security goals within business strategies to reach their overall enterprise objectives, get the most value out of their information, and capitalize on the technologies available to them. As computerized applications are penetrating nearly all business functions and processes, organizations are mixing hardware platforms from different vendors with a combination of commercially available software and in-house developed software. Issues such as IT governance, international information infrastructure, e-commerce, security, privacy, and control of public and enterprise information have driven the need for selfreview and self-assurance. These issues combined make the audit and validation process much more challenging and complex than in the past when information processing was generally limited to a large mainframe computer.
As a result of this increasing complexity, business risk increases. Audits and reviews are needed to evaluate the adequacy of information security to address the adequacy of all the information security and controls used by all the people, places, and processing systems. Recent situations such as those at Enron, WorldCom, and others have clearly shown the need for audit and independence.
The Sarbanes–Oxley Act of 2002 is one example of a regulation providing the needed support for organizations to address their organizational policies and controls and use the capabilities of their internal audit and information security teams.
In the years preceding the Sarbanes-Oxley Act, limited liability partnerships formed following the result of a Big Five audit organization that was taken to court by a client. The client selected a support system based on the firm's recommendation. However, the support system failed to perform in the manner recommended and caused the company financial loss. The courts held the Big Five firm liable for failing to exercise "due professional care" in the conduct of their work performed. The Big Five company sought the protection of a limited liability partnership with its audited client.
With the fall of Arthur Andersen LLP during the Enron scandal, there is now a Big Four. Arthur Andersen LLP was the first major international accounting firm taken to court and successfully convicted for a lack of due professional care in the destruction of client documents and obstructing justice. After a month-and-a-half trial and 10 days of deliberations, jurors convicted Andersen for obstructing justice when it destroyed Enron Corp. documents while on notice of a federal investigation. Andersen and their lawyers had claimed that the documents were destroyed as part of its housekeeping duties and not as a ruse to keep Enron documents away from the regulators.
The Sarbanes-Oxley Act regulation is not the only law that serves to compel organizations to perform regular information security audits and compliance reviews. A few of the others include HIPAA, GLBA, 21 CFR Part 11, the Bank Protection Act, the Computer Security Act, the Computer Fraud and Abuse Act (CFAA), the Privacy Act, FOIA, and the Federal Information Security Management Act (FISMA).
The beginning of this chapter discussed the many different components and multiple dimensions of addressing information security. Many organizations find themselves trying to fight fires and tackle all the related information security issues without first taking the time to create a thoughtful information security strategy. The strategy needs to simplify the complexity resulting from such highly diverse, dispersed, and dimensional environments.
Organizations must simplify the complexity of information security management by taking the large number of technology, human, and compliance issues and making them understandable to the business. At the same time, organizations must implement solutions to integrate these issues throughout all business processes so that information security is built-in to all products and services from the beginning of a business idea right through until the resulting service or product is no longer offered.
These complexities can be simplified using a common framework of information security disciplines and by getting the support of the information security efforts by the leaders throughout the organization rather than focusing on each individual issue at a time. The first step in simplifying information security complexity is by appointing an enterprise-wide information security officer to oversee and coordinate information security activities and decisions for the entire enterprise. This oversight will not only be the first step in simplifying complexity but also lead to consistency in addressing information security issues throughout the enterprise.
Information security practitioners have been struggling with how to simplify the complexity of information security management for years. To many of them, it seems as though for every step forward they take with progress, they take two steps back because of how swiftly technology changes, how swiftly new connections are made to their networks, and how swiftly more and more employees and business partners are mobilizing their business information processing. Most also focus on just one business unit issue at a time, resulting in the information security function hop scotching back and forth between different services and products, and not coordinating efforts or maximizing the benefits of rolling information security controls out to all enterprise areas at the same time. Information security leaders end up constantly fighting security fires as each business unit information security cloud lightning strikes.
To be effective, information security leaders must implement an information security strategy to simplify their efforts. To do so, consider each of the components within the multi-dimensional information security issues, divide your security responsibilities throughout the organization, and use automation to simplify and conquer your information security activities and challenges.
Too many times information security practitioners try to take on all the information security tasks themselves. This undertaking is not only unfeasible in most situations but also does not foster the need for all personnel to take responsibility for information security. When everyone is part of the development of information security, as a whole, organizations can then identify tools to address those activities that can be automated. There will be many areas where you can automate some of your information security activities throughout the enterprise (for example, through the use of centralized intrusion detection systems, access logs, antivirus solutions, and so on).
Dividing and distributing the information security responsibilities throughout the entire enterprise can accomplish simplification of complexity. One way to do so is by implementing the following:
Figure 3.5 provides an illustration of an example distribution of security responsibilities.
Figure 3.5: Example distribution of enterprise information security responsibilities.
Each role with information security responsibilities should use proven technology tools to automate as much as possible their responsibilities.
Even when dividing and distributing information security responsibilities throughout the enterprise, information security leaders will still face challenges to simplifying the accompanying complexity of information security management. Some of these challenges include:
For an effective information security program, a business must implement a multi-dimensional security program that includes the use of:
Establishing a thoughtful information security strategy based upon identified risks and managed by one enterprise role with responsibilities distributed throughout the enterprise help to simplify the complexity of addressing security and help to ensure an effective information security program. The next chapter will discuss the value of zoning to address these complex multidimensional information security issues and challenges.