
Enterprise Wide Security Framework – BMS NOTES

Enterprise Wide Security Framework

Organizations have always relied on policies to convey high-level management mandates. Once issued, these documents have a top-down effect on every department, business unit, and employee in the organization. Such policies are usually written to reflect the environment at one point in the organization's history, and keeping them current as the organization grows and changes is one of the biggest challenges in this area. Information systems are where organizations change fastest: the rapid advance of technology forces organizations to apply old rules in new technical settings. Second, with the introduction of new technologies such as extranets and intranets, security and the protection of information assets have become top priorities.

The first step is an enterprise-wide information systems security policy that continues to be applied as business requirements change. Unfortunately, most organizations have only piecemeal security measures scattered across the enterprise. These may raise the sense of security in some areas or among some people, but they do not really protect the organization as a whole.

In response to these needs, PricewaterhouseCoopers created the Enterprise Security Architecture System (ESAS), a Security Knowledge Management system. Its goal is to help an organization put in place a vital piece of its security infrastructure. ESAS is built largely on the PPT approach (People, Policy, and Technology). PwC has also mapped ESAS to ISACA's COBIT methodology and to the ISO 17799 requirements.

PPT Approach

PPT stands for People, Policy, and Technology. These three components combine to form the security process. Each depends on the others in some way, and when they are combined, issues are covered more thoroughly. When all three work together, the controls environment is significantly stronger. A simple diagram illustrates this (see Figure 1), showing both the core components and the regions of coverage.

Control coverage increases as you move toward the region where these components overlap. Let us examine each of the three separately.

People are the most crucial component. The People element consists of the individuals in the organization and their various roles and responsibilities; these are the people assigned to carry out and support the process. Key roles include senior management, auditors, end users, IT and system administrators, and security administrators.

Policy comprises the Security Vision Statement, the Security Policy and Standards, and the Control Documentation. It serves as the written bible of the security environment, providing direction and guidance for the security process.

Technology comprises the tools, procedures, and systems put in place to support the process. These are the core technologies the organization relies on, including its operating systems, databases, applications, and security tools. Technology supplies the operational, enforcement, and monitoring tools that make the process workable.

The idea is to measure the coverage and effectiveness of each core component. An issue can be evaluated against the model to determine which components currently cover it. The next step is to move the issue into the regions where the components overlap, with the ultimate goal of moving it into the center, where coverage is greatest. Every measure taken to manage a risk falls into one of the three categories: people, policy, or technology. If one component already addresses the issue, adding a second may improve the result. When the core components are integrated into the controls environment and used together, the issue is tackled on several fronts and control coverage increases.

The PPT Model

A few simple examples demonstrate the PPT Model. Figure 2 shows the model applied to Internet use and misuse. First, users are trained in safe use of the Internet; People is the only component supporting the controls environment. Next, an Internet usage policy is written, a document describing acceptable Internet use and the consequences of misuse; two of the three components now support the controls environment.

Finally, filtering software is installed on the firewall, and all three components now cover the controls environment. Figure 3 shows a case in which only two of the three components address a given issue, and illustrates the effect of an environment with weak control coverage.

A firewall is set up to secure the Internet connection. Coverage of core components = 1.

The person in charge of the firewall gets specific training and acquires the abilities required to manage the firewall. Coverage of core components = 2.

The organization's firewall administrator departs. The controls now depend on technology alone. Coverage of core components = 1.

How can the model be used to find a better outcome for the scenario in Figure 3? Figure 4 shows one.

A firewall is set up to secure the Internet connection. Coverage of core components = 1.

The person in charge of the firewall gets specific training and acquires the abilities required to manage the firewall. Coverage of core components = 2.

Written firewall operational standards and documented controls are put in place. Coverage of core components = 3.

The organization's firewall administrator departs. Because the standards, procedures, and technology are documented, the expertise and knowledge stay inside the company, and two of the core components still support the controls environment. Coverage of core components = 2.

These illustrations show how the PPT model simplifies the analysis of a risk issue. By dividing the issue into the three core components, action items can be identified for each, and control coverage can be extended from one component to two and finally to all three.

Although the PPT model is intuitive, CIOs found the framework hard to apply in practice. The ESAS tool makes this easier.

The ESAS repository. ESAS is a Security Knowledge Management platform that helps technology and the business work together. It gives an organization a consolidated repository of security policies and technical control information. ESAS provides the basic framework for an effective information security program and enables the organization to communicate security policies and controls across the enterprise.

The main goals of ESAS are to:

  • Ensure that security goals are consistent across all operating units.
  • Let corporate objectives and strategy drive information security.
  • Allow the organization to manage the risks associated with change and cope with changes in business activities and technology.
  • Provide the organization with a thorough set of security guidelines.
  • Provide techniques for taking a risk-based view of information and technical systems.
  • Provide ways to achieve security goals efficiently and effectively at the technical level.

ESAS is built on a dedicated security model and framework (described below) that gives flexibility in managing security information.

Understanding the Security Framework

The information security framework developed by PricewaterhouseCoopers provides a general structure for building comprehensive security programs, and serves as a model for an enterprise security strategy.

The key components, known as the "Four Pillars" of information security, are:

  • strong commitment from senior management
  • a comprehensive security vision and strategy
  • a thorough education and awareness program
  • a strong information security management framework with defined roles and essential skill sets

A program built on these four pillars proceeds through several phases.

The first is the Decision Driver Phase, which comprises the elements that establish the business drivers for security: risks, vulnerabilities, business initiatives, processes, and technology strategy and use. Together these form the organization's distinct "Security Profile", which the security policies and technical controls must take into account.

The next component of the Information Security Framework is the design of the security environment, the Design Phase. Here the organization documents its security policy, its management environment, and its technology-level controls. The enterprise's "security model" is as important to this process as the precise articulation of security policy and technical control information. This component also includes information classification and risk assessment techniques, which enable the organization to recognize the value of its information assets and the risks to them, and to manage that risk effectively.

The Implementation phase is the last component of the Information Security Framework. First, the administrative and end-user policies and procedures are documented; these must be clear and adaptable to changing circumstances. Then enforcement, monitoring, and recovery processes are added to give the security program operational support. These processes are where the rubber meets the road: if the security program is not operated day to day, the benefits of all its design and documentation are lost.
