Security level management

Security level management (SLM) comprises a quality assurance system for information system security.

The aim of SLM is to display the information technology (IT) security status transparently across an organization at any time, and to make IT security a measurable quantity. Transparency and measurability are the prerequisites for improving IT security through continuous monitoring.

SLM is oriented towards the phases of the Deming Cycle/Plan-Do-Check-Act (PDCA) Cycle: within the scope of SLM, abstract security policies or compliance guidelines at a company are transposed into operative, measureable specifications for the IT security infrastructure. The operative aims form the security level to be reached. The security level is checked permanently against the current status of the security software used (malware scanner, update/patch management, vulnerability scanner, etc.). Deviations can be recognised at an early stage and adjustments made to the security software.

In corporate contexts, SLM typically falls under the range of duties of the chief security officer (CSO), the chief information officer (CIO), or the chief information security officer (CISO), who report directly to an executive board on IT security and data availability.

Classification

[edit]

SLM is related to the disciplines of security information management (SIM) and security event management (SEM) (as well as their combined practice, security information and event management (SIEM)), which Gartner defines as follows: […] SIM provides reporting and analysis of data primarily from host systems and applications, and secondarily from security devices — to support security policy compliance management, internal threat management and regulatory compliance initiatives. SIM supports the monitoring and incident management activities of the IT security organization […]. SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations. […] [1]

SIM and SEM relate to the infrastructure for realising superordinate security aims, but are not descriptive of a strategic management system with aims, measures, revisions and actions to be derived from this. SLM unites the requisite steps for realising a measurable, functioning IT security structure in a management control cycle.

SLM can be categorised under the strategic panoply of IT governance, which, via suitable organisation structures and processes, ensures that IT supports corporate strategy and objectives. SLM allows CSOs, CIOs and CISOs to prove that SLM is contributing towards protecting electronic data relevant to processes adequately, and therefore makes a contribution in part to IT governance.

Procedure

[edit]

Defining the Security Level (Plan): Each company specifies security policies. It defines aims in relation to the integrity, confidentiality, availability and authority of classified data. In order to be able to verify compliance with these specifications, concrete objectives for the security software used in the company must be derived from the abstract security policies. A security level consists of a collection of measurable limiting and threshold values.

Limits and thresholds must be defined separately for different system classes of the network, for example, because the local IT infrastructure and other framework conditions must be taken into account. Overarching security policies therefore result in different operational objectives, such as: The security-relevant software updates should be installed on all workstations in our network no later than 30 days after their release. On certain server and host systems after 60 days at the latest.

The IT control manual Control Objectives for Information and Related Technologies (COBIT) provides companies with instructions on transposing subordinate, abstract aims into measurable objectives in a few steps.

Collecting and Analysing Data (Do):Information on the current status of the systems in a network can be obtained from the log data and the status reports of the management consoles of the security software used. Monitoring solutions that analyse the security software of different vendors can simplify and accelerate data collection.

Checking the Security Level (Check): SLM provides continual comparison of the defined security level with the actual values collected. Automated real-time comparison supplies companies with a continuous monitoring of the security situation of the entire company network.

Adjusting the Security Structure (Act): Efficient SLM allows trend analyses and long-term comparative assessments to be made. By continuously monitoring the security level, weak spots in the network can be identified at an early stage and proactive adjustments can be made to the security software to improve system protection.

Standards

[edit]

Besides defining the specifications for engineering, introducing, operating, monitoring, maintaining and improving a documented information security management system, ISO/IEC 27001 also defines the specifications for implementing suitable security mechanisms.

ITIL, a collection of best practices for IT control processes, goes far beyond IT security. In relation, it supplies criteria for how Security Officers can conceive IT security as an independent, qualitatively measurable service and integrate it into the universe of business-process-oriented IT processes. ITIL also works from the top down with policies, processes, procedures and job-related instructions, and assumes that both superordinate, but also operative aims need to be planned, implemented, controlled, evaluated and adjusted.

See also

[edit]

References

[edit]
  1. ^ Gartner Research, Magic Quadrant for Security Information and Event Management, ID Number G00139431, 12 May 2006.
[edit]
  • COBIT

Summary and material from the ISACA

  • ISO/IEC 27000

International Organization for Standardization

  • ITIL

Summary and material from AXELOS