Our Security Assessment framework
Developing your organization's security assessment capabilities.
As discussed on our page on Security Governance goals and objectives, your organization needs a security assessment framework that it can use to prioritize its security efforts and investments and to evaluate how well its security strategic context and security culture are developing. This assessment framework is separate from the security governance assessment framework, which you will need in order to assess the quality of your enterprise-wide security governance itself. We will discuss a possible security governance assessment framework on a separate page (for now, see our paper [Tan 2004]). As also discussed on our goals and objectives page, compliance assessment should be kept separate from security assessment: passing an audit tells you that the required controls exist, not that they are protecting the assets that matter.
The main security governance objectives of your organization's security assessment framework are to support three questions: what needs to be protected, which current issues endanger your organization's security and in what order of priority, and what the most cost-effective way is to achieve an adequate level of protection.
Developing an asset classification scheme
In this section we start with what is, in our view, the most important aspect of your security assessment framework: identifying not only your assets, but also whether confidentiality, integrity and/or availability matters for each asset in your organization. Making your top-level security management committee responsible for identifying the critical assets of the organization is now accepted practice in security governance. Unfortunately, the information security literature again offers no real definition of what critical means, or of how we decide that one asset is more critical than another. More importantly, if you only identify critical assets, other employees get no guidance on how much security matters for your non-critical assets.
If an asset is not identified, it very likely will not be protected either. Hence, before you decide on the criticality of your assets, you first need a process for identifying all potentially critical assets. Ideally you would start by identifying as many assets as possible, but in practice that is not feasible and you will have to limit the scope somehow. This is where a classification scheme can be very useful.
The best-known classification scheme is the one used for data confidentiality. Unclassified, restricted, confidential, secret and top secret are terms most people understand. Comparable classification schemes for availability and integrity are almost nonexistent, however, and, more importantly, you will need more business-oriented classification schemes that combine all three aspects of security, because the handling rules follow from the combination rather than from any one aspect. A highly confidential data asset with low availability needs should probably not be endangered by keeping a copy on a laptop or home PC, and you should consider restricting the use of email for such data assets. Once you have defined and publicized this classification, identifying assets becomes a lot easier: your employees will readily come up with many examples of data assets that they believe need to be considered under a particular classification.
Developing situational awareness
To identify which current issues endanger your organization's security, and what their priority is, you can no longer afford a purely outward focus. Yes, it is important that your security personnel know what is happening in the outside world and, in particular, which threats and vulnerabilities are prevalent in your industry. It is more important, however, that your security personnel are aware of what is happening inside your organization. Otherwise you will spend all your effort protecting the organization against well-known cyber threats while neglecting the much more damaging but often invisible incidents that result from insecure work practices (user error) and from a lack of fraud detection and prevention, which may include the leakage of highly sensitive commercial information to your competitors.
Most organizations currently have limited situational awareness of their own information security, for reasons discussed in our Security Management section, in particular on our Decision making models page. To develop situational awareness in your organization, you will need to change the current emphasis on preventive controls. Consider the following question: which is better security, relying on a preventive control without being aware that it has been bypassed, or using a detective control that tells you when you have a security incident so that you can react to it? The answer is that preventive controls should never replace detective controls but should always be used together with them: proactive security does not work if you cannot detect and react. A preventive control that fails silently gives you the same exposure as no control at all, plus false confidence. Achieving a balance between detection and prevention in your security strategy is also the first step towards situational awareness.
Developing a selection framework for security controls and mechanisms
Having discussed the need for a better balance between detective and preventive controls in order to improve situational awareness, we now turn to an even more urgent need: improving knowledge about the cost-effectiveness of different kinds of security controls in your organization, and improving skills in selecting and implementing those controls.
Our approach to improving the cost-effectiveness of information security is based on introducing requirements engineering into organizational security. Considering requirements for organizational security has proved useful in our research, but a full requirements elicitation and analysis may not be cost-effective for every organization, or for every security project within an organization. Hence the need for enterprise-wide guidelines on the selection of security controls and mechanisms. These guidelines can include specific advice on how to apply requirements engineering to information security, or they can offer more direct advice on the cost-effectiveness of controls, derived from an initial organization-wide security requirements engineering exercise.