The three-pillar approach to cyber security: processes are crucial
Cyber threats change quickly, and processes need to adapt with them.
But processes are nothing if people don’t follow them correctly.
The second pillar is processes
Processes are key to the implementation of an effective cyber security strategy. They are crucial in defining how an organization’s activities, roles and documentation are used to mitigate information risks. Processes also need to be continually reviewed.
This is the second article in a series on the three-pillar approach to cyber security. The first article, “The three-pillar approach to cyber security starts with people”, can be found here.
The second of the three pillars is process. The process pillar is made up of several parts: management systems, governance, policies and procedures, and third-party management. All of these parts must be addressed for the process pillar to be effective.
Management systems are key to the second pillar
To strengthen the second pillar in your cyber security strategy, a proper management system must be put in place. Everyone in your organization should understand their duties and responsibilities when it comes to cyber security. In a large and diverse organization, the level of competence in and interest in cyber security will vary greatly between employees, but a good management system can raise security awareness and increase the resilience of the organization as a whole. Without a clear management system in place, issues and data will fall through the cracks, leaving the entire company vulnerable to cyber security problems, up to and including a data breach.
Enterprise security governance activities
Governance is a company's strategy for reducing the risk of unauthorized access to information technology systems and data. Enterprise security governance activities involve the development, institutionalization, assessment and improvement of an organization's enterprise risk management (ERM) and security policies. Governance of enterprise security includes determining how the various business units, personnel, executives and staff should work together to protect the organization's digital assets, prevent data loss and protect the organization's public reputation.
Enterprise security governance activities should be consistent with the organization's compliance requirements, culture and management policies. Developing and maintaining enterprise security governance often involves conducting threat, vulnerability and risk analyses that are specific to the company's industry.
Enterprise security governance also covers physical security: the company's strategy for reducing the chance that physical assets it owns are stolen or damaged. In this context, governance of enterprise security includes physical barriers, locks, fencing and fire response systems, as well as lighting, intrusion detection systems, alarms and cameras.
Link between vision and daily operations
A ‘policy’ is a predetermined course of action, established to provide a guide toward accepted business strategies and objectives. In other words, it is the direct link between an organization’s ‘vision’ and its day-to-day operations. Policies identify the key activities and give decision-makers a general strategy for handling issues as they arise. They do this by setting limits and offering a choice of alternatives that guide the reader’s decision-making as they work through problems. Policies can be thought of as a globe, on which national boundaries, oceans, mountain ranges and other major features are easily identified.
The goal of every procedure is to give the reader a clear and easily understood plan of action for carrying out or implementing a policy. A well-written procedure also helps eliminate common misunderstandings by identifying job responsibilities and establishing boundaries for the job-holders. Good procedures allow managers to control events in advance and prevent the organization (and its employees) from making costly mistakes. You can think of a procedure as a road map on which the trip details are highlighted, so that a person neither gets lost nor ‘wanders’ off the acceptable path identified by the company’s management team.
Managing third parties
Third-party management is better known as vendor management. It is a discipline that enables organizations to control costs, drive service excellence and mitigate risks in order to gain increased value from their vendors throughout the deal life cycle.
When selecting a vendor to work with, you must be sure they meet the same level of cyber security as your company requires of itself. Many companies have suffered data breaches that started with a vendor being compromised, allowing the attackers to gain access to the company’s systems. One example is Target, a major US retailer. Their massive data breach happened because their heating, ventilation and air-conditioning (HVAC) contractor was hacked first. The attackers leveraged the HVAC supplier’s access to Target’s network and were able to reach their final goal, the point-of-sale machines. This attack illustrates the importance of managing supply chain risk: a vendor’s access to your network should be limited to what the vendor actually needs, and reviewed as part of the same processes that govern your own staff.
The final pillar of cyber security is data and information. This will be covered in the third and final article in this series.