
10.4 Create Protection Strategy

Information security affects the entire organization. It is ultimately a business problem whose solution involves more than the deployment of information technology. Solution strategies need to balance the organization's long- and short-term needs by incorporating both strategic and tactical (or operational) views of risk. An organization can take strategic actions focused on organizational improvement (by implementing a protection strategy) as well as operational actions focused on protecting their critical assets (by implementing risk mitigation plans). In this activity you develop a protection strategy for organizational improvement, addressing the strategic view of risk.

Protection Strategy

A protection strategy defines the initiatives that an organization uses to enable, initiate, implement, and maintain its internal security. It tends to incorporate long-term organizationwide activities.

A protection strategy leads to a series of steps that an organization can take to raise or maintain its existing level of security. Its objective is to provide a direction for future information security efforts rather than to find an immediate solution to every security vulnerability and concern [Dempsey 97]. Since a protection strategy provides organizational direction with respect to information security activities, we suggest structuring it around the catalog of practices. A protection strategy contains approaches in each of the following practice areas:

  • Security awareness and training

  • Security strategy

  • Security management

  • Security policies and regulations

  • Collaborative security management

  • Contingency planning/disaster recovery

  • Physical security

  • Information technology security

  • Staff security

During this activity, you define strategic initiatives in each of the above areas, defining the direction for information security efforts in your organization. However, practical considerations will prevent you from immediately implementing all of the initiatives after the evaluation. Your organization will likely have limited funds and staff members available to implement the protection strategy. After the evaluation, you must prioritize the activities in the protection strategy and then focus on implementing the highest-priority activities.

Using Security Practice Information from Processes 1 to 3

In this activity you use the practice information that you collected during processes 1 to 3. Specifically, you should consider the survey results across all organizational levels and contextual security practice information (protection strategy practices and organizational vulnerabilities across all organizational levels).

You will likely find discrepancies in the survey results across the different organizational levels. You may also find that the survey results from an organizational level contradict the contextual information from the same level. Your task is to make sense of the information. You should have been present for all of the workshops to allow you to hear a variety of perspectives on what is happening in the organization. Now you have to sort through everything that you have recorded and heard during the previous workshops.

The survey results may give indications about the organization's current security practices. You will be able to identify some security practices that a strong majority of respondents from an organizational level believe are currently used by the organization. You will also identify some security practices that a strong majority of respondents from an organizational level believe are not used by the organization. For the majority of the practices, there will be no strong indication in either direction.

Be careful when you use the survey results. Remember, this is not designed to be a scientific activity; your sample groups from each organizational level were not selected from a statistical perspective. Do not try to extrapolate too much from the results. Look for instances in which the vast majority of respondents from an organizational level responded in the same way. You should also look for inconsistencies across organizational levels. For example, perhaps the senior managers responded that the organization had a complete set of security policies, while the staff members indicated that the organization does not have security policies. Obviously, there is a discrepancy here, and it is up to you to interpret the information.
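The reading of the survey results described above, expressed as a small script, is an added example that is not part of the OCTAVE material: it assumes a constructed set of yes/no/don't know answers per organizational level and an assumed "vast majority" threshold of 75%, flags the practices with a strong indication either way at each level, and lists the practices on which two levels contradict each other.

```python
from collections import Counter

# Assumed threshold for a "vast majority" at one level; the book gives no number.
STRONG_MAJORITY = 0.75

# Constructed survey data: level -> practice -> one answer per respondent.
SURVEY = {
    "senior managers": {
        "documented security policies": ["yes", "yes", "yes", "yes"],
        "security awareness training": ["yes", "no", "don't know", "yes"],
        "incident response procedures": ["no", "no", "no", "yes"],
    },
    "operational managers": {
        "documented security policies": ["yes", "yes", "no", "don't know"],
        "security awareness training": ["yes", "yes", "yes"],
        "incident response procedures": ["no", "no", "don't know"],
    },
    "staff": {
        "documented security policies": ["no", "no", "no", "no", "yes"],
        "security awareness training": ["yes", "yes", "yes", "no"],
        "incident response procedures": ["no", "no", "no", "no"],
    },
}


def level_indications(responses):
    """Per practice: 'used', 'not used', or None when there is no strong indication."""
    out = {}
    for practice, answers in responses.items():
        if not answers:
            continue  # no respondents answered this practice at this level
        counts = Counter(answers)
        share_yes = counts["yes"] / len(answers)
        share_no = counts["no"] / len(answers)
        if share_yes >= STRONG_MAJORITY:
            out[practice] = "used"
        elif share_no >= STRONG_MAJORITY:
            out[practice] = "not used"
        else:
            out[practice] = None  # mixed or mostly "don't know": do not extrapolate
    return out


def cross_level_discrepancies(survey):
    """Practices where different levels gave opposite strong indications."""
    indications = {lvl: level_indications(r) for lvl, r in survey.items()}
    practices = sorted(set().union(*(r.keys() for r in survey.values())))
    found = []
    for practice in practices:
        views = {lvl: ind[practice] for lvl, ind in indications.items() if ind.get(practice)}
        if len(set(views.values())) > 1:
            found.append((practice, views))
    return found


if __name__ == "__main__":
    for practice, views in cross_level_discrepancies(SURVEY):
        print(f"{practice}: {views}")
```

Practices with no strong indication at a level are left out of the comparison deliberately, so a discrepancy is only reported where both levels answered decisively.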

We believe that you will find the contextual information about current security practices and organizational vulnerabilities more useful to you than the survey results as you develop your organization's protection strategy. You will most likely find that participants have identified many instances of what is currently working well in your organization and where there is room for improvement.

Step 1: Develop a Protection Strategy for Strategic Practice Areas

You develop the strategy in two parts. First, you identify approaches in each strategic security practice area that could improve or maintain your organization's security posture. Then you explore what is required to enable good practice in the operational practice areas. In this step we focus on the strategic practice areas.

As you create a protection strategy, you must consider the following:

  • The current practices in this area that your organization should continue to use

  • The current practices in this area that your organization needs to improve

  • New practices that your organization should adopt

To conduct step 1, you need to answer the questions about each strategic practice area presented in Table 10-3.

Remember to review the survey and contextual security practice information as you answer the questions in Table 10-3. Also, remember to review the actions and recommendations that you recorded during process 6. You might find that these recommendations help you to identify security-related strategies for your organization. Record the approaches that you identify for each strategic practice area.

As you develop your organization's protection strategy, you should also think about any near-term actions that could help you develop or implement the protection strategy. Make sure that you record these action items, which you should use as input to the final activity of process 8A, in which you formally document action items.

Let's look at how the analysis team at MedSite created the protection strategy. Remember that the overall team developing the protection strategy includes the core analysis team members and a staff member from MedSite's Strategic Planning department. The team considered the key questions for each strategic practice area. As team members discussed the questions in each area, they often referred to the surveys and contextual security practice information. Based on the information collected, the team felt that it needed to create a strategy to improve security awareness and training at MedSite. Figure 10-4 shows the strategies that the team selected. The team also reviewed the actions and recommendations that it recorded during process 6, but none of those actions and recommendations was related to security awareness and training. The analysis team identified initiatives related to all strategic practice areas. You can find the complete protection strategy for MedSite in Appendix A.

Figure 10-4. Protection Strategy for Security Awareness and Training


Table 10-3. Key Questions for Strategic Practice Areas

Security awareness and training

  • What can you do to maintain or improve the level of information security training that all staff members receive (consider awareness training as well as technology-related training)?

  • Does your organization have adequate in-house expertise for all supported technologies? What can you do to improve your staff's technology expertise?

  • What can you do to ensure that all staff members understand their security roles and responsibilities?

Security strategy

  • Are security issues incorporated into your organization's business strategy? What can you do to improve the way in which security issues are integrated into your organization's business strategy?

  • Are business issues incorporated into your organization's security strategy? What can you do to improve the way in which business issues are integrated into your organization's security strategy?

  • What can you do to improve the way in which security strategies, goals, and objectives are documented and communicated to the organization?

Security management

  • Does management allocate sufficient funds and resources to information security activities? What level of funding for information security activities is appropriate for your organization?

  • What can you do to ensure that security roles and responsibilities are defined for all staff in your organization?

  • Do your organization's hiring and retention practices take information security issues into account (also applies to contractors and vendors)? What could you do to improve your organization's hiring and retention practices?

  • What can you do to improve the way in which your organization manages its information security risk?

  • What can you do to improve the way in which security-related information is communicated to your organization's management?

Security policies and regulations

  • What can you do to ensure that your organization has a comprehensive set of documented, current security policies?

  • What can you do to improve the way in which your organization creates, updates, and communicates security policies?

  • Does your organization have procedures to ensure compliance with laws and regulations affecting security? What can you do to improve how well your organization complies with laws and regulations affecting security?

  • What can you do to ensure that your organization uniformly enforces its security policies?

Collaborative security management

  • Does your organization have policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners)? What can your organization do to improve the way in which it protects information when working with external organizations?

  • What can your organization do to improve the way in which it verifies that external organizations are taking proper steps to protect critical information and systems?

  • What can your organization do to improve the way in which it verifies that outsourced security services, mechanisms, and technologies meet its needs and requirements?

Contingency planning/disaster recovery

  • Does your organization have a defined business continuity plan? Has the business continuity plan been tested? What can you do to ensure that your organization has a defined and tested business continuity plan?

  • Does your organization have a defined disaster recovery plan? Has the disaster recovery plan been tested? What can you do to ensure that your organization has a defined and tested disaster recovery plan?

  • What can you do to ensure that staff members are aware of and understand your organization's business continuity and disaster recovery plans?

Step 2: Develop a Protection Strategy for Operational Practice Areas

Next, you develop the strategy for the operational security practice areas. Remember that in this step you are identifying strategies to enable operational practices in your organization. To conduct step 2, you need to answer the following key questions for each main operational practice area (physical security, information technology security, staff security):

  • What training and education initiatives could help your organization maintain or improve its practices in each area?

  • What funding level is appropriate to support your organization's needs in each area?

  • Are your policies and procedures sufficient for your organization's needs in each area? How could they be improved?

  • Who has responsibility for each area? Should anyone else be involved?

  • What other departments in your organization should be involved in each area?

  • What external experts could help you with each area? How will you communicate your requirements? How will you verify that your requirements are met?

For example, consider information technology practices. The information technology practice area contains practices for securely configuring and maintaining an organization's systems and networks. What strategies could enable your organization's information technology security practices? Perhaps your organization's information technology staff members need to receive training in secure system administration. Or perhaps you need to better define roles and responsibilities for information technology security. These are examples of strategies designed to enable information technology security practices.

Remember to review the survey and contextual security practice information as you answer the key questions for this activity. Also, remember to review the actions and recommendations that you recorded during process 6. Record each strategy that you identify for each operational practice area. Finally, remember to record any near-term actions that you identify as you develop the strategy.

At MedSite the team considered the key questions for each operational practice area. Team members referred to relevant survey and contextual practice information as needed. They also reviewed the recommendations from process 6. They determined that the following recommendation from process 6 has strategic implications with respect to how MedSite approaches security:

The analysis team and ABC Systems also came to the conclusion that vulnerability management isn't really being done well.... Vulnerability management must be investigated and the weaknesses in procedure corrected. A plan will be needed to increase the knowledge and skills of IT and to improve the formality of ABC Systems' procedures.

The team incorporated vulnerability management into the protection strategy along with other strategies that could improve MedSite's information technology security practices. Figure 10-5 illustrates the activities that the team recorded for the information technology security practice area. You can find the complete protection strategy for MedSite in Appendix A. After developing the protection strategy for MedSite, the analysis team was ready to develop risk mitigation plans.

Figure 10-5. Protection Strategy for Information Technology Security

