Once the core set of processes has been defined, the specific processes are then prioritized and documented and the security process catalog is created. The formalization and creation of such a set of processes improves process maturity, which in turn can improve the effectiveness and efficiency of the overall set of information security tasks.
Where to start? For those venturing down this for the first time, the following methodologies provide initial sets of processes that can be used to start your own security process catalog:
- ISO/IEC 27001 ISMS (Information security management system)
- ISACA COBIT (Control Objectives for Information and Related Technology)
- ITIL security management
Based on the above, many firms will create processes at a high-level starting around:
- Firewall management
- user provisioning
- patch management
- access control
- password management
- incident response
- malware protection
- software development
- incident response
- disaster recovery/business continuity planning
Process planning and framework
Creating a process framework doesn't mean simply writing a set of processes and then just dumping them on the corporate Intranet.
Process formalization is the starting point for security process and program maturity. With that, consider the following advice from Gartner about a process framework:
- Develop a security process portfolio that represents the desired state process environment
- Ensure you allocate time and resources for security process formalization.
- Selectively prioritize processes from this portfolio for assessment and formalization
- Formalize these processes via ownership allocation, assessment of existing processes, procedures and activities, formal definition, and resource allocation.
- Treat security process management as a dedicated management discipline, tasking process owners with the responsibility for improving overall security process performance.
Even with the best set of processes, complacency and human error can obviate all of its benefits. But even with those challenges, the benefits of good processes are compelling.
Ultimately creating a security process catalog is about efficiencies. The worst thing you can do is make process formalization becoming the end-goal, rather than have it being the means to your effective information security program.
Sign up for CIO Asia eNewsletters.