Visible Ops Security, Phase 2

'Find Business Risks and Fix Fragile Artifacts'

Security Strategies Alert By M. E. Kabay, Network World
November 25, 2008 12:05 AM ET

The long view of security strategies for your network.

In the last two columns, I introduced the excellent booklet called Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps, by Gene Kim, Paul Love and George Spafford.

Today I’m reviewing their chapter entitled, “Phase 2: Find Business Risks and Fix Fragile Artifacts.”

The chapter begins with a summary explaining that with infinite risks and finite resources and time, we have to focus our attention on securing critical areas of the business. As with the Phase 1 chapter, this one also includes a succinct and sometimes amusing chart of common issues. Some of the highlights (or lowlights, depending on your perspective) that had me chuckling with recognition include the following (quoting):

• Information security often can’t focus its efforts on the top risk areas (We have hundreds of business applications that we need to secure and support… There is just no way that our information security team can stay on top of it all. We are spread way too thin. I figure that each one of us is covering hundreds of systems and thousands of controls.)
• Must repeat audit work year after year (We are repeating a lot of documentation and substantiation work for IT controls… Last year we spent thousands of hours on this. And we’re going to do it all over again this year. / Why? Because instead of building controls into daily IT operations, we substantiate the presence of controls after the fact.)
• Top-down risk-based processes never finish (There’s some hope that the new Enterprise Risk Management [ERM] task force will address some of these issues… The problem is that they’ve been at it for three years, and there are no indications that the consultants they’re using are ever going to leave. In fact, the only certain thing is their next invoice, and another one of their horrible half-day workshops.)

The authors explain, “we extend the focus of Phase 2 beyond just operational risks, to those risks relevant to information security, compliance, and financial reporting. To make sure that we focus on what really matters, we go through an explicit scoping step for IT services and systems to ensure that we can explicitly link information security controls to risks that can affect the achievement of business objectives or requirements.”

Their methodology includes the following steps, each of which is fully explained in the text (in the unquoted sections, I am merely summarizing highlights):

• “Establish an initial scope of the business process and IT services and systems that really matter by using a top-down, risk-based approach.”
• “Cover the periphery” (identify “externally facing systems” whose compromise could cause catastrophic consequences)
• “Zoom out to rule out” (keep the focus on business consequences rather than on technical issues that are interesting but do not matter in real-world terms)
• “Find and fix IT control issues” (identify the business functions where controls are inadequate to reduce risk and mitigate damage from breaches of security)
• “Streamline IT controls for regulatory compliance” (build reusable controls that can save time and money for all sectors of the enterprise in meeting security standards)

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
