Developing information security processes
Developing Information Security Processes in Brief
Data security is an integral part of the various phases related to maintenance and development – from preparing procurement decisions to production maintenance or outsourcing. By developing information security processes it is possible to integrate information security into a company’s normal operating culture. An effective data security process is essential for cost-effective data security, and also in order to identify vulnerabilities before they cause damage. It is essential that data security works in a way that the management understands. Thus, part of process development is to build effective reporting for the different parts the organization. The data security process must take a stand on, for example, the principles governing the management of corporate architecture, data communications, technology, outsourcing, administration rights and access control as well as log management. The goal is to create day-to-day operational models that produce a data secure operating environment.
IT and IT processes may be well – or poorly – defined in the organization. It is also possible that the IT processes are not considered necessary to draw out or define at all, for one reason or another. If IT processes exist, they must be linked to data security. Measuring, key risk indicators (KRI) and requirement levels operate best in data security when data security observations can be utilized directly to improve not only data security but also the operations and operating models related to IT. In order to link the process to each other, a specific framework has to be chosen, and all involved parties need to understand their role.
It is important that the processes take both people and the technology into account, By building natural checkpoints into the processes, they can be linked, and at the same time a security culture is created.
What Mint Security Delivers
The security experts at Mint Security have developed many different kinds of data security processes for different operating environments. For example, we have developed operating models for adopting external auditing as part of existing testing processes, improving developers’ data security skills in an agile operating environment (SecOps), ensuring data secure operations by other internal and external operators, introducing hardening guidelines and automation of data security control, as well as raising the awareness of what the national and EU-level requirements mean in the practical operations of the organization.
For us, it is essential that the data security processes also include the development of data security guidelines and good practices within the IT organization and the application development teams. This work is done together with the IT organization. Also, it is important to use a RISK-IT (ISACA) framework.
Customer Needs and Challenges to Be Solved
The development of an organization’s security processes always starts with an analysis of the current state together with the customer and using the customer’s documentation. After that a development plan is drawn, and it is implemented with focuses chosen by the customer.
If you do not know what you want or you do not know what you are capable of – or you do not have an idea of what level you should aim at – a thorough analysis will be required. The best way to approach cyber capability is to create an assessment of the present situation and the target state using the CMM maturity model. Many frameworks, such as RISK-IT or Cobit for Risk, provide tools that you need to know how to utilize.
Once the maturity and the needs are known – and have been mapped out in sufficient detail – we can start thinking about budgeting. Not the other way around. What do you get for your money, where do you get the best value and how should data security be implemented? You can buy a solution only to mount it to a rack, or you can start using it for real.
More Details about Our Methods and Tools
We strive to produce documents and instructions and processes from our standard toolbox. We always customize these for the company’s specific needs.
See examples below:
- Security policies, for example in accordance with the ISO27002 framework, applied either in full or according to the company’s specific needs.
- Customer-specific and accurate data security instructions (privilege management, email usage, premise security …)
- ISMS described and documented (data security management system)
- Risk management models as well as processes for maintenance and handling
- Incident management processes
- Data security processes for application development
- Audit processes