Audit and Assurance


Security Strategy

  • 1.  Security Strategy

    Posted 11 Jun, 2019 00:02
    Hi,

    Performing this network security audit for the organisation I work for and note that there is no Security Strategy. There is an Information Security Policy though.

    I am now having this argument on whose responsibility it would be to document the Security Strategy; would it be IT or Information Security? Information Security's argument is that they have documented the Policy and the strategy to ensure compliance with policy should come from IT, but IT is saying otherwise.

    Thanks in advance for your feedback.

    Regards,

    ------------------------------
    Jeffery
    ------------------------------


  • 2.  RE: Security Strategy

    Online Forum Topic Leader
    Posted 11 Jun, 2019 03:12
    @Jeffery Pepson,

    This is a difficult question to answer without fully understanding how your enterprise is organized; however, what I would say is that COBIT "splits" security into APO13 Manage Security (Define, operate and monitor a system for information security management) and DSS05 Manage Security Services (Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.) RACI charts have been defined for the Key Management Practices for both. These should be consulted before reaching any final decisions.

    Have members any other thoughts on this one?

    Best Regards,

    Ian

    ------------------------------
    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist
    ------------------------------



  • 3.  RE: Security Strategy

    Posted 11 Jun, 2019 23:58
    Hi Ian,

    Thank you for the feedback. I have gone through the two RACI charts. The CISO is ultimately accountable for security within the organisation so I guess the drive will have to come from him/her in terms of establishing the baseline of how security should be implemented through a Strategy. Both the CIO/IT Head and IS Manager are responsible for ensuring the Strategy is implemented through their various responsibilities.


    Regards,

    ------------------------------
    Jeffery
    ------------------------------



  • 4.  RE: Security Strategy

    Online Forum Topic Leader
    Posted 12 Jun, 2019 04:09
    @Jeffery Pepson,

    Good that you have seen the RACI charts - I could not attach them as they are protected ISACA content.

    I agree with what you have interpreted "in theory" but please be aware that a lot depends on how your enterprise is organized, who the CISO reports to, etc. There is probably no "one size fits all".

    Best Regards,

    Ian

    ------------------------------
    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist
    ------------------------------



  • 5.  RE: Security Strategy

    Posted 12 Jun, 2019 04:17
    Thanks Ian,


    Regards,

    ------------------------------
    Jeffery
    ------------------------------



  • 6.  RE: Security Strategy

    Posted 12 Jun, 2019 04:46

    I wish this could be done over a beer with the heads of IT and IT Security. What I have seen in my career, most of the time IT and IT Security heads are under the CIO and it is always the IT Security team's responsibility to drive IT compliance. COBIT should be one of the good sources to engage both teams. What I sense from your note, the IT team is looking towards IT Security for help in running security and compliance. So a little proactive approach from both sides can fulfill the requirement. (Believe me, been there and done that; it's a time-taking process but eventually it worked for me.)



    ------------------------------
    JD
    ------------------------------



  • 7.  RE: Security Strategy

    Posted 12 Jun, 2019 17:48
    Thanks JD, appreciated.


    Regards,

    ------------------------------
    Jeffery
    ------------------------------



  • 8.  RE: Security Strategy

    Posted 20 Aug, 2019 04:15
    Hi Jeffery,

    In my previous organization, I worked on security maturity assessment which is logically related with the security strategy of the organization. So, the CISO is the key person from and other "C" level of the organization, who might be involved.

    Regards
    Shridhar

    ------------------------------
    Shridhar Kuppannagari
    Lead Consultant
    ------------------------------



  • 9.  RE: Security Strategy

    Posted 21 Aug, 2019 10:26
    @Jeffery Pepson - In my experience, when this "battle" is occurring, it is good to recommend an IT Security Steering Committee that is responsible for security governance. The CISO, CIO, and even some other C-suite personnel are usually on the committee. Because security impacts the entire organization, non-security and non-IT people should be involved (not always the case, but it helps).

    ------------------------------
    Troy Fine
    Manager
    Schneider Downs
    ------------------------------