Friday, September 21, 2007
Seven Habits of Highly Effective Security Plans [Part 3]
In this post we deal with habit 2: Begin with the End in Mind
Please first read the Seven Habits of Highly Effective Security Plans [Part 1]
Please first read the Seven Habits of Highly Effective Security Plans [Part 2]
This is based on Stephen Covey's book The Seven Habits of Highly Effective People, and this habit is the one I wanted to get to as quickly as possible, because I think it is the most important one for Security Plan development.
If you have read the book this blog post is based on, you'll know that each habit builds on the ones before it. The last one was being proactive: making sure that you define your environment and how you will handle Information Security.
In the past, Information Security was a matter of having whatever the box of the day was: firewall, anti-virus, IDS, etc. It was also about having audits done and responding to their negative findings. And it was about hopefully detecting incidents and preventing the same incidents in the future. Reactive.
Now, what is happening, and what should be happening, is that Information Security is becoming more proactive, as per habit 1. We are looking instead at what we are protecting and trying to understand why it needs to be protected and how best to do so.
But once you realise that you have work to do, you need to know what to do. You need a plan, a long-term plan. You probably already have one of those: a policy.
I know of a company (not the one I work for) that was told by its holding company to get Policy documents. So they got the boilerplates, filled in their company name and, voila, policy documents. But they missed the point.
The documents are not there for the auditors. ("Yeah, we got some policies." [Tick]). They are a living document of the Company's plan for Information Security. They are an excellent opportunity for the Company to define their end goal and work towards it.
It also makes life a lot easier for everyone when they know their goal, and it makes deciding what is important and what isn't very much easier.
A boilerplate is a good start if you have no idea where to begin. The risks to most companies are the same, and the technology is similar too. Most of the techniques can be applied to all kinds of organisations. But a lot of work needs to be done on the Policy to get it just right for your organisation.
Another good place to start is with the people who own the information. And these are not IT. These are the people who make decisions based on information, the people who would pack up and go home if there was no information for them to work with. They know what is important to the business and where it is. I will write a lot more on this in later posts, but for now just realise that Information Security must start with the end in mind, and the end is "protect all important information so the business can operate".