In order to ensure the confidentiality, integrity and availability of corporate information
systems, each organization must implement a comprehensive Information Systems
Security Program (ISSP). Determining the effectiveness of the ISSP requires
evaluating each module individually, as well as its relationship to other components.
Unilateral analysis, while often necessary due to time and resource constraints, results
in a fragmented snapshot of the enterprise's defenses. Often the non-security
community does not fully comprehend the scope, breadth and impact of the ISSP, which
can result in either a false comfort level or undue concern over the degree to which their
corporate resources are protected. To aid in the management of the plan, an annual
calendar of major activities, including due dates, dependencies and responsibilities,
should be compiled, maintained and communicated to all parties with accountability for,
or participation in, a component of the plan.
As the expertise, ingenuity and persistence of attackers increase (re: NIPC July 2002
article: “Swarming Attacks: Infrastructure Attacks for Destruction and Disruption”), it
becomes exponentially more important that the ISSP and its assessment utilize a
defense-in-depth approach. This can be accomplished via redundancy or drilled-down
security. The program and its appraisal should include assurance that multiple layers of
protection are present and adequate. Executives must understand the risks associated
with operating in today’s environment and certify their acknowledgement and
acceptance of that environment. The results of the analysis of one component must be
considered and mitigated when completing other ISSP components. The CIO should be
briefed annually on the overall ISSP, understand the methodology used to develop it,
and certify that s/he accepts the risk under which it operates. The CIO then briefs the
President or CEO, who accredits the ISSP.
· Systems Owners:
Often, IT personnel become possessive of systems and forget that their purpose is to
support business functions. Each application should have a designated System Owner
who serves as the primary liaison with the IT community for all IT-related activities,
including security. The Security Awareness Training Program (SATP) should include a
module that briefs System Owners on their responsibilities in each of the five system
life cycle (SLC) phases. To ensure that System Owners are held accountable for these
duties, security-related performance elements should be included in each System
Owner’s annual performance evaluation. The ISSP should include periodic check-ins
with System Owners to verify that they are effectively functioning in their security role.
The ISSP should be modified based on lessons learned from the periodic check-ins.