Thursday, January 22, 2009

Does IT Security Matter?

The truth is...it is really up to you. Does ___ matter? Only if you believe in it.

A presentation by Dr. Luke O'Connor brings an interesting concept to the table (full presentation here). IT Security is essential only where it is needed and applicable to business processes. The problem all information security professionals face is defining what is necessary to protect information assets based on business needs.

A majority of the time, it is based on compliance with federal mandates. However, does the application or system truly need that level of enhanced security? This is a common mistake. Does upper management know what they need? Are they aware of what they don't need? In most cases, I would say upper management relies heavily on the infosec staff. Resources are often wasted when infosec staff focus on items that are not prioritized appropriately. What is deemed critical is not always so...

IT Security is another line item that most managers cut back on. The concepts are not that difficult, but the level of effort can be substantial. Documentation bogs down security processes such as Certification and Accreditation (C&A). The end goal is to secure business processes to support the mission. Implementation of security controls is more important than 100% comprehensive documentation.

How do we resolve these issues? Define what is mission critical and develop objectives to meet specific goals. Budget for what has to be done to ensure business processes are adequately secured. "Focus on securing business processes, not the process of securing"

I'm not saying documentation should not be developed. It just isn't as high a priority as proper implementation itself. Look for FISMA 2.0 to shape things up in the Federal Sector.

1 comment:

  1. I hope you are right.

    I'm tired of "paper security" instead of real security. The taxpayers spend millions of dollars on having government agencies write documents instead of putting the effort into really securing the applications.

    By the way, I like the topic of your blog and your writing style.