Is Information Security a baby of only Security Manager?

Problem Statement:

Often, when we execute a project, the security budget is limited and so is the security team. Many a time, for a substantial duration of the project, the security team remains a one-man army. The common understanding is that anything and everything related to security, be it part of the application, the network, servers, end-point hosts, physical access or even business continuity, can be handled easily by the security personnel deployed on the project. Here most of project management, probably due to resource limitations or a lack of awareness, fails to understand how a single person can deliver with expertise on an enterprise-wide implementation. The words "enterprise wide" are used because, however small a project is, if it requires end-to-end security across all aspects of the project, it warrants the maximum security controls, if not every control that may be required when one wants to secure an enterprise. If we talk in terms of ISO 27001, which is a widely accepted security management standard, security comprises managing the security organization, documentation, security requirements, security risk management, security operations, security log management and the other areas of security listed earlier in this article. How can a single security person, or even a team of a couple of security personnel, be assumed to be an expert in all of these areas?

Consequences:

Low quality in overall project security, which is indeed a dangerous situation. Security personnel start spending their time on activities they are forced to be involved in, which belong to domains other than information security. Examples of such other domains, or of expectations placed on security personnel, include expecting them to have knowledge of OS and network commands, code development technologies, SRS/FRS collection, and the management of technologies like firewalls, IPS and AV. They start delivering security in a casual manner, as the pure security activities, like managing the ISMS, ensuring security compliance, monitoring security logs and providing security solutions, take a back seat instead of security being managed for the overall project.

Solution:

Senior management should show commitment towards information security not merely by allocating one or two human resources to the project, but also by making the entire middle management understand that information security is everyone's job. An individual or a manager for a particular work area is in a better position to understand what is critical to one's business and what is required to be secured. Security personnel, based on their knowledge of security standards and the best practices available across the world, may facilitate the "what" part of a security control, but the respective team, being the domain expert in the area of concern, is responsible for the "how" part of the same security control.

Security personnel may help define a security risk assessment methodology; it is the ground team or its management who, based on that methodology, may perceive the risks, if any. One must understand that security is not a plug-in on top of the existing work area; it is mostly about tweaking some existing parameters in a secure fashion or reframing the existing process in a secure manner. Thus a person who is responsible for the overall process is in a better position to build the security process into it. This view is also supported by the ISO 27001 standard, which supports the involvement of management in overall project security. The new revision of this standard not only focuses and places more emphasis on management commitment and leadership (section 5.1), but now also has a security control dedicated to it (A.6.1.5).
