Feb. 11, 2011
For many credit union leaders, the thought of developing an information security strategy brings up those words again (too technical ... overwhelming) and a question: “What for?” Before we answer these concerns, we should first understand what we mean by an information security strategy.
Read the whole “Information Security Simplified” series
Part 1, Setting goals and objectives for your program
Part 3, Combining organizational design/strategy, people, processes and technology
Part 4, Putting your program in writing
Part 5, Moving from where you are to where you want to be
Part 6, Training some staffers, educating others
Part 7, Measuring your program
According to Kenneth Andrews in The Concept of Corporate Strategy, 2nd Edition, corporate strategy can be defined as “the pattern of decisions that determines and reveals a company’s objectives, purposes or goals; produces the principal policies and plans for achieving those goals; and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities.”
Using this definition, we see that whether or not you have a printed information security strategy document, you already have an information security strategy in place at your credit union. The decisions, plans, and projects you have engaged in have created that strategy. The task now is to move from that informal, ad hoc strategy to a formal, organized one that outlines what the credit union expects to achieve with its information security program and provides clear direction (a road map) on how it will do so. A formal strategy for information security is needed for all the same reasons we would name for having a formal marketing, loan, share or ALM strategy: clear understanding, monitoring, and accountability.
Keeping things simple, you can divide your information security strategy into three areas. First is an understanding of the goals/objectives of your information security program. Second is an understanding of where you are currently. Third is your plan (roadmap) to move from where you are to where you want to be.
To help develop and “write out” your information security strategy goals/objectives, look back to the six objectives/outcomes in part 1 of this series. These items can define the broad general outcomes you are looking for. To further refine and develop the “desired state” for your strategy, you should select a framework/model/system to provide for and maintain a structured method for measuring your progress and success. Here are three commonly used frameworks. Each can be used to organize, define and provide a “measuring stick” for your program and information security initiatives.
Put together by ISACA and the IT Governance Institute, the COBIT framework (COBIT stands for “Control Objectives for Information and related Technology”) focuses on managing (controlling) how IT and related systems are used in an organization. While IT-centric, COBIT includes examination of governance issues and our six ISACA objectives/outcomes from part 1. Additionally, COBIT contains metrics, allowing you to measure your progress.
ISO (aka the International Standards Organization) 2700x series standards (specifically, documents 27001 to 27008) are international standards for information security. Similar to COBIT, the ISO standards focus on the implementation of controls, and look beyond just “computer” security.
NIST (aka the National Institute of Standards and Technology) 800-53, Recommended Security Controls for Federal Information Systems and Organizations is one of the go-to guides used by federal government agencies in securing systems.
At first glance, these frameworks can seem a bit overwhelming. Just remember, not all items may apply to your credit union and their implementation is usually measured in years, not weeks or months. Additionally, many of the items can be broken down and worked on as a series of projects allowing you to take “small bites” to clean your plate.
While the above three frameworks/systems are not the only ones available, their widespread use means there are a number of helpful resources available free or for a nominal cost. Your CU can use these resources to examine, develop and implement an information security strategy.
Using one of the above frameworks can aid your credit union in putting together your information security strategy and help document your goals and objectives. To assist in measuring your progress toward these objectives, you may also want to consider using Capability Maturity Model and/or Balanced Scorecard systems. CMM and Balanced Scorecard can help in benchmarking where you are, compared to where you want to be.
CMM uses a 1-5 scale to determine the maturity of an area or process. A “1” is used to indicate ad hoc items where no formal systems/policies/procedures are in place to guide or determine how (or how well) things are done. A “5” indicates formal processes (systems, policies, standards, procedures) are implemented throughout the enterprise and these processes are monitored, managed and optimized. Elements of CMM are included in the COBIT framework.
Balanced Scorecard looks at processes and activities and analyzes/measures them from four perspectives: (1) learning and growth, (2) business process, (3) customer and (4) financial. The use of these four perspectives can provide for more robust measurement of status, achievement and alignment with organizational objectives.
When considering these resources and deciding which one to use, do not limit yourself to picking a single system or framework. For many of these, you can find help showing how they can be integrated and matched with each other. For example, NIST documents can be used to develop the goals and objectives for your information security program. You can then use CMM or Balanced Scorecard to assist in developing your strategy’s “desired state” (your goal) and measuring progress toward that state. Or, you could choose to build your program using the ISO standards and then use CMM to assist in setting goals (i.e. ...achieve a level 4 maturity rating in ...) and monitoring progress toward that goal.
Selecting a framework and producing an information security strategy for your credit union may not be an easy decision or a project you feel comfortable tackling. But, few decisions impacting the future operations of the credit union are entirely comfortable. As any contractor will tell you, getting a building built without a blueprint is a near impossibility. And as many of you know, the time spent on design and working on those blueprints is what separates a “nice” branch from a “Wow!” branch.
Once you understand where you want to go and where you are now, you can begin developing your plans for moving from “here” to “there.” As you do so, it is important to look at and consider the resources at your disposal. In our next part, we will examine your resources in more detail.
Jim Benlein, CISA, CISM, is owner of KGS Consulting, Silverdale, Wash.