
Page 1

ESTABLISHING A BUSINESS-FOCUSED SECURITY ASSURANCE PROGRAMME: CONFIDENCE IN CONTROLS

How secure is your organisation’s information? At any given moment, can a security leader look an executive in the eye and tell them how well business processes, projects and supporting assets are protected?

Security assurance should provide relevant stakeholders with a clear, objective picture of the effectiveness of information security controls. But in a fast-moving, interconnected world where the threat landscape is constantly evolving, many security assurance programmes are unable to keep pace. Ineffective programmes that do not focus sufficiently on the needs of the business can provide a false level of confidence.

Establishing a Business-Focused Security Assurance Programme: Confidence in controls explores how individuals responsible for providing security assurance in their organisation can meet the specific needs of business stakeholders. The report provides a framework around which to ask the right questions:

‒ what do business stakeholders need from security?

‒ how do they want information to be reported?

‒ which assurance activities will provide results that offer the right level of confidence in controls?

Only 32% of ISF Members are satisfied with their current security assurance programme

79% want to take a more business-focused approach

Page 2

ESTABLISHING A BUSINESS-FOCUSED SECURITY ASSURANCE PROGRAMME: CONFIDENCE IN CONTROLS

Current approaches to security assurance are often insufficiently focused on what the business wants, or prioritise validating control implementation over testing control effectiveness.

Organisations can use and tailor the ISF Approach to Establishing a Business-Focused Security Assurance Programme to update existing approaches to security assurance, augment existing processes or build a completely new security assurance capability.

The ISF Approach helps to:

‒ identify what business stakeholders want from security assurance

‒ break down requirements into manageable tasks

‒ apply a repeatable security assurance process across multiple target environments (i.e. business processes, projects and supporting assets, in specific business units and regions or across the organisation).

WHAT BUSINESS STAKEHOLDERS WANT FROM SECURITY

[Figure: target environments (business processes, projects and supporting assets) and what business stakeholders want from security]

‒ Limit financial loss

‒ Remain operational

‒ Be protected against cyber attacks

‒ Prevent leakage of sensitive information

‒ Enable fast, effective response to security incidents

‒ Meet legal, regulatory and compliance requirements

‒ Maintain good user experience

‒ Provide timely, accurate and reliable data

In most cases, new approaches to security assurance should be more of an evolution than a revolution. Organisations can build on existing compliance-based approaches rather than replace them, taking small steps to see what works and what does not. Establishing a business-focused security assurance programme that provides the right level of confidence in controls is a long-term and ongoing investment. The ISF Approach helps organisations to review current approaches and determine how to turn aspirations into reality.

There is no time like the present to begin the evolution.

Page 3

THE ISF APPROACH TO ESTABLISHING A BUSINESS-FOCUSED SECURITY ASSURANCE PROGRAMME

[Figure: the ISF Approach, in two stages]

REVIEW CURRENT security assurance programme, then BUILD FUTURE security assurance programme.

Define fundamentals: three elements, Stakeholder(s), Target environment(s) and Security assurance activities, linked by arrows labelled INFORM, SPECIFY and DETERMINE.

Apply repeatable process:

1. Set objectives

2. Define scope

3. Assess controls

4. Measure performance

5. Report main findings

Page 4

CONTACT

For further information contact:

Steve Durbin, Managing Director

US: +1 (347) 767 6772

UK: +44 (0)20 3289 5884

UK Mobile: +44 (0)7785 [email protected]

ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

DISCLAIMER

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

©2019 Information Security Forum Limited

WHERE NEXT?

Establishing a Business-Focused Security Assurance Programme: Confidence in controls is aimed at individuals who are tasked with providing security assurance for an organisation. It equips them to set up and run a security assurance programme that focuses on the needs of the business by:

‒ outlining the need for change towards a business-focused approach

‒ identifying how to move from current to future approaches

‒ introducing three fundamental elements that underpin successful business-focused security assurance

‒ describing a five-step, repeatable process to provide security assurance.

Organisations should also consider the ISF resources related to the report including Information Security Assurance: An overview for implementing an information security assurance programme, Security Audit of Critical Business Applications, Engaged Reporting: Fact and fortitude, Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your own, Protecting the Crown Jewels: How to secure mission-critical information assets, Quantitative Techniques in Information Risk Analysis: Extracting value from uncertainty.

Consultancy services from the ISF provide Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products.

The report is available free of charge to ISF Members and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at [email protected].

REFERENCE: ISF 19 03 02 | CLASSIFICATION: Public, no restrictions