Information Security Forum Releases Establishing a Business-Focused Security Assurance Program
Latest Report Explores How Individuals Responsible for Providing Security Assurance Can Meet Explicit Needs of Stakeholders
By: Information Security Forum
Many organizations aspire to an approach that directly links security assurance with the needs of the business, demonstrating the level of value that security provides. However, there is often a significant gap between goals and reality. Improvement requires time and patience, but organizations do not need to start at the beginning. Most already have the basics of security assurance in place, meeting compliance obligations by evaluating the extent to which required controls have been implemented and identifying gaps or weaknesses. Establishing a Business-Focused Security Assurance Program explains how organizations can build on existing compliance-based approaches rather than replace them.
"Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are," said Steve Durbin, Managing Director, ISF. "A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization."
Business-focused security assurance programs can build on existing compliance-based approaches by:
· Identifying the specific needs of different business stakeholders
· Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place
· Reporting on security in a business context
· Leveraging skills, expertise and technology from within and outside the organization
Most organizations run a security assurance program of some kind, but implementation varies significantly. A successful, business-focused security assurance program requires positive, collaborative working relationships throughout the organization. Security, business and IT leaders should actively engage with each other to make sure that requirements are realistic and expectations are understood by all.
"In today's fast-moving business environment, filled with constantly evolving cyber threats, business leaders want confidence that their processes, projects and supporting assets are well protected. An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls – complacency can have disastrous consequences."
The ISF Approach to Establishing a Business-Focused Security Assurance Program is designed to be flexible, enabling individuals tasked with providing security assurance to ask the right questions of business leaders and perform the activities that will deliver the most pertinent results. By developing a flexible, repeatable security assurance process, organizations can promote continuous learning and improvement.
This report is primarily directed at individuals who are tasked with providing security assurance for an organization. These can include security managers, security specialists, security architects, project/program managers, business analysts (within the IT department) and legal and regulatory compliance specialists. The report will also be of interest to individuals in senior management who have a governance and oversight role, including the Chief Information Security Officer (CISO), Chief Information Officer (CIO), Chief Risk Officer (CRO) and Head of Audit. Establishing a Business-Focused Security Assurance Program is available now to ISF Member companies via the ISF website (http://www.securityforum.org/).
About the Information Security Forum
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. The ISF is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. By working together, ISF Members avoid the major expenditure required to reach the same goals on their own. Consultancy services are available and provide ISF Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products.
For more information on ISF membership, please visit https://www.securityforum.org/