Information Security Top-Down

December 1, 2004
This is the era of cyber terrorism [1], spamming [2], identity theft [3] and regulatory compliance requirements [4]. Enterprises are, and need to be, more conscious about how they expose themselves to the outside world; how they trust outsiders as well as insiders; what they do with consumers’ data; and how they keep the business running despite disasters [5]. While reactive enterprises merely counter threats they have already fallen victim to, proactive organizations have started leveraging their security investment to add business value [6]. The consequences for enterprises range from simple loss of customer confidence to legal liability [7]. Reports on security incidents [8], identity theft [3] and government initiatives over the last decade are direct evidence of how seriously enterprises have to take the problem.

Challenges and remedies

Many private [9,10], academic [8] and federal initiatives [11] are trying to address the growing needs and challenges faced by enterprises. Each initiative differs in its objective, scope, comprehensiveness and target audience. Some are simple policies and procedures; others are more comprehensive recommendations and best practices [9,10,11,12]. The laws listed in Table 1 show that privacy of user data, confidentiality of information, integrity and availability of data or services, and the means to realize them are the central demands. While some legislation requires extensive confidentiality mechanisms to be put in place, other legislation emphasizes data availability and operational procedures. Enterprises that fall into one of the regulated categories need to have the infrastructure and mechanisms in place to guarantee compliance. Having identified the reasoning, remedies and repercussions associated with information security, enterprises need to develop due-diligence practices and programs. Figure 1 is the scenario; Tables 1 and 2 enumerate the requirements.

Bottom-up vs. top-down approach

Organizations have dealt with the problem of security management through varied means. Traditionally, enterprises have adopted a bottom-up approach, in which operational staff initiate the process and then propagate their findings upward to management as proposed policy recommendations. Because management then has no picture of the threat involved, its implications, the resources required, the possible return or the method of implementation, this approach has at times ended in fiasco.

The top-down approach, which looks at the whole issue from the opposite direction, is proving to be highly successful. Here management understands the seriousness of the problem and initiates the process, which is then systematically percolated down to operations staff.

Executive management

The top-down approach begins with management establishing a framework for initiating and implementing security practices in the enterprise. Management can consult the Federal Information Security Management Act (FISMA) and the ISO 17799 standard. FISMA places heavy emphasis on a management hierarchy and a delegation of roles. Though it is aimed at federal agencies, it can help private enterprises too. ISO 17799 can help in implementing a security program throughout an organization. As an inherent duty of the executive, controlling costs and devising a strategy to maximize return is a paramount objective. To meet this objective, management must align its business objectives with the recommendations of these standards. Methodologies [8] such as the Security Attribute Evaluation Method, developed at Carnegie Mellon University, and fault tree analysis can help perform cost-benefit analyses and risk assessment studies. Such methods can help to choose one security architecture over another.
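As an added example of the kind of fault-tree-based comparison the paragraph above refers to (this is not the Security Attribute Evaluation Method and not code from any of the cited sources), the following Python builds a small fault tree for a "customer data disclosed" top event, computes its annual probability under the usual independence assumption, lists the minimal cut sets, and compares two candidate countermeasures by annualized loss and return on security investment. All event probabilities, loss figures and countermeasure costs are constructed for illustration.

```python
"""Fault-tree risk assessment used to compare two security architectures.

Added example; not the SAEM method or code from the article's sources.
Basic-event probabilities, the single-loss figure and the countermeasure
costs are constructed values.  Basic events are assumed independent, the
usual first-pass simplification in fault tree analysis.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class Event:
    """A basic event with its annual probability of occurring."""
    name: str
    probability: float


@dataclass
class Gate:
    """An AND or OR gate over child events or gates."""
    name: str
    kind: str                       # "AND" or "OR"
    children: list = field(default_factory=list)


Node = Union[Event, Gate]


def top_event_probability(node: Node) -> float:
    """Annual probability of the node's event, assuming independence."""
    if isinstance(node, Event):
        return node.probability
    probs = [top_event_probability(c) for c in node.children]
    if node.kind == "AND":           # every child must occur
        p = 1.0
        for q in probs:
            p *= q
        return p
    if node.kind == "OR":            # at least one child occurs
        p_none = 1.0
        for q in probs:
            p_none *= 1.0 - q
        return 1.0 - p_none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events that cause the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(c) for c in node.children]
    if node.kind == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:                            # AND: combine one cut set per child
        sets = [frozenset()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    # drop any cut set that strictly contains another one
    return [s for s in sets if not any(o < s for o in sets)]


def annualized_loss(node: Node, single_loss_expectancy: float) -> float:
    """ALE = P(top event in a year) * loss per occurrence."""
    return top_event_probability(node) * single_loss_expectancy


def build_tree(filter_p: float, patch_lag_p: float,
               phish_p: float, weak_cred_p: float) -> Gate:
    """Top event reachable by an external exploit or a credential theft."""
    return Gate("customer data disclosed", "OR", [
        Gate("external exploit", "AND", [
            Event("perimeter filter fails", filter_p),
            Event("unpatched service exposed", patch_lag_p),
        ]),
        Gate("credential compromise", "AND", [
            Event("employee phished", phish_p),
            Event("weak or reused credential", weak_cred_p),
        ]),
    ])


def compare_architectures(sle: float = 1_000_000.0) -> Dict[str, object]:
    """ALE and ROSI for two constructed countermeasures against a baseline."""
    baseline = build_tree(0.3, 0.5, 0.6, 0.5)
    options = {
        # constructed: MFA makes a phished password rarely sufficient
        "mfa": (build_tree(0.3, 0.5, 0.6, 0.05), 60_000.0),
        # constructed: a 72-hour patch SLA shrinks the exposed window
        "patch_sla": (build_tree(0.3, 0.1, 0.6, 0.5), 40_000.0),
    }
    base_ale = annualized_loss(baseline, sle)
    result: Dict[str, object] = {"baseline_ale": base_ale}
    for name, (tree, cost) in options.items():
        ale = annualized_loss(tree, sle)
        reduction = base_ale - ale
        # ROSI: (loss avoided - cost of control) / cost of control
        result[name] = {"ale": ale, "cost": cost,
                        "rosi": (reduction - cost) / cost}
    return result


if __name__ == "__main__":
    for cut in minimal_cut_sets(build_tree(0.3, 0.5, 0.6, 0.5)):
        print("cut set:", sorted(cut))
    for k, v in compare_architectures().items():
        print(k, v)
```

With the constructed figures the baseline annualized loss is 405,000; the MFA option lowers it to 175,500 at a cost of 60,000 (ROSI 2.8), while the patch SLA lowers it to 321,000 at a cost of 40,000 (ROSI 1.1), so the tree argues for MFA first. The value of the exercise is less the numbers than the discipline: the cut sets make explicit which pairs of failures management is betting will not coincide.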

Security policies and procedures are the starting point of establishing a central security initiative.

Operations

Made up mainly of physical, administrative and technical security, the operations layer ensures secure operation of the components integrated into the infrastructure. Disaster recovery procedures [5], business continuity planning, remote backup facilities, secure integration of applications, middleware and back-end layers, and documentation of the various infrastructure elements all have to be in place to meet operational security and continuity needs. The National Institute of Standards and Technology (NIST) [10] and CERT [8] have published several guidelines and checklists that address this layer’s requirements.

Technology

Enterprises build and acquire solutions to accomplish their business goals and processes. Recently the trend has been shifting toward procuring commercial off-the-shelf (COTS) products [22]. Many federal regulations, including FISMA, strongly recommend that agencies consider purchasing pre-built, integrated software for regulatory compliance from large software vendors.

Security metrics are essentially the processes and tools that support upper management in decisions about the performance, accountability and reporting processes associated with the security program. An effective security metrics program provides useful data for the allocation of resources. A structured program built on the top-down approach is a prerequisite for any metrics program. The NIST [10] guide SP 800-55, Security Metrics Guide for Information Technology Systems, discusses the components of an organizational metrics program and the means to accomplish it. Information gathered from the various layers feeds the metrics program, which in turn gives upper management the input to translate investments into a comprehensible return.

Framework and security model based approach

Recently, the Business Software Alliance [23] observed that a top-down approach would be ineffective unless there was a “governance framework” in place in the upper layers that defined roles and delegated responsibilities within the management structure. FISMA likewise strongly emphasizes the importance of team members knowing where responsibilities lie.

Such a framework can accelerate progress and increase management’s accountability, as discussed in the PricewaterhouseCoopers [24] paper Excellence in Security. The Information Systems Audit and Control Association [12] has published its collection of documents on governance and control objectives as an online resource known as COBIT [12].

Conclusion

Companies small and large all have to lay out a clear roadmap and a coherent infrastructure for their security needs. Following due diligence not only sustains and protects the business; it also prepares the enterprise for future compliance needs. Treat security more as a governance issue than as a technology issue.

References

1. http://cybercrimes.net/Terrorism/terrorism.html
2. www.spammingbureau.com
3. www.consumer.gov/idtheft/
4. Gartner Inc., IT Security Technologies Can Address Regulatory Compliance (February 2004)
5. http://secinf.net/disaster_recovery
6. Rainbow Technologies Inc., The Definitive Guide to Identity Management
7. HIPAA Privacy, Security and Legal Implications, www.rx2000.org
8. www.cert.org
9. www.iso-17799.com
10. www.nist.gov
11. FISMA resource at www.chips.navy.mil
12. http://isaca.org
13. www.sarbanes-oxley.com
14. www.hhs.gov/ocr/hipaa
15. www.ftc.gov/privacy/glbact/glb-faq.htm
16. www.fda.gov/ora/compliance_ref/part11/
17. www.epic.org/privacy/terrorism/hr3162.html
18. www.ferc.gov/legal/ferc-regs.asp
19. www.bis.org
20. www.iso-standards-international.com/
21. The Standard of Good Practice for Information Security, www.securityforum.org
22. www.sei.cmu.edu/cbs/
23. Information Security Governance: Toward a Framework for Action, www.bsa.org
24. Excellence in Security, www.pwc.com