Edition e1.0.0
Updated October 9, 2023
🚀 As explained by Laura
When discussing security management for a business, it helps to have a structure to work with. This structure will group the measures you can take by the type of action and impacted areas of the business, letting you review and approach each area in turn rather than trying to tackle everything at once.
There are a number of frameworks for information security, each of which defines its own version of these areas. In this section we will cover a simplified version of the international standard framework, ISO 27001.
| Domain | Aim |
|---|---|
| Security policy | Sets the direction and expectations for security within a business, often aiming to align the business with customer, business, legal or regulatory requirements. |
| Organization of information security | Provides a structure for managing security within the business, both in terms of internal roles and ownership and how risk is managed when working with external parties. |
| Asset management | Understands, monitors and protects business assets such as computers, files, and devices, as well as the information stored on them. |
| Human resources security | Considers security throughout a person’s employment with your business, from initial hire, to the evolution of their role and their eventual exit. |
| Physical and environmental security | Prevents unauthorized access to sensitive business areas and protects the devices, information, and people within them. |
| Communications and operations management | Manages the security impacts of many of our business’s operational processes, including communications, working with third-party service providers, planning technology projects and handling information. |
| Access control | Controls access to systems, devices, or processes that handle sensitive or critical business information, preventing access by those without a need for it. |
| Information systems acquisition, development and maintenance | Weaves security into our processes for procuring, designing, building, configuring and maintaining systems so that vulnerabilities can be avoided or identified early and addressed. |
| Information security incident management | Provides mechanisms for security events and weaknesses to be reported within the organization and corrected, as well as creating a feedback loop to capture lessons learned from security incidents and vulnerabilities. |
| Business continuity management | Prepares the business and its critical processes to recover from major disruptions and incidents, minimizing their impact and the time taken to resume operations. |
| Compliance | Ensures and validates that the business meets internal, legal, contractual and regulatory information security requirements. |
While there is no need for you to memorize the above domains, it’s worth familiarizing yourself with the structure and some common themes.
Specifically, you’ll notice that all of the above domains fit into one of three themes: management, prevention, and response.
**Definition** Management domains aim to set the direction and security expectations for your organization, and will often involve thinking about and planning how you would like security to be handled by your team. These practices and associated policies are then used as a measure to decide if your team has met your expectations when approaching security tasks.
**Definition** Prevention domains aim to identify risks and threats that apply to your business and take steps to reduce the likelihood of them happening. While there are no guarantees in security, and rarely can we be sure that we have stopped a security vulnerability from occurring, prevention aims to do the best we can to protect what matters.
**Definition** Response domains are those focused on events that could potentially happen. They are the mechanisms we use to predict and plan for security incidents and disruptions to our operations. These domains act like the cards in the seat back of your plane. While we all hope nothing goes wrong on our flight, we know it’s important to read the card and know what to do—just in case. These domains aim to respond quickly and effectively as bad things happen, so that we can minimize the impact on the business and restore operations to normal as soon as possible.
Let’s reorganize our domains by these categories.
| Management | Prevention | Response |
|---|---|---|
| Security policy | Asset management | Information security incident management |
| Organization of information security | Human resources security | Business continuity management |
| Compliance | Physical and environmental security | |
| | Communications and operations management | |
| | Access control | |
| | Information systems acquisition, development and maintenance | |
As this table shows, there is far more to do when practically protecting our data and preventing security incidents than when managing our security approach or planning our response. While the table is a simplification, it’s a useful reminder that our security to-do list is long and mostly consists of changes we need to make to our systems and processes, rather than just creating documentation.
🚀 As explained by Laura
When it comes to figuring out how much security is “enough” for your business, there is no “one-size-fits-all” template you can follow. Use the following prompts to understand how your business, industry, and aspirations will affect how much or how little security will be needed for your stage.
Factors affecting your minimum viable security requirements: