Monday, February 3, 2020

7 Steps to Stronger Security

Achieving compliance and enhanced security can seem overwhelming when faced with a long list of individual controls and findings. Getting support from executives and stakeholders is also challenging. To organize the effort and communicate with executives and stakeholders, the following 7-step approach is helpful.

The chart below defines roles and responsibilities. In less mature organizations, stakeholders and executives may look to InfoSec to take care of compliance and security tasks. InfoSec is responsible for leading the efforts and deploying its set of controls but other departments will need to deploy, use and maintain controls.

The seven steps are repeated for each security topic, such as access management, configuration management, training, etc. Less mature organizations focus on just the first two steps: “Define Policies” and “Deploy Controls”. Although completing the first two steps is a great start that should be celebrated, it is insufficient to achieve compliance.

Please note that “Business Owner” is used broadly. For example, for configuration management, the Business Owner is Engineering. In some cases, the Business Owner is InfoSec such as for Risk Management and Incident Response.


Activity / Primary Responsibility

1. Define policies
   InfoSec reviews in-scope regulations, frameworks and HIQ documents to develop and publish consolidated policies.
   Legal, HR, Finance review and approve function-related topics.

2. Deploy controls
   Business Owners deploy technical, administrative, and physical controls.
   InfoSec approves the proposed solution to satisfy the controls.

3. Develop procedures
   Business Owners develop procedures on how to use the controls.
   InfoSec provides templates and approves procedures. There may be several procedures that support a policy, since different departments, technologies or systems require different approaches.

4. Use controls and procedure(s)
   Business Owners use and enforce controls and related procedures consistently.
   InfoSec works with Business Owners to handle exceptions.

5. Measure usage of controls
   Business Owners develop metrics to measure how well controls are satisfied. Business Owners correct significant deviations.
   InfoSec receives reports and consolidates them into a scorecard.

6. Complete annual assessment
   Assessor reviews controls and provides findings and observations.
   Business Owners provide samples that the Assessor requests.
   Business Owners remediate all findings.
   InfoSec packages evidence provided by the Business Owner that controls are satisfied.
   InfoSec orchestrates the assessment and manages the Assessor.

7. Maintain
   Business Owners complete steps 2 – 6 for any new controls.
   Business Owners complete an annual review of deployed controls and upgrade as necessary. For example, tools used to satisfy controls require regular upgrades.
   InfoSec updates the policy as required (new regulations, new risks).
