I believe a great concept was introduced by ITIL with the definition of “Portfolios” or “Catalogues”. The idea is quite simple and of great use: define your services, spend some time thinking about what they cost, what they deliver, for whom, how you measure their efficacy and, if you are brave enough, their efficiency.

Having this information provides a wealth of inputs for prioritising tasks, projects, operational incidents, etc.

This same concept applies without much trouble to Security. Most Security Departments provide services of some type: Account Reviews, Firewalls, Physical Controls, etc. They might deliver those by themselves or using a third party (perhaps an IT department, perhaps an outsourced team). Still, it is the same.

The added value I see in applying this concept (not really a novelty by 2013) to Security Departments is in recording what each control is actually mitigating (Risks, Compliance Requirements, etc.):

  • You can finally visualize the “Mitigation effort” (the Security Control or Controls from the catalogue) vs the “Mitigation Target” (risk, compliance, etc.). Is it really worth it?
  • You will find that one control applies to multiple “Mitigation Targets”. It’s actually a many-to-many relation, and when you deal with multiple compliance requirements this catalogue approach is a huge time-saver.

We used this successfully in the last year. We found Physical Controls were hugely expensive (OPEX, CAPEX, Resources) and time consuming (Access Reviews, CCTV systems with issues, Doors not closing well, etc.). On the other side, we hardly had an incident of this type (Theft, etc.), and even though they were required by most compliance requirements, we knew we were well beyond the requirements and could afford to simplify the control without risking compliance. Risk wise, this control mitigated medium to low risks (whatever that meant to us).

On the other side, User Account reviews had almost no cost (at least in financial terms) but had been the subject of findings in nearly every internal audit. This item was matched to most Risk Assets and Third Parties (so it ranked much higher) and was in every single compliance requirement. Besides, we always get audited on this.

Graphically it’s not difficult to see this with eramba:

Look at the OPEX: it is massive (and this is only manned guards) while the Risk Score is really low (this is calculated by summing the scores of all the risks where this control is used), and so is the number of compliance items.

Now look at the Active Directory reviews … they don’t involve CAPEX or OPEX (other than 20 days a year of human effort), the Risk Score is huge (58 compared to 4 for the manned guards) and the number of mitigations (how many times this control is used to mitigate a compliance requirement) is three times higher.

I don’t mean to stop investing in Physical Security, it’s still on the Risk and Compliance landscape, but certainly that level of investment could be used for controls where the Criticality is higher and the human involvement is big (20 days a year).

The way we document Security Controls in eramba is quite simple but still useful:

If you need to improve the efficiency of resources (human, financial, etc.) you are simply one sort away from that information. Let’s say you need resource efficiency: sort controls by the level of resources required to support them and look for ways of automating those actions.
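The many-to-many catalogue, the Risk Score as a sum over mapped risks, the mitigation count over compliance requirements, and the sort by resources can all be modelled in a few lines. This is an added example written for this post, not eramba code; the controls, risks, requirement labels, cost figures and day rate are constructed so that the totals match the figures quoted above (58 vs 4, three times the mitigations, 20 days of effort).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    opex: float         # yearly running cost, e.g. guard contracts
    capex: float        # one-off spend, e.g. CCTV or door hardware
    effort_days: float  # internal human effort per year


# Constructed catalogue (not eramba data); figures echo the post's example.
CONTROLS = [
    Control("Manned guards", opex=300_000, capex=0, effort_days=0),
    Control("Active Directory reviews", opex=0, capex=0, effort_days=20),
]

# Risk register: risk -> (score, controls mitigating it). Many-to-many.
RISKS = {
    "Theft from office": (4, {"Manned guards"}),
    "Orphaned accounts after leavers": (20, {"Active Directory reviews"}),
    "Privilege creep": (18, {"Active Directory reviews"}),
    "Third-party account misuse": (20, {"Active Directory reviews"}),
}

# Compliance requirements (constructed labels) -> controls mapped to them.
COMPLIANCE = {
    "Req-1 access rights review": {"Active Directory reviews"},
    "Req-2 leaver deprovisioning": {"Active Directory reviews"},
    "Req-3 third-party access": {"Active Directory reviews"},
    "Req-4 physical entry control": {"Manned guards"},
}


def risk_score(control: str, risks=RISKS) -> int:
    """Sum of the scores of every risk this control is used to mitigate."""
    return sum(score for score, ctrls in risks.values() if control in ctrls)


def mitigation_count(control: str, compliance=COMPLIANCE) -> int:
    """How many compliance requirements this control is mapped to."""
    return sum(1 for ctrls in compliance.values() if control in ctrls)


def catalogue_report(controls=CONTROLS, day_rate=500.0) -> list:
    """One row per control with its total cost (effort priced at day_rate),
    sorted by cost descending so the heaviest controls come first."""
    rows = [{"control": c.name,
             "cost": c.opex + c.capex + c.effort_days * day_rate,
             "risk_score": risk_score(c.name),
             "mitigations": mitigation_count(c.name)} for c in controls]
    return sorted(rows, key=lambda r: r["cost"], reverse=True)
```

A control that sits at the top of `catalogue_report()` with a low `risk_score` and few `mitigations` is exactly the candidate for simplification the post describes.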

I’m a big fan of Control Catalogues. They provide me with the information I need to report and make decisions. It’s hard to build them the first time, but it pays off very well.

Cheers – Esteban