Given all the attention-grabbing headlines around cybersecurity, and the strong desire to avoid becoming one of those headlines, it’s tempting for many businesses and organizations to hand over responsibility for information security to an external managed security service provider (MSSP) and move on.
But such an approach often fails to consider that security programs consist of multiple areas of focus, one of which is information security. Other programs include physical security and personnel security, among others. Rather than setting up cybersecurity programs in isolation, organizations should look to integrate information security within the context of a holistic security program that delivers the ultimate goal of “mission assurance.”
Under the umbrella of mission assurance are the three building blocks of safety, durability and resilience, which are ideally supported by a security program, an incident response program and a business continuity program. The security program should provide the ability to avoid, deter, prevent, or rapidly detect and negate incidents before damage is realized. Should an incident occur despite the protection offered by the security program, the organization then initiates its incident response plan.
Incident response programs should incorporate a variety of different incident categories, including information security incidents. Other categories might involve criminal behavior, significant employee misconduct, and other event types that may have significant consequences but don’t actually disrupt business operations. Events severe enough to disrupt operations are when business continuity plans come into play.
A business continuity program provides a unified set of supporting plans that range from disaster recovery to crisis communications. The programs are mainly focused on restoring critical business functions (CBFs) to acceptable operating levels after a disruption. Information security should support business continuity planning by identifying where organizations’ CBFs depend on information and IT and providing the means to meet those needs quickly without sacrificing information security.
Information security is just one aspect of a comprehensive mission assurance program, but should be woven throughout.
Information security is a component within each of the security and continuity programs. It goes beyond most other program components, however, because of the ubiquity of information and information technology within modern organizations. Information security programs must include considerations for physical security, personnel security, and other topics that go far beyond the scope of IT systems. An information security program may include a variety of issue-specific policies including:
- Information Security Awareness Training Policy (touches personnel security and administration)
- Information Systems Acceptable Use Policy (touches personnel security and administration)
- Information Systems User Management Policy (touches personnel security and administration)
- Information Systems Configuration, Change, and Vulnerability Management Policy
- Information Systems Access Control Policy
- Information Systems Continuous Monitoring Policy
- Information Systems Physical Security Policy (touches physical security)
- Communications Security Policy
- Data Retention and Disposal Security Policy (touches physical security)
- Secure Software Development Lifecycle Policy
Looking at this policy list, several are clearly concerned with other aspects of a robust security program, such as security facilities and personnel, which have their own policies and complexities. As such, cyber programs can’t supersede or override any policies developed for adjacent security programs. Instead, information security requirements must be coordinated and cross-referenced with other security programs wherever they cross into other programs’ domains. Here are some examples:
- Information Systems Acceptable Use Policy <-> Reference in the Employee Handbook
- Information Security Awareness Training Policy <-> Reference in the Employee Training Standards
- Information Systems User Management Policy <-> Reference in the Employee Hiring, Transfer, and Termination Procedures
- Information Systems Physical Security Policy <-> Reference in the Facility Security Plan
- Data Retention and Disposal Policy <-> Reference in the Document Handling Policy
These relationships between programs illustrate how information security should be part of a larger, collaborative effort that involves multiple stakeholders. While it can be tempting for many organizations to bring in an MSSP and assign them a narrow focus to improve information security, the broader goal of mission assurance is much more likely to be achieved if the MSSP is integrated not only into the security program but incident response and business continuity programs as well.