CHAPTER 8: IMPLEMENTATION TIPS

There are different ways to approach cyber security, and the ‘right’ one will depend on your organisation’s specific needs. Nevertheless, after helping many organisations improve their security over several decades, here at IT Governance, we have learned what organisations should do to ensure their implementation project is a success.

Establish requirements and objectives

One of the first things you should do in any security project is to establish exactly what your security requirements and objectives are, because this will shape other early-stage planning such as gathering the necessary resources and scoping. Here are some points to consider:

What security-related regulatory and contractual requirements do I have?

What are my customers’ expectations with respect to security?

What are my partners and competitors doing in terms of security?

How mature is my current security?

It is important you clearly document your security requirements and objectives, and make sure they align to your business goals.

Define scope

Scoping is fundamental to any project. You need to know the boundaries of what you are planning to implement, which you can derive from the requirements and objectives you should have already established. To meet those requirements and objectives, which assets do you need to protect? Which can you exclude? By documenting the justifications for any exclusions, as well as double-checking you have accounted for all your requirements and objectives, you can ensure that your scope is not too narrow.

The larger and more complex your organisation, the harder it will be to determine your scope. Small and medium-sized businesses should find it easier to establish their scope: the whole organisation. This is because there will probably be fundamental connections between all the information systems and day-to-day working relationships within the business that make it either extremely difficult or impractical to try to segregate one part of the organisation from another.

The notion of segregation lies at the heart of effective scoping: ultimately, you are going to try to create an impregnable barrier between the part of your organisation that is within the scope of your project and everything else. You have to be categorical about what is inside your information fortress and what is outside – no information systems, devices or business units should be both inside and outside, because that would be your weak point in the wall.

Whatever your scope, make sure you clearly document it. Also be sure to check that you have accounted for portable devices and Cloud-based components – if your organisation uses them, your documented scope needs to clearly include or exclude them.

Define roles and responsibilities

While every member of staff has general security responsibilities, like choosing secure passwords and not leaving paperwork lying around, you will also need dedicated security roles and responsibilities to, for example, implement your chosen security measures. You will also need to assign responsibilities for performing security activities like reviewing security configurations or investigating anomalies that could signify a security breach. Owners of processes that have direct security implications, like data processing activities, can also be considered to have a security role or security responsibilities.

You will also need a security manager – the person responsible for maintaining your overall security programme. They will likely also be the first point of contact if there is a security issue. In fact, there are usually legal requirements that stipulate you must assign responsibilities for communicating with data subjects and relevant authorities, conducting impact assessments, and so on. A particularly well-known example is the data protection officer (DPO) role under the GDPR.

Many such security-specific responsibilities require specialised skills and ideally practical experience, which many organisations, especially smaller ones, do not tend to have among existing staff. For those organisations, outsourcing those responsibilities can be an extremely cost-effective solution. That said, even if you outsource, you need to identify your competence needs first, and preferably at an early stage of your security project. Also make sure that the people given security responsibilities, whether internal or not, have the authority to perform the activities they are responsible for.

Remember your documentation

Chapter 5 mentioned that an effective security system requires people, processes and technology, but that the first two are often neglected. As a result, implemented measures can become partially or completely ineffective. However, for people and processes to be truly effective from a security standpoint, you need supporting documentation such as policies, procedures and records. These allow your processes to be clearly and efficiently communicated to all people who need to know about them, as well as ensure those processes are consistently followed.

The very act of documenting your security-related processes (as well as producing all other necessary documentation) has other advantages too, such as developing a much greater depth of knowledge and awareness of how to implement and maintain security, as well as providing solid records of the decisions made (for example, the controls you selected and the justifications for them). It will also help you look at existing processes with fresh eyes, so you can identify and eliminate inefficiencies.

Documenting your processes also makes it much easier to review them at regular intervals further down the line, whether by the process owner or a fresh pair of eyes (such as a new starter’s), and communicate any updates or improvements. Make sure you use version control, so it is always clear which is the latest document.

Furthermore, keeping good records and other documentation will help demonstrate your security efforts to an auditor or a regulator, should you be subject to an audit or investigation. For your documentation to truly reflect how you do security, however, it must be considered and developed from an early stage in your security project.

Chapter 23 goes into more detail on the different types of documentation and the purpose of each.

Conduct a gap analysis

Here at IT Governance, we usually recommend conducting a gap analysis when embarking on an implementation project, particularly when looking to achieve compliance with a particular cyber security (or data privacy) law or framework, like the GDPR or ISO 27001. However, you can also use it even if you do not intend to achieve compliance with any specific framework.

That said, for a gap analysis to work, you need to define your ideal target state. This will almost certainly be based on your risk assessment results. Once you have defined your target, you can compare it against your current security and identify where there are any shortfalls. Those are the gaps you can then use as the basis for your implementation or project plan. At this stage, that can be a very high-level one, but it should make key objectives, responsibilities, timelines and required resources clear.
