In the last posting we discussed convergence security, which combines physical and information security. Today, in the sixth posting of our series, we'll look at how to adopt a security management system.
Security is now understood to be necessary regardless of a company's size. According to a 2013 survey of small businesses in Korea, 10.2% of them had experienced damage caused by technology leaks in the previous three years, and a single leak resulted in losses of nearly $1.6 million. According to a report on the Technology Protection Policy and Its Tasks, the protective capability of small businesses in Korea still remains at the 'vulnerable' level, scoring about 43.3 points; their scores reach only about 66.1% of what large companies earned.
Another reason small businesses are pushed to learn more about security is the issues that have emerged while managing partnered companies. The cause of the recent security incident at financial companies was revealed to be staff members of partnered companies, which led to regulations strengthening the management and supervision of partners. The Privacy Act also emphasizes the responsibility of the consigned company, the partner entrusted with personal information, for managing that information.
Large corporations, which already have their own security measures in place, are adopting tougher management rules for partners, and those partners are usually small businesses. This has created a need for stronger security measures in small companies as well. Many partnered companies, however, do not have a deep understanding of security even though they are asked to adopt a better security strategy. First of all, few of them have staff dedicated solely to security work, because of a shortage of personnel. Even where there is a security manager, a lack of expertise keeps them from actually pushing security projects through.
Through this posting, LG CNS would like to share some information and help those security managers address their concerns about adopting a new security management system.
Security exists to protect resources from external threats, and a security management system is designed to define which resources are worth protecting and why, and to establish the procedures to follow in order to protect them. One of the most important roles of a management system is to assign specific roles and responsibilities to the right people so that the entire process operates smoothly.
[Chart 1] shows an example of a security management system. It builds a decision-making structure around a security committee for governance and runs the PDCA (Plan-Do-Check-Act) cycle. It uses the ISO27001 certification framework as the base for that cycle and ties it to the business strategy while responding to security threats and meeting regulations and supervisory standards.
It is good to keep three things in mind when starting to construct a security management system, which together form a GRC (Governance, Risk, and Compliance) approach: an effective system for executing security policy, responses derived from security risk analysis, and compliance with regulations.
What governance requires is a security review system carried out by management. This provides final decision making and approval for annual and mid/long-term security plans, while examining the results of risk evaluations and vulnerability check-ups. Management also receives regular reports on the effectiveness of current security plans and reviews improvement plans.
The next is to establish security measures derived from the identified risks and to manage those risks through regular risk evaluations. There are many methods of risk management; you can get a better idea of them from another posting, the LG CNS approach to security risk analysis (http://www.lgcnsblog.com/features/when-will-our-office-be-completely-secure-approaches-to-security-risk-analysis/).
The last is to examine the regulations and supervisory standards on a regular basis and establish measures that reflect them. It may be difficult to apply all the related regulations at the beginning, so it is good to start with the ones currently receiving the most attention and then continuously complement them by consulting the staff in charge about the details. Consider getting help from an expert if you have difficulty.
The most common approach is to derive the basic requirements and then establish security rules that satisfy them. The requirements can be drawn from the items a security management system needs and from what the related regulations specify. This defines which items will be applied and becomes the basis of the system.
This approach, however, also carries high risk: a team running such a project for the first time can be overwhelmed by the volume of related documents and by the unclear boundaries of security definitions. Papers such as "The Execution Guideline on Specific Security Control to Protect Technologies of Small Business" will help you understand what to do in detail. It is also worth examining the security management certification and evaluation systems that each country has created.
For your information, Korea has ISO27001 (International Organization for Standardization), ISMS (Information Security Management System), PIMS (Personal Information Management System), PIPL (Personal Information Protection Level), and the Information Security Preparation Evaluation as its security management certifications.
The next approach is to take a best practice and tailor it to fit the company better. The risk of this method is that you may pick the wrong case as the best practice, but it is more realistic than the textbook-like establishment method. The following table, part of the information security standards framework from LG CNS, is presented as an example of best practice.
The best practice method requires collecting information from the Internet or from related companies, and this can be difficult because the field of security is built on limited access to valuable information. Nevertheless, this approach is still a feasible way to start with a new system.
One of the things to consider while establishing a security management system is whether there will be personnel specifically assigned to security work. Whether or not someone is designated for security largely decides how broad the security work can be. You can also judge whether the company needs someone assigned only to security by considering which tasks are needed to keep everything secure.
With [Chart 2] as a reference for what needs to be done to maintain a security management system, you can estimate how many staff members will be necessary to perform the key tasks. The specific security activities can then be built up on the basis of this process.
We have talked a lot about how to adopt a security management system, but what needs to be considered when adopting a new system?
Many people want to create a perfect system all at once when adopting a new security management system, but the so-called 'perfect system' does not exist. As you keep working on it, the system progresses toward a more complete state. What matters is to figure out what you can make possible, start there, and then incorporate more to expand its scope as it goes on.
One of the defining characteristics of security is that it is not just the security manager's job but that of every member of the organization. Security measures may also make some people uncomfortable, since their precondition is that no one can be trusted. Once you think of security this way, it may seem like just an annoying procedure that always gets in your way.
In this case, the person in charge of security ends up feeling lost about what to do with the security management system, and security measures may even be left behind as a secondary task, limiting their real-world usefulness. One of the biggest difficulties in security, therefore, is to keep its importance understood by everyone while making sure the workers still feel trusted.
I hope this posting helps those who are about to take their first step toward adopting a new security management system. I also look forward to seeing more companies with a safe system suited to the characteristics of their organization.
In the seventh posting, we will learn about the security vulnerabilities of IoT and their countermeasures.
Written by Wonkye Choi, deputy department head at LG CNS Security Consulting Team
Links to the previous articles in this series
Countermeasures to Card Security Issues Focusing on Access Card Duplication
– A to Z Security Consulting from LG CNS (1) –
Security Information and Event Management Solution
– A to Z Security Consulting from LG CNS (2) –
How Well Is Your Medical Data Secured?
– A to Z Security Consulting from LG CNS (3) –
When Will Our Office Be Completely Secure? (Approaches to Security Risk Analysis)
– Security Consulting A to Z with LG CNS (Part 4) –
Physical Security and Information Security into Convergence Security
– A to Z Security Consulting from LG CNS (5) –