The Security Improvement Cycle – 5 key components
Kaon Security advocates applying the Security Improvement Cycle in every organisation, and we have developed professional services and capabilities covering the complete cycle to help organisations build their security posture over time and reduce cyber security risk. Close, long-term partnerships with our customers are what ultimately produce the best results, giving executive management and board members confidence that those risks are being addressed in a measured and effective way.
Establish or Adjust Policy
IT policies aligned to international best practice are the foundation of an organisation's security posture. As the business evolves, compliance demands change and the threat landscape shifts, policies should be adjusted so that they continue to describe accurately the expected level of protection for information and systems.
Promote Security Awareness
User awareness of IT policies and of current threats should be driven through proactive campaigns; otherwise human error will leave the organisation vulnerable. Each organisation is different, so awareness campaigns and training methods should be tailored to fit the culture and maturity of the business.
Implement Processes and Procedures
Processes and procedures need to be documented and consistently followed to maintain a robust security posture. Operational security has to reflect the company's policies and be a team effort between management, human resources and IT. This effort must cover business-as-usual processes such as patch and change management, but also incident response and BCP/DR plans that limit the impact of a cyberattack when one occurs.
Implement Technical Controls
Technical controls, whether conventional or more advanced defences, need to be configured to reflect policy and, ideally, to automate aspects of security operations in line with the company's processes and procedures.
Audit and Monitor for Compliance
Security auditing should be conducted annually to identify weaknesses in human factors, operational processes or controls. Because the threat landscape changes continuously, this periodic testing needs to be supplemented by continuous monitoring of the environment to identify and report on anomalies and attacks between audits. Audit results very commonly indicate a need for further improvements in policies, awareness, procedures and controls, and so the improvement cycle continues until the organisation's security posture reaches its desired target state and stays there.
These five key components of the cycle are intrinsically linked: adjusting or improving one area normally requires a change in the others. Ignoring one of these components inevitably makes it the weakest link in the chain and potentially compromises the overall strength of the organisation's security posture.