Information security must be managed in a neatly structured way. This is the subject of the fifth GRC: Be Connected! webinar, including some views on popular ‘frameworks’ such as CISM, NIST and ISO 27001.
GRC: Be Connected! about information security management
For the first speaker, Marc Vael, CISO at ESKO (‘The real strategic value of CISM’), three certifications structured his career and his approach to information security management: (ISC)2’s CISSP (in 1994), C-CISO (2004) and in particular ISACA’s CISM (2007). Starting out in a world without specific security-focused courses, he embarked on his path to becoming a CISO by self-analysis: what do I like to do? Although he studied applied economics, he loved IT. Through continuous (self-)study and a series of jobs (development, quality assurance, auditing…), he leveraged his certifications into his rich career to date.
His use of CISM’s structured approach ensures alignment between ‘what you do’ and the goals of your organization. At ESKO, his information security management covers six aspects: security governance/risk, security business support, security operations, IT compliance, security innovation (important!) and security incidents. Some final advice? Keep abreast of threats and the changing world of cyber security; stick a CISO mind map to the wall to remember the many facets of your role; and live by the CISO success formula (4C x 3I x 2S x 0, as explained in the presentation).
A different approach is taken by Taco Mulder, CISO at CHU-UVC Brugmann-HUDERF, as determined by the infrastructure in his care: hospitals (‘Practical implementation of security in critical infrastructures’). His business risks pertain to patients, employees and hospitals, with data requiring protection both in IT systems and on paper! And yes, hospitals are hot targets for attacks due to the nature and value of the data involved (attackers deem hospitals more willing to pay a stiff ransom when literally vital data are made unavailable through malicious encryption). Taco Mulder works from the top down (starting with top management) through Cobit 2019 design factors, descending through all layers to all stakeholders in the hospitals.
The framework he applies is the NIST framework, appropriate for critical infrastructures. Of critical importance is the RACI model (Responsible, Accountable, Consulted, Informed), in order to be clear about where responsibility resides, complemented by the certainty that everybody everywhere is on par regarding security understanding. Next is risk management in all its aspects, requiring, among other things, plenty of walking around and talking to people; tackling security needs in a sensible (and affordable) way; and establishing cooperation (e.g. between IT and HR). Finally, it is a matter of establishing and maintaining an information security programme. With yet another vital final piece of advice: start immediately with an incident response programme, now!
An intriguing question: how to move hospitals away from putting safety ahead of security, or Covid ahead of Cobit? Explain the added value of security and Cobit, and make a solid business case for security! And interestingly: yes, Taco Mulder prefers to combine the roles of CISO and DPO!
The third speaker, Gaël Hachez, Director of the Cyber & Privacy Department at PwC Belgium, highlights a clear trend in Belgium at both large and small(er) companies towards ISO 27001 certification (‘Why and how implement an information security management system’). Clearly, even smaller companies see 27001 certification as a less onerous way of fulfilling more stringent security requirements. Indeed, large companies are increasingly demanding proof of a solid security posture across more segments of their supply ‘chains’, causing a ripple-down effect. Strictly speaking, companies don’t need to follow a standard for their security, but a standard does provide structure and helps you not to neglect important aspects. Also, standards may be obligatory (e.g., CMMC for companies aspiring to do business with the US Department of Defense).
As a result, this presentation rather took on the format of a tutorial on how to obtain 27001 certification, discussing the many steps and potential pitfalls. Starting with an absolute cornerstone: do appoint an ‘owner’. Further down the line, expect the asset inventory to produce most (or at least many) of the choke points. Risk management must be discussed with top management and yes, they probably will (initially) demand ‘no risk’ without a price tag.
Pay attention to the ‘statement of applicability’, as it is a must for certification. Do invest in awareness training. It will take many steps before you actually get to putting your information security management system into operation. Get through the certification process and understand that there will probably still be deficiencies. This is acceptable, provided there is a roadmap for continuous improvement. And here a final piece of advice as well: smash the company silos and integrate multiple risk assessments into one assessment.