In the field of offense and defense, the defender is inherently in a disadvantaged position, and must use limited resources to fight against unlimited unknown threats. In security activities, are you acting as a firefighter, or are you formalizing security procedures, and in the face of threats, are you methodically and quietly turning them into danger?

At present, many safety leaders are working on their safety management plans for 2021. A process-centric approach to safety management can effectively improve the efficiency and effectiveness of safety management. But how should corporate security leaders manage their processes? There are three main steps:

Develop a security process catalog that articulates the expected state of the process to be achieved.

According to the security process catalog and the resource status of the enterprise itself, the priority of the security process is selectively determined.

For security processes that have been identified to be prioritized and implemented, formalize these prioritized processes by evaluating existing processes, segregation of responsibilities, formalization, and resource allocation.

Develop a catalog of security processes

To carry out effective security process management, it is first necessary to formulate a security process catalogue and identify the security processes to be implemented and gradually developed in the next 2-4 years. The following figure lists a detailed information security process scenario model.

　　Figure 1: Example of a Security Management Process Scenario Model

Governance Process – A security governance process ensures that reasonable and appropriate measures are taken to protect an organization’s information resources in the most effective and efficient manner to achieve its business objectives. Although the governance process is an integral part of the overall security process model, it is usually not the responsibility of the security department.

Planning Process – Planning processes tend to be cyclical rather than continuous, and typically cover strategic activities related to the management of an organization’s security program, including strategy development, annual planning, security architecture design, and more.

Construction Process – The construction process is related to the establishment of a security ecosystem, and includes three interrelated processes: control measures and policy management, process management, and system integration.

Operational Processes – Operational processes include the processes that support the relationship between the security team and the rest of the organization (interaction processes) and those that govern day-to-day security (protection processes).

The security process management solutions listed in the figure above are very detailed and involve a wide range of specific implementation processes, which are more suitable for large organizations with relatively mature security plans. For organizations with early-stage security programs or resource-constrained organizations, focus on safeguarding processes within operational processes.

　　Prioritize security processes

For most organizations, the security process is formalized and must be identified and implemented from the ground up. Instead, it needs to be modified and adapted based on the stage of development and maturity of the existing process.

Few companies can implement a complete process solution at once. A more realistic approach is to prioritize individual security processes and formally implement them in stages. Factors to consider when prioritizing individual processes include:

Which security processes are necessary for the organization to achieve minimum security standards.

What existing processes and activities can be updated and improved.

For those existing processes that clearly address significant risks, formalizing those processes should be a priority.

New process ideas that can significantly improve risk management in the short term should be prioritized.

Whether there are the required knowledge and technical resources to formalize a particular process.

The current stage and maturity of the information security program (attempting to implement a security architecture process without proper governance and organizational capabilities may be counterproductive).

　Formalize security procedures

For a specific process, the first step is to determine process ownership and then begin documenting each process. The process of formalizing the process should include the following:

Process Description – Outlines the process goals and scope.

Flowchart – includes the sub-processes that make up the process and the workflow between the activities. In the beginning, this may be a simple model that can later be decomposed into a multi-level model with more detailed information as needed.

　　Figure 2: Schematic diagram of the security incident response process

Integration Matrix – Shows integration points and interrelationships with other security, operations, and service management processes. In addition to integration points between processes, the integration matrix should identify other processes that make up that process (for example, the risk assessment process is a key part of the business continuity management process).

　　Figure 3: Schematic diagram of the process integration matrix

Skills and Staffing Needs – Indicates the amount and nature of direct and indirect human resources required for the process. If the required skills or resources are not available within the organization, it should be highlighted.

Role and Responsibility Definitions – Identify specific organizational functions that contribute to the process and the respective responsibilities of those functions. This is usually achieved through the Assignment of Responsibilities (RACI) matrix.

Metrics to measure and track process performance – More operational or managerial processes (eg, user provisioning) are better candidates for metrics than strategic processes (eg, risk management). Process metrics include service request turnaround time when access control changes are made, or average critical patch implementation time when patch management processes are made.

Automation – Identify which process components can be automated through technology.

　What security procedures must be done?

Certain processes are critical to effectively managing security and are often considered fundamental security practices. While these processes are not all required for a mature security program, they are basic processes that must be implemented to meet basic security standards.

The following six processes are at the core of enterprise security and are usually the responsibility of the CISO, some of which may not be performed by the security team but should be managed by the CISO.

Security Governance: Consists of functions and processes that ensure the right measures are in place to balance the need to protect an organization’s security and business operations.

Policy management: Identifying and documenting the specific situation of the enterprise with respect to security risks that must be controlled to meet the enterprise’s risk appetite

Publicity and education: Through publicity and education, safety awareness can be raised to a certain extent and help reshape a safer corporate culture

Identity and Access Management: The systematic management of user identities and access throughout the life cycle of an organization, including processes for administration, access (i.e. authentication and authorization), and intelligence (i.e. auditing and analysis).

Vulnerability Management: The process of identifying, assessing, and resolving security vulnerabilities in an enterprise, with a focus on an organization’s technology infrastructure

Incident Response: The level of damage caused by an incident depends heavily on the quality of the response, so it is critical to have a good incident response process

　　write at the end

In the face of the natural asymmetry in the field of attack and defense, when the scale of the enterprise is small and the development of the security defense system is not sound, it may be a last resort to adopt a temporary firefighting strategy; As it matures, security leaders should consider more effective ways to manage security. A process-centric approach to safety management can effectively improve the efficiency and effectiveness of safety management. It should be an important link that corporate safety leaders cannot ignore when planning safety management for the new year.

Starting from a detailed security process solution model, this paper introduces the four major categories of security processes that organizations should implement—governance process, planning process, build process, and operation process, and then describe how to prioritize these processes and how to formally These procedures are stipulated, and finally, the security procedures that organizations should implement to meet the minimum security standards are pointed out. It is hoped that through effective security procedure management, the effectiveness of the enterprise security defense system can be improved.