Security architecture

It is well known that the cost of making significant changes to systems increases disproportionately during the development process: late changes can be very expensive indeed.  Perhaps less obviously, the effectiveness of changes decreases during the lifecycle since late changes are more constrained by the rest of the system (just imagine trying to change the width of a bridge after the bridge piers have been built!).  The same is true of information security controls.  Generally speaking, the most cost-effective and efficient information security controls are designed into the systems architecture from scratch rather than being tacked-on later.  A solid, comprehensive and well-documented system security design or architecture based on a rational analysis of the risks therefore provides the ideal basis from which to develop and test a system’s information security controls.

Working in conjunction with project staff and management on a major development project, we can:

  • Analyse the information security risks relating to the system and its operational environment, identifying key risks to the organization that justify supplementing general ‘baseline’ security controls with specific additional control measures
  • Specify the information security control objectives in functional or business terms (e.g. “Due to the projected costs, the system must not fail during core business hours (estimated cost = $X per hour for prime-time outages), and should normally be available round-the-clock on weekdays (estimated cost = $Y per hour for out-of-hours failures).”).
  • Specify the corresponding system, procedural, management and physical controls in technical terms (e.g. “In addition to the following high-availability controls, on-line incremental backups will be required during weekday overnight slots, with off-line full backups scheduled at weekends.”).
  • Document the complete set of risks, control objectives and controls as a coherent information security design, with appropriate references to standards such as ISO/IEC 27002, COBIT and ISO 20000 (~ITIL) as well as internal company materials. 
  • Ratify the design by looking for any missing control objectives (sometimes entire classes of controls are innocently forgotten!) and reviewing the controls against the projected risks and control objectives, identifying in conjunction with IT and business people the assumptions, flawed/valid logic and any gaps.

Our consultants’ professional experience of information security, including ISO27k, helps us suggest suitable controls and identify situations where proposed controls fall short of the requirements or, in rare cases, exceed them.  Call IsecT to help design cost-effective information security controls that will minimise unacceptable risks to your business.

Copyright © 2010 IsecT Ltd.