Security Management

Introduction and Objectives

The main objectives of Security Management may be summarised as:

• Designing a security policy (in collaboration with customer and suppliers) that is aligned with the needs of the business.
• Ensuring compliance with the agreed security standards.
• Minimising the security risks threatening continuity of service.

Proper Security Management is not the (sole) responsibility of "security experts" who are unaware of other business processes. Falling into the temptation to establish security as a priority in its own right can limit the business opportunities offered by the flow of information between the different players involved and the opportunity to open up new networks and channels of communication.

Security Management needs to have an in-depth knowledge of the business and the services the IT organisation provides in order to establish security protocols ensuring that the information is accessible when needed by those people with authorisation to use it.

Once the business's security requirements have been ascertained, Security Management must oversee that these are correctly set out in the relevant SLAs so that fulfillment of them can be ensured.

Security Management should also take into account the general risks to which the IT infrastructure is exposed, and which are not necessarily stated in an SLA, so as to ensure, as far as possible, that these risks do not represent a danger to service continuity.

It is important for Security Management to be proactive and evaluate in advance the security risks that may arise from changes made to the infrastructure, new lines of business, etc.

The main benefits of proper Security Management are:

• Interruptions to service caused by viruses, computers being hacked into, etc. are avoided.
• The number of incidents is minimised.
• Information is accessible when it is needed and data integrity is preserved.
• Data confidentiality, and the privacy of customers and users, is preserved.
• Regulations on data protection are complied with.
• The perception customers and users have of the quality of service, and their confidence in it, is improved.

The main difficulties when implementing Security Management may be summarised as:

• There is insufficient commitment to the process from all the members of the IT organisation.
• Excessively restrictive security policies are established, with a negative effect on the business.
• The tools needed to monitor and guarantee the security of the service (firewalls, antivirus software, etc.) are not available.
• Staff are not given adequate training to be able to apply security protocols.
• There is a lack of coordination between the different processes, making it impossible to evaluate the risks properly.