It is essential to have a general framework in which to set all the subprocesses associated with Security Management. The complexity of the process and the interdependencies between its subprocesses call for a clear global policy defining aspects such as the objectives, responsibilities and resources.
In particular the Security Policy has to define:
- The relationship with the general business policy.
- Coordination with other IT processes.
- The protocols for access to information.
- The risk assessment procedures.
- Training programmes.
- The level of security monitoring.
- What reports need to be issued periodically.
- The scope of the Security Plan.
- The structure and people responsible for the Security Management process.
- The processes and procedures employed.
- The people in charge of each subprocess.
- The internal and external security auditors.
- The necessary resources: software, hardware and staff.
The aim of the Security Plan is to set the levels of security that need to be included as a part of the SLAs, OLAs and UCs (Service Level Agreements, Operational Level Agreements and Underpinning Contracts).
This plan has to be drawn up in cooperation with Service Level Management, which is ultimately responsible both for the quality of the service delivered to customers and for the service the IT organisation receives from external suppliers.
The Security Plan has to be defined in such a way as to offer a better and more secure service to customers, and never as an obstacle to their business activities.
Whenever possible, key metrics and indicators should be defined to allow the agreed levels of security to be evaluated.
An essential aspect to take into account is establishing consistent security protocols covering all the phases of the service and all the levels involved. "A chain is only as strong as its weakest link", so it makes no sense, for example, to establish strict access standards if an application is vulnerable to SQL injection. This may give customers an image of strength for a while, but it will be worth little once someone discovers that the back door is open.
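To make the "weakest link" point concrete, here is an added illustration that is not part of the original text: a toy login check in Python against an in-memory SQLite database. The table, the two accounts and their credentials are constructed for the example. `login_vulnerable` builds its query by string formatting, so a crafted username comments out the password clause and the "strict" credential check is bypassed entirely; `login_hardened` passes the same inputs as bound parameters, and the crafted username is simply treated as a (non-existent) name. Passwords are stored in clear only to keep the example short; a real system stores salted hashes.

```python
import sqlite3

# Constructed sample data: a tiny user table for demonstration only.
USERS = [
    ("alice", "correct horse battery staple", "admin"),
    ("bob", "hunter2", "user"),
]


def build_db():
    """Create an in-memory database with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Credential check with the user input spliced into the SQL text.

    Returns (username, role) on success, None on failure.
    A username such as  alice' --  turns the query into
      ... WHERE username = 'alice' --' AND password = '...'
    so the password clause becomes a comment and the check passes.
    """
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username, password):
    """Same check, but with bound parameters.

    The driver sends the values separately from the SQL text, so quotes
    and comment markers inside them can never change the query structure.
    """
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run both checks against the same crafted input and report the outcome."""
    conn = build_db()
    crafted_user = "alice' --"   # constructed injection payload
    wrong_password = "not-the-password"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, crafted_user, wrong_password),
        "hardened_rejected": login_hardened(conn, crafted_user, wrong_password),
        "hardened_legitimate": login_hardened(conn, "alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The payload does not need the real password at all: the access standard (username plus password) is enforced in the query, and the query is exactly what the injection rewrites. Parameter binding keeps the policy intact because the database never parses user input as SQL.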