12 Apr Selecting your Core Activities in your First 100 Days
Once you’ve gained a good understanding of the Mission Essential Functions (MEFs) of the business (refer to my previous article here), you should start thinking about the processes that will be foundational to your security program for the next 2 to 3 years. Your core activities are your must-haves, your basics: they are aimed at mitigating your business’ highest risks and are instrumental in iteratively maturing your posture in the future.
My go-to frameworks for identifying my core processes are:
- the Information Security Domains identified in Annex A of the ISO 27001 standard;
- the 5 Functions making up the NIST Cyber Security Framework;
- the CIS 20 Controls, which are more of a reference point that I use to ensure that the activities chosen cover the critical controls.
The sections below highlight how each of these frameworks serves its own purpose when selecting these processes.
The 14 ISO 27001 information security domains
- I usually select my processes directly from these domains. ISO refers to 14 different domains and 114 controls. In your first 100 days you should start by choosing your most critical processes and then focus on the rest iteratively.
- I would not suggest having more than 6 foundational processes for you or your team to manage. These will be the processes that, 3 years down the line, you should still be building on and referring to. Any other processes you add to your program should act as additions to your core activities.
- The selection of your core processes highly depends on your organisation’s strategic services and operations.
- In understanding the Mission Essential Functions of the business, you should have started to gain an understanding of the highest business risks, i.e., the risks that will impact your business’ bottom line.
- For example, if you are working in a digital business you will be facing very different risks from those facing a manufacturing organisation.
- The foundational activities that you choose should target the mitigation of the business’ highest risks and the protection of its most critical assets. Your business’ MEFs are dependent on these critical assets.
The 5 Functions making up the NIST Cyber Security Framework
The 5 Functions are: Identify; Protect; Detect; Respond; Recover.
- Together these five functions make up a continuous cycle. All 5 functions need to be practiced across an organisation, in order to gain a holistic level of information security.
- The five functions highlight the need for a balanced selection of processes. (Refer to my article on balancing your selection of controls, for more detail on this).
- When selecting your core processes, refer to the five functions to ensure that you are considering processes that will offer a balanced controls framework.
- Ensure you include governing processes that allow for the identification of your core assets and continuous assessment of your risks. Include processes that protect your assets, but also keep in mind that there is no such thing as perfect protection, and therefore monitoring and detection are key.
- Finally, should your protection fail and a detected threat succeed in causing an incident, you want to be able to react meticulously to the event and minimise the impact through an optimised response, but also through mindful recovery.
Your processes will require a balanced choice of controls to work, so referring to the top 20 CIS controls and the controls defined in Annex A of the ISO 27001 standard will always help.
My Go-to Processes
My recommendation is to always have the following processes in place (I’ve referenced the domain that includes these processes in ISO 27001):
- [D.4] Policy Management – This can also be in the form of Guidelines and Principles, depending on the culture of your organisation. Whatever you call them, make sure your colleagues know what is expected from them in the most basic of terms. Keep your policies as live documents that reflect the current business processes.
- [D.9] Identity and Access Management – Managing the identity of your employees has become crucial if you want to protect your information, and still offer employees flexibility to work comfortably from anywhere. This activity encapsulates controls that will make sure only authorised users have access to your information. I would say it is the most foundational of all activities.
- [D.7] End User Awareness – Build an awareness program that provides your organisation with regular reminders of how they should be acting securely. The program should follow an employee’s journey from joining, throughout promotions and departmental moves, up until they leave. I always prioritise measuring my awareness program, usually starting off with regular Phishing Simulations (albeit not the only KPI you will need to measure your company’s level of awareness, it should be a good start).
- [D.11] Physical and Environmental Security – The most secure technology will not be enough if anyone can roam around your premises and get their hands on laptops or easily enter server rooms. Keeping your server rooms protected, but also ensuring that your equipment and the conditions in your server room are intact, should always be a priority. If you’re unsure of the importance of this, take the OVH fire as a lesson learnt.
- [D.12 & 16] Incident Detection and Reaction – Whilst logging might be the responsibility of other teams, it is key that you identify what needs to be logged, in order for your team to set up actionable monitoring and alerting on your critical assets. For each alert you should create a step-by-step procedure on how to respond. This will reduce the risk of alert fatigue, through too many unnecessary alerts, but also ensure timely response to potential attacks.
- [D.14] Vulnerability Management – This can include an endless list of controls, especially if you are working in a digital business. What I would recommend here is to start by understanding the attack surface of your organisation, and where vulnerabilities would be most dangerous. Get those applications, networks and infrastructure tested, to gain baseline knowledge of the landscape. Then aim to have a testing plan, but also time-to-fix requirements for your tech teams to mitigate vulnerabilities based on severity (ideally discussed with them first 🙂 ).
- [D.8] Asset Management – From my experience, ownership of this process does not usually lie with the information security team. However, governing this process (e.g. start by highlighting requirements in a policy) will be critical to effective controls. It is essential to identify the assets you are protecting, but also their owner, their criticality and which processes depend on the asset.
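The Incident Detection and Reaction point above (decide what is logged, alert on your critical assets only, and give every alert a written step-by-step procedure) as an added Python example; this is not code from the original post. The asset names, the log line format, the failed-login threshold and the runbook steps are all constructed assumptions.

```python
"""Added example: raise alerts only for assets on the critical-asset list,
and attach a response procedure to each alert. Asset names, log format,
threshold and runbook steps are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical critical assets, as identified through the asset register.
CRITICAL_ASSETS = {"payroll-db", "erp-app"}

# Hypothetical threshold: failed logins for one user on one host.
FAILED_LOGIN_THRESHOLD = 3

# The step-by-step procedure an analyst follows for this alert type.
RUNBOOKS = {
    "failed-logins-critical-asset": [
        "Confirm the source address is not a known scanner or jump host.",
        "Check whether the failures were followed by a successful login.",
        "If so, disable the account and escalate to the incident lead.",
        "Record the outcome in the incident ticket.",
    ],
}


@dataclass
class Alert:
    rule: str
    asset: str
    user: str
    failures: int
    success_after: bool
    runbook: list = field(default_factory=list)


def parse_line(line):
    """Parse the constructed format '<ts> <host> auth <user> <FAIL|OK> <src>'."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "auth":
        return None  # unknown format: ignore rather than alert on noise
    ts, host, _, user, result, src = parts
    return {"ts": ts, "host": host, "user": user, "result": result, "src": src}


def detect(lines):
    """Return one Alert per (critical host, user) at or over the threshold.
    Failures on non-critical hosts are counted but never raised, which keeps
    alert volume tied to the assets that matter and limits alert fatigue."""
    failures = defaultdict(int)
    success_after = defaultdict(bool)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"])
        if ev["result"] == "FAIL":
            failures[key] += 1
        elif ev["result"] == "OK" and failures[key] > 0:
            success_after[key] = True  # a success after failures is worth noting
    alerts = []
    for (host, user), n in failures.items():
        if host in CRITICAL_ASSETS and n >= FAILED_LOGIN_THRESHOLD:
            rule = "failed-logins-critical-asset"
            alerts.append(Alert(rule, host, user, n,
                                success_after[(host, user)], RUNBOOKS[rule]))
    return alerts


# Constructed sample log: a critical host with three failures then a success,
# and a non-critical test host with four failures that should not alert.
SAMPLE_LOG = [
    "2021-04-12T08:00:01 payroll-db auth jdoe FAIL 10.0.0.5",
    "2021-04-12T08:00:02 payroll-db auth jdoe FAIL 10.0.0.5",
    "2021-04-12T08:00:03 payroll-db auth jdoe FAIL 10.0.0.5",
    "2021-04-12T08:00:04 payroll-db auth jdoe OK 10.0.0.5",
    "2021-04-12T08:01:00 wiki-test auth asmith FAIL 10.0.0.9",
    "2021-04-12T08:01:01 wiki-test auth asmith FAIL 10.0.0.9",
    "2021-04-12T08:01:02 wiki-test auth asmith FAIL 10.0.0.9",
    "2021-04-12T08:01:03 wiki-test auth asmith FAIL 10.0.0.9",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.rule}: {a.user}@{a.asset} failures={a.failures} "
              f"success_after={a.success_after}")
        for step, text in enumerate(a.runbook, 1):
            print(f"  {step}. {text}")
```

The critical-asset list is the link back to Asset Management: without it the detector has no way to tell which hosts deserve a page and which belong in a weekly report.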
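The time-to-fix requirements from the Vulnerability Management point, as an added Python example that is not part of the original post. The severity-to-days values, the findings and the "as of" date are constructed placeholders, not figures the post states; agree real values with your tech teams first.

```python
"""Added example: check findings against severity-based time-to-fix
requirements. SLA days, findings and the as-of date are constructed."""
from datetime import date, timedelta

# Hypothetical time-to-fix requirements in calendar days, by severity.
TIME_TO_FIX_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings: (id, asset, severity, date found, date fixed or None).
FINDINGS = [
    ("F-1", "erp-app", "critical", date(2021, 3, 1), date(2021, 3, 5)),
    ("F-2", "erp-app", "high", date(2021, 3, 1), None),
    ("F-3", "hr-portal", "medium", date(2021, 1, 2), None),
    ("F-4", "wiki-test", "low", date(2021, 3, 20), None),
]

# Constructed reporting date.
TODAY = date(2021, 4, 12)


def due_date(found, severity):
    """Deadline derived from the severity-based requirement."""
    return found + timedelta(days=TIME_TO_FIX_DAYS[severity])


def assess(findings, today):
    """Classify each finding as fixed-in-time, fixed-late, open or overdue,
    and record how many days past the deadline it is (0 if within it)."""
    report = []
    for fid, asset, sev, found, fixed in findings:
        due = due_date(found, sev)
        if fixed is not None:
            status = "fixed-in-time" if fixed <= due else "fixed-late"
            days_over = max(0, (fixed - due).days)
        else:
            status = "overdue" if today > due else "open"
            days_over = max(0, (today - due).days)
        report.append({"id": fid, "asset": asset, "severity": sev,
                       "due": due, "status": status, "days_over": days_over})
    return report


def summary(report):
    """Overdue count per severity: a simple KPI to review with the tech teams."""
    counts = {sev: 0 for sev in TIME_TO_FIX_DAYS}
    for r in report:
        if r["status"] == "overdue":
            counts[r["severity"]] += 1
    return counts


if __name__ == "__main__":
    rep = assess(FINDINGS, TODAY)
    for r in rep:
        print(f"{r['id']} {r['asset']:<10} {r['severity']:<8} due {r['due']} "
              f"{r['status']} (+{r['days_over']}d)")
    print("overdue by severity:", summary(rep))
```

Running the block lists each finding with its deadline and status, then the overdue counts per severity, which is the kind of figure that makes a time-to-fix requirement enforceable rather than aspirational.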
Whether you are starting to build an information security program from scratch or you are taking over from your predecessor, you should decide on and document in detail your selected core activities. If some or all of them have already been formally put in place, or are being practised ad hoc, your next step should be to identify the maturity of those processes. Perform a gap assessment so you can plan with intention and make informed decisions that add value. Your gap assessment should identify what controls have been put in place for each core activity, and whether each control is working as intended. It will help you build a concrete plan for the foreseeable future.
Watch this space for more insight on why and how to conduct a gap assessment, and how to use it to start deciding on your next steps for the year.
If you are a new leader and are looking for someone to discuss your ideas and your next steps with, feel free to contact me on firstname.lastname@example.org or fill in the form here, and I will get back to you.