A security assurance program that focuses on business needs can help organizations meet the needs of business stakeholders, according to a new report released by Information Security Forum (ISF).
The report, Establishing a Business-Focused Security Assurance Program, offers organizations ways to establish a security assurance program that takes a business-focused approach by “identifying how to move from current to future approaches, introducing three fundamental elements that underpin successful business-focused security assurance and describing a repeatable process to provide security assurance.”
Given that the implementation of security assurance programs varies significantly among businesses, the report is an effort to formalize the structure through four strategic objectives:
- Identifying the specific needs of different business stakeholders
- Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place
- Reporting on security in a business context
- Leveraging skills, expertise and technology from within and outside the organization
“Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected by focusing on how effective controls are,” said Steve Durbin, managing director, ISF, in today’s press release.
“A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence.”
“In today’s fast-moving business environment, filled with constantly evolving cyber-threats, business leaders want confidence that their processes, projects and supporting assets are well protected. An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls – complacency can have disastrous consequences,” continued Durbin.
“Establishing a business-focused security assurance program is a long-term and ongoing investment. The ISF approach presented in this report will help organizations to review current approaches and determine how to turn aspirations into reality.”