Establishing an information security program is much like building a large structure; for both, you need a solid foundation without which the entire effort will crumble. When establishing a system for information security, that foundation needs to rest on five crucial risk management practices or pillars: protection, detection, reaction, documentation and prevention.
Protection. In order to minimize our information security risks, we need to ensure that we clearly define and precisely know what we are protecting, how we plan to protect it and what it is worth. In this regard, the protection pillar is one of the first and most crucial for information security. Failing to define and implement it correctly will result in either a false sense of security or a waste of money (which carries a higher risk rating than the actual insecurity itself). Building a garage that is worth twice as much as the automobile parked inside it is obviously not a sensible protective measure either. Measuring and maintaining the protection pillar addresses the first and most basic step in minimizing any information security risk.
Detection. No matter how strong our protective measures are, there will be both internal and external breaches of them. The most challenging aspect of the detection pillar is recognizing the vulnerabilities that are not yet known to the company and/or to the suppliers of our technologies. The preferred approach to defining the detection pillar is to recognize the static and dynamic detection capabilities available. Static capabilities rely on a database of known past events for comparison; dynamic capabilities look for patterns or trends of behavior that are unexpected or unaligned with requirements.
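To make the static/dynamic distinction concrete, here is an added example (not code from the article or its author) that runs both kinds of detection over a handful of constructed authentication log lines. The static detector compares each event against a small database of values seen in past incidents (a known-bad source address and two known-bad account names, all constructed for the example); the dynamic detector has no such list and instead flags a source whose login failures cluster in a short window, a behavior pattern that is unexpected regardless of whether the address has been seen before. The log format, field names and thresholds are assumptions for the example.

```python
"""Static (signature) versus dynamic (behavioral) detection over sample logs.

Added example, not part of the original article. Log lines, signature
values, window size and failure threshold are all constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (key=value fields after an ISO timestamp).
SAMPLE_LOGS = [
    "2024-03-01T09:01:00 host=web1 user=alice action=login result=success src=10.0.0.5",
    "2024-03-01T09:02:10 host=web1 user=bob action=login result=failure src=203.0.113.7",
    "2024-03-01T09:02:15 host=web1 user=bob action=login result=failure src=203.0.113.7",
    "2024-03-01T09:02:20 host=web1 user=bob action=login result=failure src=203.0.113.7",
    "2024-03-01T09:02:25 host=web1 user=bob action=login result=failure src=203.0.113.7",
    "2024-03-01T09:03:00 host=web1 user=carol action=login result=success src=198.51.100.23",
    "2024-03-01T09:10:00 host=web2 user=dave action=login result=failure src=10.0.0.8",
    "2024-03-01T09:20:00 host=web2 user=dave action=login result=failure src=10.0.0.8",
    "2024-03-01T09:30:00 host=web2 user=dave action=login result=success src=10.0.0.8",
]

# Static detection database: values recorded from (constructed) past events.
# signature name -> (field to inspect, set of known-bad values)
KNOWN_BAD_SIGNATURES = {
    "known_bad_src": ("src", {"198.51.100.23"}),
    "known_bad_user": ("user", {"guest", "test"}),
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_text, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts_text)
    event["raw"] = line
    return event


def static_detect(events, signatures=KNOWN_BAD_SIGNATURES):
    """Static capability: exact comparison against known past events."""
    hits = []
    for ev in events:
        for name, (field, values) in signatures.items():
            if ev.get(field) in values:
                hits.append({"signature": name, "line": ev["raw"]})
    return hits


def dynamic_detect(events, window_seconds=60, max_failures=4):
    """Dynamic capability: flag a source whose login failures cluster
    (>= max_failures inside window_seconds), with no prior knowledge of it."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("action") == "login" and ev.get("result") == "failure":
            failures[ev["src"]].append(ev["ts"])

    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= max_failures:
                alerts.append({"src": src, "failures": count,
                               "window_start": times[start].isoformat(),
                               "window_end": t.isoformat()})
                break  # one alert per source is enough for this example
    return alerts


def run(lines):
    """Parse the lines and return both detectors' findings."""
    events = [parse_line(line) for line in lines]
    return {"static": static_detect(events), "dynamic": dynamic_detect(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(SAMPLE_LOGS), indent=2))
```

Running it flags carol's login statically (the source address is in the known-bad database, even though the login succeeded) and bob's source dynamically (four failures in fifteen seconds), while dave's two failures ten minutes apart trigger nothing. The point the article makes is visible in the split: the static list can only ever catch what has already been recorded, so the dynamic rule is what covers the "not yet known" case, at the cost of needing a threshold that has to be tuned against normal behavior.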
Reaction. The next pillar in a sound information security risk management strategy hinges on the actual actions that should already have been planned and put in place to address breaches that have occurred. In many organizations, correct implementation of the reaction pillar matters well beyond the immediate response to the exploited vulnerability. One example is the capability to capture the exploit in its original, unaltered form (its "purity") so that it can be submitted as evidence in court.
Documentation. Unfortunately, this pillar is rarely given enough importance and adherence. As a result, when there is a major collapse in information security, it is often because this particular pillar did not have the proper support to carry its load. This pillar holds significant importance for reducing risk in the other pillars. It is the documentation pillar that enables the establishment of vulnerability trends that could influence our risk ratings in the future.
Prevention. Our last pillar deals with the latest concept used in information security, one that, in its current form of use, could also contribute to a false sense of security. While it is clear that we can protect against risk to some extent, can we really prevent risk entirely? There are two basic problems with relying on prevention. The first is that information security risks are multifaceted in nature: a virus arriving via e-mail, for example, may not only infect the local system but could also install a backdoor for unauthorized access to the network, which may in turn be connected to a utility provider in another country. The second problem is that true prevention requires the elimination of risk (i.e., stopping its occurrence), and the only way to do that is to control most, if not all, components of the event. Not an easy task. That said, practical prevention is both the implementation of lessons learned and the application of knowledge gained to avoid the same fate in the future. The prevention pillar is the readjustment and improvement required for the healthy maintenance of any system.
Putting these pillars into place is just the first step of crafting any kind of information security program. It may well be the most important step, as everything else you do will eventually rest on the foundation you lay down in the beginning. Every reinforcement, every room and every wall you build on top of this foundation relies on these five pillars to bear the strain. Should any of them crack, your entire information security design may crumble as well.
Amir Ameri is a Zurich, Switzerland-based researcher and consultant specializing in risk management and risk analysis for information security and technology.