Devising a Security Architecture
So what’s the best way to come up with a security architecture? The most important question to consider is how much to rely on staff from within your company and how much to rely on outside consultants. Security, as we have seen, is all about risk management, and this entails sorting out what is mission critical, what is valuable, and what is merely important.
It’s clear that staff from within an organization are in the best position to understand how the business works and how the underlying processes affect each other. It’s also important to recognize, however, that outside consultants may be more objective and are likely to have greater specialist knowledge of security than the existing IT staff. So while internal resources need to be involved at every level to ensure that the key components are being protected, consultants can be the best option for ensuring that the knowledge of risks, and of how to respond to them, is up to date.
The U.S. Department of Defense-funded CERT (Computer Emergency Response Team) Coordination Center recommends the use of a methodology called OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), a risk-based strategic assessment and planning technique for security.
“OCTAVE is self-directed. A small team of people from the operational (or business) units and the IT department work together to address the security needs of the organization. The team draws on the knowledge of many employees to define the current state of security, identify risks to critical assets, and set a security strategy,” says CERT.
Self-direction of the security audit is key, believes Ted Wilke, CEO of Pittsburgh, PA-based information security consultancy DMZ2. “Often companies get outsiders to take an audit and then don’t implement the results, as they just don’t buy into it,” he says. “If internal people carry out the audit, then it’s much more likely to get to the real issues, and it’s far more likely that the results will be implemented.”