Security level management
Security Level Management (SLM) comprises a quality assurance system for electronic information security.
The aim of SLM is to display the IT security status transparently across a company at any time, and to make IT security a measurable quantity. Transparency and measurability form the prerequisites for making IT security proactively monitorable, so that it can be improved continuously.
SLM is oriented towards the phases of the Deming Cycle (Plan-Do-Check-Act, PDCA): within the scope of SLM, abstract security policies or compliance guidelines at a company are transposed into operative, measurable specifications for the IT security infrastructure. The operative aims form the security level to be reached.
The security level is checked permanently against the current performance of the security systems (malware scanner, patch systems, etc.). Deviations can be recognised early on and adjustments made to the security system. SLM falls under the range of duties of the Chief Security Officer (CSO), the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO), who report directly to the Executive Board on IT Security and data availability.
SLM is related to the disciplines of Security Information Management (SIM) and Security Event Management (SEM), together known as SIEM, which the analysts Gartner summarise in their Magic Quadrant for Security Information and Event Management, and define as follows: "[…] SIM provides reporting and analysis of data primarily from host systems and applications, and secondarily from security devices — to support security policy compliance management, internal threat management and regulatory compliance initiatives. SIM supports the monitoring and incident management activities of the IT security organization […]. SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations. […]"
SIM and SEM relate to the infrastructure for realising superordinate security aims, but are not descriptive of a strategic management system with aims, measures, revisions and actions to be derived from this. SLM unites the requisite steps for realising a measurable, functioning IT security structure in a management control cycle.
SLM can be categorised under the strategic panoply of IT governance, which, via suitable organisation structures and processes, ensures that IT supports corporate strategy and objectives. SLM allows CSOs, CIOs and CISOs to prove that SLM is contributing towards protecting electronic data relevant to processes adequately, and therefore makes a contribution in part to IT governance.
The Steps towards SLM
Defining the Security Level (Plan): Each company specifies security policies. The executive management defines aims in relation to the integrity, confidentiality, availability and authority of classified data. In order to be able to verify compliance with these specifications, concrete aims for the individual security systems at the company need to be derived from the abstract security policies. A security level consists of a collection of measurable limiting and threshold values.
Example: operative aims like "the anti-virus systems at our UK sites need to be up-to-date no longer than four hours after publication of the current definition" need to be derived from superordinate security policies like "our employees should be able to work without being interrupted."
Limiting and threshold values are to be specified separately and individually for different sites, locations and countries, because the IT infrastructure on-site and any other local determining factors need to be taken into consideration.
Example: office buildings in the UK are normally equipped with high-speed dedicated lines. It is wholly realistic here to limit the deadline for supplying all computers with the newest anti-virus definitions to a few hours. For a factory in Asia, with a slow modem link to the web, a realistic limiting value would have to be set that is somewhat higher.
The IT control manual Control Objectives for Information and Related Technology (COBIT) provides companies with instructions on transposing subordinate, abstract aims into measurable aims in a few steps.
Collecting and Analysing Data (Do): Information on the current status of the systems can be gleaned from the log files and status reports provided by the individual anti-virus, anti-spyware or anti-spam consoles. Monitoring and reporting solutions that can analyse products from any vendor simplify and accelerate data collection.
Checking the Security Level (Check): SLM prescribes continual reconciliation of the defined security level with the current measured values. Automated real-time reconciliation supplies companies with a permanent status report on the security status across all locations.
Adjusting the Security Structure (Act): Efficient SLM allows trend analyses and long-term comparative assessments to be made. Through the rolling observation of the security level, weak spots in the network can be identified early on and appropriate adjustments made proactively in the security systems.
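The four steps above, carried through once in code. This is an added example and not part of the article: it defines per-site threshold values as the security level (Plan), parses a constructed anti-virus console export (Do), reconciles every host against its site's limiting value (Check) and flags a site whose compliance ratio keeps falling across successive runs (Act). The site names, hostnames, timestamps, export format and the 4-hour and 48-hour limits are all constructed for the illustration; the 4-hour figure follows the UK example in the text, the 48-hour figure is an assumed value for the slow-link factory.

```python
"""Added example (not from the article): a minimal Security Level Management
cycle following the Plan-Do-Check-Act steps described above.

All site names, hostnames, timestamps and threshold values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- Plan: the security level is a set of measurable limiting values ---------
# Thresholds are set per site, as the article recommends: the UK office on
# fast dedicated lines gets 4 h, the factory on a slow link an assumed 48 h.
SECURITY_LEVEL = {
    "uk-office": {"max_definition_age": timedelta(hours=4)},
    "asia-factory": {"max_definition_age": timedelta(hours=48)},
}

# Constructed reference time at which the check is run
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# --- Do: status lines as an anti-virus console might export them ------------
# Constructed sample: host;site;UTC timestamp of the last definition update
STATUS_REPORT = """\
host;site;definitions_updated
uk-ws01;uk-office;2024-05-01T10:30:00Z
uk-ws02;uk-office;2024-05-01T07:00:00Z
asia-ws01;asia-factory;2024-04-30T09:00:00Z
asia-ws02;asia-factory;2024-04-28T09:00:00Z
"""


@dataclass
class HostStatus:
    host: str
    site: str
    definitions_updated: datetime


def parse_status_report(text: str) -> list:
    """Parse the semicolon-separated console export into HostStatus records."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(";")
    records = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split(";")))
        ts = datetime.fromisoformat(fields["definitions_updated"].replace("Z", "+00:00"))
        records.append(HostStatus(fields["host"], fields["site"], ts))
    return records


# --- Check: reconcile measured values with the site's security level --------
def check_security_level(records, now=NOW):
    """Return {host: (definition age in hours, compliant)} for every host.

    A host whose site has no defined level fails the check: with nothing to
    measure against it must not silently pass.
    """
    results = {}
    for r in records:
        age = now - r.definitions_updated
        level = SECURITY_LEVEL.get(r.site)
        compliant = level is not None and age <= level["max_definition_age"]
        results[r.host] = (round(age.total_seconds() / 3600, 1), compliant)
    return results


def compliance_by_site(results, records):
    """Share of compliant hosts per site: the figure a status report shows."""
    per_site = {}
    for r in records:
        total, good = per_site.get(r.site, (0, 0))
        per_site[r.site] = (total + 1, good + (1 if results[r.host][1] else 0))
    return {site: good / total for site, (total, good) in per_site.items()}


# --- Act: trend analysis over successive measurement runs -------------------
def trend(history, site, window=3):
    """Classify a site as 'deteriorating' when its compliance ratio fell in
    each of the last `window` runs; this is the early warning that triggers
    an adjustment of the security systems."""
    values = [run[site] for run in history[-window:] if site in run]
    if len(values) < window:
        return "insufficient data"
    falling = all(later < earlier for earlier, later in zip(values, values[1:]))
    return "deteriorating" if falling else "stable"


if __name__ == "__main__":
    records = parse_status_report(STATUS_REPORT)
    results = check_security_level(records)
    for host, (age_h, ok) in results.items():
        print(f"{host:10} definitions {age_h:>5} h old  {'OK' if ok else 'BREACH'}")
    print(compliance_by_site(results, records))
    # Constructed ratios from three earlier runs for the trend check
    history = [{"uk-office": 1.0}, {"uk-office": 0.75}, {"uk-office": 0.5}]
    print("uk-office trend:", trend(history, "uk-office"))
```

Two design points matter in practice: the threshold is looked up per site rather than applied globally, so the slow-link factory is measured against its own realistic limit, and a host from a site without a defined level counts as a breach rather than being ignored, because an unmeasured system is exactly the gap SLM is meant to expose.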
Besides defining the specifications for engineering, introducing, operating, monitoring, maintaining and improving a documented information security management system, ISO/IEC 27001:2005 also defines the specifications for implementing suitable security mechanisms.
The IT Infrastructure Library (ITIL), a collection of best practices for IT control processes, goes far beyond IT security. In relation, it supplies criteria for how Security Officers can conceive IT security as an independent, qualitatively measurable service and integrate it into the universe of business-process-oriented IT processes. ITIL also works from the top down with policies, processes, procedures and job-related instructions, and assumes that both superordinate, but also operative aims need to be planned, implemented, controlled, evaluated and adjusted.