Today’s businesses are organic and constantly undergo change, requiring the utmost flexibility. Yet this often conflicts with the consistency and predictability of security programmes. These disruptive forces may take different forms:
- Regulatory driven: The trend towards increased oversight, including possible conflicts between oversight requirements
- Technology driven: Mobile applications and wireless networking erode perimeter security; the movement of security functions from the network to applications and the uncoordinated deployment of new technologies erode the traditional operational model
- Organisation driven: Increased use of technology changes the organisational model and allocation of responsibilities, mergers and acquisitions change governance models, outsourcing undoes operational assumptions, etc.
Any security framework (including governance model, organisation, roles and responsibilities and policies) thus needs to be resilient against these disruptive forces. A solid risk re-assessment framework and a technology-neutral approach to security policy (using acceptable use techniques) are just two mechanisms to cope with change.
To determine and improve the security of an application of a public administration that connects with other public administrations, Deloitte takes the following approach:
- Define or refine the scope of your organisation's information security management system. Optionally, establish any national or EU classification of the data being exchanged or exposed.
- Perform a solid risk assessment, prioritise the management of the identified risks and set the resulting security requirements. Depending on the scope and complexity of the applications, we may use a full-blown or simplified application of the Deloitte Risk Analysis, CRAMM, or EBIOS. The result is a Statement of Applicability and the set of controls expected of the application and service. This risk analysis may incorporate the results of any vulnerability assessment.
- Define and assist in the execution of corrective action plans (CAPs), based on a gap analysis. Technical CAPs are defined using standards such as ISO 15408 and Deloitte/CRAMM/EBIOS; operational CAPs are defined using ISO/IEC 17799:2005.
- After a six-month period of use, the information security management system established in the preceding steps is ready for a formal audit and, optionally, certification against one of the public standards.
Our methodology is designed to support any or all of the four phases of our security services: Assess, Architect, Align, Attest.