For many IT organizations, security is run as a sprawling mess across multiple technical teams, providers and application development staff. Many operate with overlapping responsibilities and sometimes unclear boundaries between them. Examples include:
- Managing security by Platform (e.g. OS, Cloud, Database, etc.)
- Operating with many tools – often duplicating similar functions
- Confusion over where specific security functions can be found (the business must work across multiple organizations to get basic access, deal with a security issue, etc.)
- Unclear accountabilities – not always sure which support team should be used to do what
- Tool-driven responsibilities – teams are organized by specific tools rather than security outcomes
Presented here is an approach to inject sound service management operating strategies, responsibilities and approaches. In other words, treat Security as a set of strategic services rather than “something technical people do”.
Here is a set of recommended security services (for your Service Catalog):
- Audit and Testing Services
- Patch Management Services
- Virus and Intrusion Protection Services
- Physical Site Security Management Services
- Mobile Security Services
- Data Security Services
- Identity Management Services
- Access Management Services
- Privacy Management Services
- Security Monitoring and Reporting Services
- Presence Support Services
- Security Training and Communication Services
- Security Design and Architecture Management Services
- Application Security Control Services
- Protocol Management Services
- Directory Management Services
Each of the above services operates with a consistent set of flow activities that may look like the following:

Each service operates with a standard set of roles to build, operate and deliver their services. These roles operate across all platforms and tools needed to deliver them.
- Chief Security Officer (just one of these across all the services)
- Security Service Owner
- Security Operations Manager
- Security Analyst
- Security Administrator
- Security Architect
- Security Technician
The responsibilities within each service are listed below (these can become service features published to the business in your service catalog):
Audit and Testing Services
- Internal Audits
- Intrusion Testing
- Vulnerability Testing
- External Audit Support
- Regulatory Controls Validation
- Security Breach Investigation and Reporting
- Security Risk Assessments
Patch Management Services
- Security Patch Research
- Security Patch Communications
- Security Patch Installation
- Security Patch Validation
Virus and Intrusion Protection Services
- Security Risk Assessments
- Security Breach Response
- Virus Protection Services
- Intrusion Protection Services
- Virus Software Maintenance
- Virus Subscription Management
Physical Site Security Management Services
- Physical Site Security Surveillance
- Physical Authentication Management (e.g. Biometrics Management, etc.)
- Physical Access Management
- Badge Security Services
- Security Hardware Hosting and Management
Mobile Security Services
- Network Security Support
- Mobile Device Security Management
- Enterprise Mobility Management
- Mobile Threat Management
- Mobile App Security Assessments
- BYOD (Bring Your Own Device) Management
Data Security Services
- Data Policy and Control Management
- Data Classification Management
- Data Risk Auditing
Identity Management Services
- New Account ID Creation
- Account ID Removal
- Account ID Security Setup
- Password Management
- Certificate Management
- Account Records Maintenance
Access Management Services
- Grouping Assignments
- Access Rights Assignments
- Access Profile Maintenance
- Access Control List (ACL) Management
- Password Synchronization
Privacy Management Services
- Electronic Policy Creation
- Electronic Policy Maintenance
- Automated Policy Enforcement
- Policy Compliance
Security Monitoring and Reporting Services
- Security Event Monitoring
- Security Event Logging and Reporting
- Security Event Escalation and Communications
- Security Communications (Internal and Public)
- Executive Security Reporting and Dashboards
Presence Support Services
- Federated Security Management
- Trusted Partner Support
- B2B Management and Control
Security Training and Communication Services
- Security Training Content Development
- Security Training Delivery
- Security Training Administration
- Content Screening Review and Approval (e.g. public/private web pages, corporate communications, etc.)
Security Design and Architecture Management Services
- Security Architecture Management
- Security Design
- Cloud Security
- Firewall Architecture and Design
- Firewall Maintenance and Management
- Proxy Architecture and Requirements
- DMZ Operations
Application Security Control Services
- Application Security Standards Management
- Application Security Validation
- Application (API) Security Interface Management
- Application Security Policy Compliance
Protocol Management Services
- Encryption Support
- VPN Support
- Secure Transmission Management
Directory Management Services
- Directory Administration
- Directory Integration
- Directory Management and Control
- Directory Software Installation and Maintenance
You may also wish to establish a comprehensive security architecture that underpins how security services are supported and delivered. Such an architecture can be populated with the myriad security tool sets and solutions in use, so that they are better organized. The architecture might look like the following example:

The list of security services may look a bit daunting at first, and smaller organizations may wish to combine some of them. It is hoped that by standardizing around the services, operating roles and architecture, much of the “mess” around security management can be better controlled and operated.