Common case in mid-size or big organizations, nowadays even in small-size companies, is that company employs one or more security experts to deal with security issues, e.g. ISO (Information Security), PSO (Physical Security), TSO (Technical Security), etc.
Their goals are covering wide aspect of activities related to
- implementation of internal and external security standards
- identification and systematic treatment of security GAPs
- processing incident cases
In essence, they are dealing with numerous projects but also with small-size tasks, they assign particular requests to responsible parties (e.g. implementation of specific IT controls, necessary security devices, etc.) and then perform continuous follow-up activities until particular issue or GAP is closed. They perform periodic test of these controls, resulting in their output usual Security Reports, Incident Reports and similar.
Each Report typically consists of rough description of expected controls, details on identified exceptions (incompliances) and the measures/actions that should be undertaken to eliminate or minimize risks. They also apply risk grading on similar or the same way as Audit or Risk Departments, usually using the common risk methodology. After the Security Report is accepted by the Management, actions need to be performed accordingly.
What makes efficient Security Management is way of dealing with the issues, controlling and closely monitoring of the implementation or accepted corrective measures. There are rare cases when this follow-u process is fully transparent to the Management, since usual way to deal with the issues is email correspondence, in rare cases some closed ticketing system typically not available (and also not much interested) to the Management.
This is the point where FURIA can turn the things right way.
Similar to Audit or Compliance Reports, the way of treatment security issues can be improved to provide comprehensive controls over the security processes in a same manner and on the same functionality level as for other types of information.
Since organization of security processes requires some changes to the way how Audit or other control units communicate their issues with other units, it can be applied separate Security Hierarchy in the same FURIA environment. Security issues are then standardized in atoms modified to apply uniform way of dealing with these type of issues.
Reporting system is very similar to Audit follow-up and it can be additionally optimized to target prime targets of CSO or PSO. Usually, there is not much tolerance when dealing with security issues, which makes thinks even more demanding in terms of realization of actions. Deadlines are usually more tight than with the other control units and there is also aspect of personal responsibility when dealing with the incidents.
Strong security access encapsulation is critical, to preserve sensitive information disclosure to employees which are not authorized to access particular data. Thus, usual case is that Hierarchy is more flat that in case of Audit or Compliance information.
The critical thing regarding Security is ability to gather relevant information from different sources into efficient and meaningful Security Reports, including audit and compliance reports, risk assessments, GAP analysis, etc. Also, by referring to particular internal procedures and standards, CSO are able to closely monitor identified security deviations from different sources and by internal/external parties that use different methodology.
Example of Security Report addresssing implementation of PCIDSS v3.0 Standard:
That enables the Management to have better insight into overall state of corporate security, real-time monitoring of implementation efficiency and timely identification of critical and important issues that require management attention. It is possible to easy identify points of risk concentration in early phases and react timely, before the problem escalation.
FURIA provides the same or higher functional level of controls applied in other areas of follow-up monitoring. Comprehensive reporting ensure uniform approach in implementation and monitoring of control deficiencies.