SEIS Report Development (State of Enterprise Information Security)
Objective: To produce a report about the state of information security within the organization. This report is a snapshot of the current state of the organization in terms of deployment of technical and organizational measures regarding information security.
The findings discovered during the analysis of the data collected in the previous phases are fed into the SEIS (State of Enterprise Information Security) report. The objective of the report is twofold: first, to provide a global and detailed overview of the state of the organization regarding information security. The second objective, not less important, is to indicate the improvable aspects on information security, and to propose corrective actions, prioritized according to their importance for the organization.
The SEIS report comprises the following sections:
Description of Current State
This section describes the findings of the analysis of all the data collected previously, as well as the current state of communication networks and information systems within the organization. A possible structure for this section is described next:
- Topology: description of network topologies within the organization. Collection of physical and logical diagrams.
- Systems: inventory and characterization of public and private services within the organization.
- Physical Security: description of deployed physical security measures in the organization's premises.
- Logical Security: description of logical security measures deployed for protection of the security systems within the organization.
- Management and Operations: list of policies and procedures about management of information systems within the organization.
Analysis and Technical Recommendations
Each one of the subsections of the previous section, and following the same structure, includes a review of the existing implications for information security, and recommendations to solve the problems that have been found.
Conclusions and Action Proposals
In this section, the recommended actions from the last section are prioritised using a scale based on the critical level of their application. This critical level is assigned according to the amount of risk that the non application of that action will cause to the organisation. The calculation of risk is not always objective (i.e. monetary loss); in many cases it depends on other considerations specific to the organization.
Special attention should be paid to actions marked as extremely urgent, because they imply a high and immediate level of risk that cannot be taken by the organization. Every recommended action is given a proposed time frame for its execution. An example of classification levels is proposed next:
- Critical: immediate deployment
- High: deployment finished in three months
- Medium: deployment finished from three to six months
- Low: deployment finished from six to twelve months
Security Measures and Recommended Controls
Additionally, a series of applicable measures and security controls is proposed, following recommendations from current good practice guides. IS2ME does not require the use of a specific methodology, yet its philosophy and objectives are in line with the ISO 27001 framework.
At this point it is recommended to identify and describe all the security measures and applicable controls proposed by the methodology that is going to be used. This way, this section of the report serves as reference for its subsequent implementation. In this IASAP phase every control is then further developed.
Executive Summary
In this section of the report, the executive summary lists the main results, such as risks run by the organisation due to the current deployment of information security measures. The language used is clear and avoids technical terms.
Special attention should be paid to this section, because it is probably the most visible across the organization, and therefore the one that may influence management support to both compliance with the proposed security measures and the gradual introduction of information security to the organisation's culture.
© Copyright 2007-2009 Samuel Linares / Ignacio Paredes