, ,

Business and IT aligned with cybersecurity

The owner of information

In today’s organisation, information is primarily managed and processed by IT. The IT department is very often also made responsible for securing the information in the systems that the business uses. Reports of recent cybersecurity incidents tell us this is definitely not right and recent legislations like the GDPR agree.
A holistic information security policy needs to start with the owners of the information, the business. They have to tell you what is important to the business; what needs to be protected. Then business and IT need to be aligned with those requirements. We can do this by helping them use the same frameworks and language.

Gathering security requirements

The challenge of gathering requirements lies in:

  • getting agreement on the goals of IT and business.
  • using and combining different IT and security frameworks like COBIT, ISO 2700K, SABSA to define and align those goals.
  • bridging the different vocabularies in IT and Business so both clearly understand the goals you want to achieve with your information security policy.

 

To get this done, we at Toreon created the ‘Embrace Cybersecurity’ approach. This approach helps IT and business to come together to figure out the cybersecurity objectives of the organisation, how they want to achieve them and also which risks they face in order to achieve them.

This information is gathered in workshops that are supported by playing cards, themed: ‘Enterprise goals’, ‘IT goals’, ‘Keywords’, ‘Risks’ and ‘Actors’. The cards help collect information from the different departments in the organisation about what they see as goals, how IT should work and what security risks there might be.

The output is then combined in the overall risk register, so mitigation actions based on ISO 27001 standard can be defined. These mitigation actions lead to the creation of the information security policy that is both aligned with business and IT.

Theory and expertise behind ‘Embrace Cybersecurity’

The Embrace Cybersecurity approach uses the frameworks COBIT 5, ISO 27000, SABSA and the expertise of the Toreon security experts is glue that brings it all together. This seems like a lot of  different frameworks and you might wonder how they can be combined to deliver actionable results. We dissected the different frameworks picked only those aspects that work best to gather the most complete and correct information. And of course this includes using the correct vocabulary for both business and IT.

Reference for the owner of information.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *