Across all sectors of IT, projects are often managed through a lifecycle model, where a product goes through a cycle of improvement and upkeep with no endpoint. This is true for information security as much as any other IT sector.
The information security lifecycle serves as a core guide for daily operations for security professionals. Understanding the lifecycle model for information security planning gives professionals a guide that ensures continuous, evolutionary progress within a company's information security.
In this guide, we'll answer an essential question: what are the steps of the information security program lifecycle?
Foundations: Security policy and standards
Before we dive into the steps of the information security lifecycle, we first need to discuss which core elements are needed.
An information security program lifecycle depends on a solid foundation. The foundation is the set of company policies and procedures upon which the security team will base its lifecycle process.
Clear and thorough policies and standards are essential core components of information security. Taking the time to put clear standards in place:
- Sets clear expectations: Policies and procedures create a clear framework that security teams can refer back to when analyzing and evaluating both existing systems and new systems. Instead of comparing systems and processes to a nebulous goal, they have a firm set of policies and standards for comparison.
- Creates cohesion: Many information security projects may operate separately on individual problem areas. Clear policies and procedures create a baseline that all teams can work from, which helps to minimize conflicting solutions and updates.
- Streamlines improvements: Detailed policies and standards establish a baseline that teams can refer back to when developing and evaluating systems and solutions, minimizing the need for back and forth between teams. This means that security teams can work more efficiently through the information security lifecycle.
Depending on the policies and procedures your company has laid out, your information security lifecycle may have a radically different foundation than another company's. However, despite these different foundations, company information security lifecycles tend to follow a similar step-by-step process. This process is outlined in detail in the following sections.
Step 1: Identify
The first step in the information security program lifecycle is to identify what items need to be protected. In an information security protocol, you can't protect what you don't know about. For this reason, identification is a key first step to ensuring the cycle covers all aspects of a network.
Identification primarily involves mapping the network you're working on. This should start at a high level then drill down to more granular details. This information helps your information security team understand the assets within a system and how they are related, as well as the resources currently available for information security protocols. Some of the key items the identification stage looks at include the following:
- The number of servers, routers, and other assets available
- The locations of physical assets
- The types of operating systems running on the network
- The number and type of applications and software running on systems
- The reach and importance of applications and software for each department
- The status of each computer and mobile device on the network
- Which assets are a top priority for your company
- The current infrastructure of security systems
Gathering this information involves performing an audit of the company's systems. Audits will typically start with a general overview and assessment of current tools and platforms. However, this audit should also involve interviews and internal discussions. Conversations with security professionals, IT staff, and individuals from other departments will help create a more thorough understanding of current systems, their interrelationships, their purpose within the company, and their importance within various departments. Additionally, external resources are often used during audits to provide an unbiased look at your company's posture, adding another layer to the information gathered in the audit.
Once the audit is complete, the information security team will have a thorough picture of the company's information security posture as it exists. This data is typically written up into a document and stored for later use and reference in the information security lifecycle.
Step 2: Assess
Once the information security team has thoroughly mapped out the organization's existing technology through the identification process, it’s time for the assessment phase. In the assessment step, security professionals take the information gathered from the identification process and perform a security assessment on all assets. This assessment process is one of the most extensive steps in the information security lifecycle and covers several areas, including process and system reviews, server reviews, and vulnerability assessments.
1. Process and system reviews
The first part of the assessment step is to review the current structure of the business. In this review, security professionals will look into the structures outlined during the identification process and collect more information to identify vulnerabilities. This can be a monumental task, especially for large enterprises, so it’s generally recommended to use one or more of the following methods during this phase of the assessment process:
- Focus on essential assets first: One way to handle the assessment process is to prioritize based on asset importance. Start the assessment process by focusing on assets that are the most vulnerable and the most critical to your organization's functionality. This will help identify the most important improvements early on so the security team can implement these improvements more quickly.
- Review from top to bottom: Another way to handle the assessment process is to work from high-level systems and drill down from there. By analyzing systems from the most general to the most detailed, security professionals can identify larger, more systemic problems first.
- Look for flags: Finally, the information security team may have identified red flags and concerns during the identification process. This includes outdated software versions, obsolete hardware, and feedback from employees. Teams can take these issues into account when performing the assessment process, as these flags can help identify smaller vulnerabilities early on in the assessment process.
When performing these assessments, information security teams continue collecting information about the resources analyzed. Some of the information the team may collect includes details about applications, how they're configured, where components are located, and how the application is used within the business. All of this data helps to develop thorough vulnerability assessments.
2. Server reviews
During the assessment process, teams will also conduct internal reviews of each server, including configurations and settings. The team will compare the server settings to policies and standards to ensure compliance, especially in the following areas:
- Password and user account policies
- User IDs, administrator accounts, and groups
- Web server configurations
- Log protocols and access
- Relationships to other servers
Like with the process and system reviews, teams will collect detailed information about each server, including problems and configuration settings. All of this information is needed to perform vulnerability assessments and evaluate servers and processes for potential updates.
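The server review described above is, in practice, a comparison of each server's recorded settings against the written policy. The following Python script is an added example (not Box's code and not from the original article): the policy values, the server configuration snapshots, and the field names are all constructed for illustration and would be replaced by the organization's own standards and inventory data. It covers the five review areas listed above and returns findings that can be documented for the vulnerability assessment.

```python
"""Review server configuration snapshots against a policy baseline (added example)."""
from dataclasses import dataclass

# Constructed policy baseline. Every value here is an assumption for this
# example; a real review uses the organization's own policies and standards.
POLICY = {
    "password_min_length": 14,
    "password_max_age_days": 365,
    "lockout_threshold": 10,          # failed logins before lockout; 0 = disabled
    "approved_admins": {"alice", "bob"},
    "max_admin_accounts": 3,
    "web_min_tls": "TLSv1.2",
    "log_retention_days": 90,
    "remote_log_required": True,      # logs must be shipped off the host
}

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # weakest to strongest


@dataclass(frozen=True)
class Finding:
    host: str
    area: str    # which review area the finding belongs to
    check: str   # short identifier for the failed check
    detail: str  # what was observed versus what policy requires


def review_server(host, cfg, policy=POLICY):
    """Return the list of policy violations found in one server's snapshot."""
    findings = []

    def flag(area, check, detail):
        findings.append(Finding(host, area, check, detail))

    # 1. Password and user account policies
    pw = cfg.get("password_policy", {})
    if pw.get("min_length", 0) < policy["password_min_length"]:
        flag("accounts", "password_min_length",
             f"{pw.get('min_length')} < {policy['password_min_length']}")
    if pw.get("max_age_days") is None or pw["max_age_days"] > policy["password_max_age_days"]:
        flag("accounts", "password_max_age",
             f"{pw.get('max_age_days')} exceeds {policy['password_max_age_days']} days")
    threshold = pw.get("lockout_threshold", 0)
    if not threshold or threshold > policy["lockout_threshold"]:
        flag("accounts", "lockout_threshold",
             f"{threshold} (0 means lockout disabled), policy max {policy['lockout_threshold']}")

    # 2. User IDs, administrator accounts, and groups
    admins = set(cfg.get("admin_accounts", []))
    unapproved = sorted(admins - policy["approved_admins"])
    if unapproved:
        flag("accounts", "unapproved_admin", f"not on approved list: {', '.join(unapproved)}")
    if len(admins) > policy["max_admin_accounts"]:
        flag("accounts", "too_many_admins",
             f"{len(admins)} admin accounts, policy max {policy['max_admin_accounts']}")

    # 3. Web server configurations (only for hosts that run a web server)
    web = cfg.get("web")
    if web is not None:
        min_tls = web.get("min_tls", "TLSv1.0")
        if TLS_ORDER.index(min_tls) < TLS_ORDER.index(policy["web_min_tls"]):
            flag("web", "weak_tls", f"minimum {min_tls}, policy requires {policy['web_min_tls']}")

    # 4. Log protocols and access
    logs = cfg.get("logging", {})
    if logs.get("retention_days", 0) < policy["log_retention_days"]:
        flag("logging", "log_retention",
             f"{logs.get('retention_days')} days < {policy['log_retention_days']}")
    if policy["remote_log_required"] and not logs.get("remote_syslog", False):
        flag("logging", "no_remote_logging", "logs are kept only on the host")

    return findings


def review_fleet(servers, policy=POLICY):
    """Review every server snapshot; returns {host: [Finding, ...]}."""
    return {host: review_server(host, cfg, policy) for host, cfg in servers.items()}


# Constructed snapshots standing in for data gathered in the identify step.
SERVERS = {
    "web-01": {
        "password_policy": {"min_length": 8, "max_age_days": 730, "lockout_threshold": 0},
        "admin_accounts": ["alice", "bob", "carol", "svc-deploy"],
        "web": {"min_tls": "TLSv1.0"},
        "logging": {"retention_days": 30, "remote_syslog": False},
    },
    "db-01": {
        "password_policy": {"min_length": 16, "max_age_days": 180, "lockout_threshold": 5},
        "admin_accounts": ["alice"],
        "logging": {"retention_days": 180, "remote_syslog": True},
    },
}

if __name__ == "__main__":
    for host, found in review_fleet(SERVERS).items():
        print(f"{host}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.area}] {f.check}: {f.detail}")
```

Each finding carries the host, the review area, and the observed-versus-required values, which is the detail the team needs to record for the later vulnerability assessment and to decide which servers to prioritize for updates.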
3. Vulnerability assessments
Once the security team is done consulting and collecting information, they perform vulnerability assessments on each system. Vulnerability assessments utilize risk-management practices to create thorough analyses of each system's current and future risks.
During the vulnerability assessment process, security teams will generally focus the most effort on essential assets and areas where they flagged potential risk factors. During the vulnerability assessment, the team identifies all items of concern and asks essential risk-management questions, including:
- What level of risk is tolerable for each system?
- How prepared is each system for handling existing threats?
- How versatile is the system for handling new threats?
- Is data secured in the event of a natural disaster?
- What countermeasures exist for each device and service?
- What is the business impact of the system going down?
- Does the current security structure comply with industry, local, and federal regulations?
Once each vulnerability assessment is complete, the team documents the results for reference later in the information security lifecycle.
Step 3: Design
After the security team assesses all systems, it’s time to use the information they collected to design solutions and countermeasures. Based on the specific vulnerabilities and issues they identified in the assessment step, the information security team will brainstorm ways to resolve specific problems, including cybersecurity threats, security products, and information security culture and processes. Some specific factors teams will consider during the design phase include the following:
- Security layering: Design teams will consider security layering an essential part of the design. In this design protocol, multiple layers of defense protect each system, starting with general protective measures like firewalls and narrowing down to detailed security measures like multi-factor authentication procedures. Security designers should ensure that each system is protected by multiple security layers, especially critical systems.
- Compliance: Another consideration in design is compliance with mandatory obligations at the industry, local, and federal levels. Security structures developed during the design process should comply with any standards and legislation that apply to the company.
- Continuity: Business continuity is the ability of a business to maintain or recover service after an interruption or disaster. Your security team should design systems and processes with integrated backups and redundancies to ensure the company can quickly resume normal operation after the event.
- Area of effect: For each potential alteration, design teams need to consider what systems will be affected by the change. Some changes may have limited effect, while others may create more widespread change that affects multiple systems.
- Effectiveness: Finally, teams handling system designs need to consider any trade-offs between security and effectiveness. Maximum security may be the safest option, but the cost of achieving it may be prohibitive both in resources and in productivity lost to introduced inefficiencies.
Once the team has developed potential ways to resolve specific issues, they will analyze each solution in detail and create individual plans and blueprints for each change. These blueprints will include system configuration alterations, process changes, tools, and other factors, as well as how they will resolve the issue. The blueprint will also present an analysis of the effects of these changes, including procedural alterations, impacts on adjacent systems, and costs of implementation.
When the team finalizes their blueprints, they deliver their solutions to management and leadership, who make the final decision on a go-forward plan for each individual issue.
Step 4: Implement
After the design of a solution is approved, the next step in the information security lifecycle is implementation. In this step of the process, the team creates an implementation plan for the solution and begins deployment. This implementation plan typically includes the following steps:
- Develop a change plan: Working off the blueprints developed in the design phase, the security team creates a step-by-step change plan. When possible, they focus on the most important areas first, then work down toward the least vulnerable areas. The change plan should also account for any personnel training needed to implement new procedures or policies.
- Create team roles: After developing a plan, the team assigns roles and responsibilities for individuals involved in implementing the changes. These individuals will likely include project managers, IT leaders, training teams, and any other specialists related to the changes being made.
- Acquire resources: Next, your team acquires the tools needed to implement the proposed changes. These may include security programs, network hardware, and software needed for implementing and maintaining the proposed changes.
- Test changes: Once they've acquired the necessary resources, the team performs tests to ensure the new resources work as expected. If any unexpected issues arise, they adjust the change plan as needed.
- Implement changes: After tests have validated desired results, and any alterations to the change plan have been finalized, the security team rolls out the new changes according to the plan. They also perform regular assessments and reviews during the implementation phase and make adjustments in the event of delays.
Of course, the implementation phase should also include any internal processes the company requires for major changes. These may include change management controls and quality assurance reviews.
Step 5: Protect
This step is closely related to the design and implementation steps but covers a slightly different scope. The goal of the protection step, also called the mitigation phase, is to validate your security measures to ensure systems match your established security policies and standards.
In this phase, information security planning teams review the system as a whole, combined with any new changes added during previous steps. This involves the following:
- Policies and standards: The security team ensures new and existing systems meet or exceed established security policies and standards.
- Security levels: The team checks that individual systems have an appropriate level of security for their importance. For example, core systems will have greater security than less critical systems.
- Implementation verification: The team and stakeholders will verify that all new measures have been correctly implemented. This involves assessing each change compared to the goals established during the design and implementation phases.
Once the systems and changes have been evaluated, the protect phase may involve repeating the design and implementation phases to correct errors or target areas that were missed in the original assessment phase.
Step 6: Monitor
The final step of the information security lifecycle is the monitoring phase. In this phase, the information security team monitors the system and any changes put in place. While security measures implemented today may protect against vulnerabilities, there is no guarantee that they will remain secure in the future. The goal of the monitoring phase is twofold: to ensure that strengthened security remains in place and to identify new vulnerabilities as they arise.
The monitoring phase requires the security team to update and implement monitoring processes as needed to measure the status of new and existing systems across the network. Establishing this process involves analyzing a few key areas:
- Monitoring methods: Monitoring and verifying network systems is essential, but the question is how to monitor these systems. Network intrusions can be monitored through event logging and other security systems, but it's just as important to ensure that the network systems continue to maintain correct configurations. Vulnerabilities can be introduced when new applications or patches are installed, so regular examination of configurations is key to ensuring that servers, routers, and applications remain compliant with a company's security policies and standards. The security team can monitor these configurations manually or with the assistance of compliance monitoring tools.
- Monitoring frequency: Another key question is how often a system should be monitored. Your team can determine the frequency based on the value of each individual resource. While every system needs to be checked regularly for vulnerabilities, core systems should be checked more often than less valuable systems. This value-based monitoring ensures that the right amount of attention is paid to each resource.
- Monitoring measurements: Monitoring must also produce measurements that express the state of each system in a quantifiable form. Quantifiable data allows the team to compare metrics from day to day across the enterprise. This makes it easier to visualize security and allows for easier identification of deficiencies. A quality monitoring protocol will allow information security professionals to maintain visibility of security systems as a whole, informing them when a critical error arises.
On top of establishing a monitoring protocol, the monitoring phase also involves keeping abreast of new developments in the cybersecurity landscape. New threats arise every day, and best practices in information security are constantly evolving. With a combination of quality monitoring and cybersecurity awareness, information security professionals can determine the best time to restart the information security lifecycle.
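The three monitoring questions above (method, frequency, measurement) can be put together in a small amount of code. The Python below is an added example, not Box's code and not from the original article. It assumes a constructed asset inventory with value tiers from the identify step, constructed check intervals per tier, and configuration snapshots stored as nested dictionaries; those shapes and numbers are illustrative choices, not anything the article prescribes. The method is configuration drift detection against an approved baseline (the "regular examination of configurations" the article calls for), the frequency is driven by asset value, and the measurement is the percentage of assets still matching their baseline, which can be tracked from day to day.

```python
"""Value-based monitoring schedule, configuration drift detection, and a
fleet compliance metric (added example with constructed data)."""
from datetime import date

# Constructed inventory from the identify step: asset -> value tier.
ASSETS = {"db-01": "core", "web-01": "important", "kiosk-07": "standard"}

# Constructed check intervals in days; higher-value assets are checked more often.
CHECK_INTERVAL_DAYS = {"core": 1, "important": 7, "standard": 30}


def is_due(asset, last_checked, today, inventory=ASSETS, intervals=CHECK_INTERVAL_DAYS):
    """An asset is due when it was never checked or its tier interval has elapsed."""
    if last_checked is None:
        return True
    return (today - last_checked).days >= intervals[inventory[asset]]


def due_assets(last_checked, today, inventory=ASSETS, intervals=CHECK_INTERVAL_DAYS):
    """Return the sorted list of assets whose configuration check is due today."""
    return sorted(a for a in inventory
                  if is_due(a, last_checked.get(a), today, inventory, intervals))


def flatten(config, prefix=""):
    """Turn a nested configuration dict into {'dotted.key': value} for comparison."""
    flat = {}
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def detect_drift(baseline, current):
    """Return {setting: (approved_value, observed_value)} for every difference.

    Settings missing on one side appear as None, so both removed and newly
    introduced settings (for example from a patch or new application) are caught.
    """
    base, cur = flatten(baseline), flatten(current)
    drift = {}
    for key in sorted(set(base) | set(cur)):
        if base.get(key) != cur.get(key):
            drift[key] = (base.get(key), cur.get(key))
    return drift


def fleet_compliance_pct(baselines, snapshots):
    """Percentage of assets whose current snapshot matches the approved baseline.

    This is the quantifiable measurement that can be charted day to day.
    """
    if not baselines:
        return 100.0
    matching = sum(1 for host, base in baselines.items()
                   if not detect_drift(base, snapshots.get(host, {})))
    return round(100.0 * matching / len(baselines), 1)


# Constructed approved baselines (recorded at the end of the protect step) and
# constructed snapshots collected later by the monitoring process.
BASELINES = {
    "db-01": {"logging": {"remote_syslog": True}, "packages": {"postgresql": "15.4"}},
    "web-01": {"web": {"min_tls": "TLSv1.2"}, "logging": {"remote_syslog": True},
               "packages": {"openssl": "3.0.1"}},
}
SNAPSHOTS = {
    "db-01": {"logging": {"remote_syslog": True}, "packages": {"postgresql": "15.4"}},
    # web-01 was patched and its TLS floor silently regressed: configuration drift.
    "web-01": {"web": {"min_tls": "TLSv1.0"}, "logging": {"remote_syslog": True},
               "packages": {"openssl": "3.0.2"}},
}

if __name__ == "__main__":
    today = date(2024, 3, 10)
    last = {"db-01": date(2024, 3, 9), "web-01": date(2024, 3, 5),
            "kiosk-07": date(2024, 2, 20)}
    print("due today:", due_assets(last, today))
    for host, base in BASELINES.items():
        for setting, (old, new) in detect_drift(base, SNAPSHOTS[host]).items():
            print(f"{host}: {setting} changed {old!r} -> {new!r}")
    print("fleet compliance:", fleet_compliance_pct(BASELINES, SNAPSHOTS), "%")
```

Drift findings feed straight back into the lifecycle: a regressed setting such as the TLS floor above is exactly the kind of vulnerability introduced by a patch that the article warns about, and a falling compliance percentage is the day-to-day signal that it is time to restart the cycle.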
Security and compliance from Box
Using the information security lifecycle within your organization is an excellent way to maximize security and optimize your systems and teams. The information security program lifecycle helps prioritize your IT systems and analyze your needs through a step-by-step procedure, positioning your company to take advantage of continuous improvement through assessment and monitoring protocols. With a well-developed information security lifecycle, your security team can efficiently and effectively protect your business against the rising threat of cyberattacks. If you're looking for a tool to fit in with your security lifecycle, Box is here to help.
The Content Cloud is an easy-to-use, secure platform built for the entire content lifecycle. From file creation and editing to classification and retention, Box helps you manage every step involved. After all, we know that content is at the heart of your business. Our platform keeps your valuable files protected with frictionless security and compliance, including built-in access controls, AES 256-bit encryption, and full visibility. And Box Shield, our advanced security offering, leverages the power of machine learning to defend against threats.
Discover why over 100,000 companies and 67% of the Fortune 500 trust the Content Cloud. To get started with Box for your business, contact Box today.