Security level management

from Wikipedia, the free encyclopedia

Security Level Management (SLM) is a quality assurance system for electronic information security. The aim of SLM is to present the IT security status transparently throughout the company and to make IT security a measurable parameter. Transparency and measurability are the prerequisites for IT security to be monitored proactively and continuously improved.

SLM is based on the phases of the Deming cycle (Plan-Do-Check-Act, PDCA): as part of SLM, a company's abstract security policies or IT compliance guidelines are converted into operational, measurable specifications for the IT security infrastructure. These operational goals form the security level to be achieved. The security level is continuously checked against the current performance of the protection systems (malware scanners, patch systems, etc.), so that deviations can be detected at an early stage and adjustments made to the protection systems.

SLM belongs to the range of tasks of the Chief Security Officer (CSO), the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO), who report directly to management on IT security and data availability.

Classification

SLM is related to the disciplines Security Information Management (SIM) and Security Event Management (SEM), which the analyst firm Gartner summarizes in its "Magic Quadrant for Security Information and Event Management" and defines as follows: "[...] SIM provides reporting and analysis of data primarily from host systems and applications, and secondarily from security devices - to support security policy compliance management, internal threat management and regulatory compliance initiatives. SIM supports the monitoring and incident management activities of the IT security organization [...]. SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations. [...]"

SIM and SEM relate to the infrastructure for implementing higher-level security goals, but do not describe a strategic management system with goals, measures, reviews and the actions to be derived from them. The central function of such systems is to support IT operations in the search for anomalies in the network, which are reported through evaluation and correlation of log data.

SLM can be classified under the strategic umbrella of IT governance, which uses suitable organizational structures and processes to ensure that IT supports corporate strategy and goals. With SLM, CSOs, CIOs and CISOs can demonstrate that they ensure adequate protection of process-relevant electronic data and thus contribute to IT governance.

Steps to Security Level Management

Define security level (Plan): Every company defines security policies. Management defines goals with regard to the integrity, confidentiality, availability and liability of classified data. In order to be able to check compliance with these requirements, specific goals for the individual security systems in the company must be derived from the abstract security policies. A security level consists of a collection of measurable limit and threshold values. Example: From a higher-level security policy such as "Our employees should be able to work without interruption", an operational goal such as "The antivirus systems at our German locations must be up to date within four hours of the appearance of the current signature" must be derived.

Limit values and threshold values must be specified separately for different locations and countries, because the IT infrastructure on site and other local framework conditions must be taken into account. Example: Office buildings in German-speaking countries are typically equipped with fast dedicated lines. Here it is quite realistic to limit the deadline for supplying all computers with the latest antivirus signatures to a few hours. For a plant in Asia with a slow modem connection to the Internet, a realistic limit value must be set somewhat higher.

The IT control framework "Control Objectives for Information and Related Technology" (COBIT) gives companies guidance on how overarching, abstract goals can be translated into measurable goals over several steps.

Collect and analyze data (Do): Information on the current status of the systems can be obtained from the log data and status reports of the individual antivirus, antispyware or antispam consoles. Cross-vendor monitoring and reporting solutions can simplify and accelerate data collection.

Check security level (Check): SLM provides for a continuous comparison of the defined security level with the measured actual values. An automated real-time comparison provides companies with a permanently updated status report on the security situation across all locations.

Adapt protection structure (Act): An efficient SLM enables trend analyses and long-term comparative evaluations. Continuous monitoring of the security level allows weak points in the network to be identified at an early stage and appropriate adjustments to be made to the protection systems proactively.
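The four steps above can be made concrete in a few lines of code. The following is an added example, not part of the Wikipedia article and not any product's code: a per-site security level for antivirus signature age is defined (Plan), a constructed status export of a hypothetical cross-vendor console is parsed (Do), and the measured values are compared against the defined level (Check), returning the deviations and a per-site status report that the Act step would work from. The four-hour limit for German locations is the article's example; the site codes, the 24-hour limit for the Asian plant and the export line format are assumptions made for illustration.

```python
"""Added example of the SLM Plan/Do/Check steps for antivirus signature age.

Not taken from the article or from any product; the console export format,
the site codes and the non-German limit values are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Plan: the operational security level, expressed as measurable limit values.
# "Up to date within four hours of the current signature" is the article's
# example for German locations; the other entries are assumed.
SIGNATURE_MAX_AGE = {
    "DE": timedelta(hours=4),
    "CH": timedelta(hours=4),
    "AS-PLANT": timedelta(hours=24),  # slow modem link: higher, realistic limit
}

# Do: constructed export of a hypothetical cross-vendor AV console.
SAMPLE_EXPORT = """\
host=de-ws-01 site=DE sig=2024-05-02T07:30:00Z
host=de-ws-02 site=DE sig=2024-05-01T18:00:00Z
host=ch-ws-01 site=CH sig=2024-05-02T07:45:00Z
host=as-pl-01 site=AS-PLANT sig=2024-05-01T18:00:00Z
host=as-pl-02 site=AS-PLANT sig=2024-04-30T09:00:00Z
"""
# Constructed release time of the current signature set and time of the check.
CURRENT_SIGNATURE_RELEASED = datetime(2024, 5, 2, 6, 0, tzinfo=timezone.utc)
CHECK_TIME = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # 6 h after release


@dataclass(frozen=True)
class HostStatus:
    hostname: str
    site: str
    signature_time: datetime  # release time of the signature set the host runs


@dataclass(frozen=True)
class Deviation:
    hostname: str
    site: str
    lag: timedelta    # how long the host has been behind the current release
    limit: timedelta  # the site's defined limit value


def parse_export(text: str) -> list[HostStatus]:
    """Do: turn 'key=value' lines of the console export into HostStatus records."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(item.split("=", 1) for item in line.split())
        sig = datetime.strptime(fields["sig"], "%Y-%m-%dT%H:%M:%SZ")
        hosts.append(HostStatus(fields["host"], fields["site"], sig.replace(tzinfo=timezone.utc)))
    return hosts


def check_security_level(statuses, released, now, limits=SIGNATURE_MAX_AGE):
    """Check: compare the measured state against the defined security level.

    A host deviates when it does not yet run the current signature set and
    more time than its site's limit has passed since that set was released.
    A site without a defined limit is a planning gap and is reported as an error.
    """
    deviations = []
    for s in statuses:
        limit = limits.get(s.site)
        if limit is None:
            raise ValueError(f"no security level defined for site {s.site!r}")
        if s.signature_time >= released:
            continue  # host already runs the current signature set
        lag = now - released
        if lag > limit:
            deviations.append(Deviation(s.hostname, s.site, lag, limit))
    return deviations


def site_report(statuses, deviations):
    """Status report per site: (hosts, deviating hosts, compliance in percent)."""
    deviating = {d.hostname for d in deviations}
    counts = {}
    for s in statuses:
        total, bad = counts.get(s.site, (0, 0))
        counts[s.site] = (total + 1, bad + (s.hostname in deviating))
    return {site: (t, b, round(100.0 * (t - b) / t, 1)) for site, (t, b) in counts.items()}


def run_check():
    """Run Do and Check over the constructed sample and return both results."""
    statuses = parse_export(SAMPLE_EXPORT)
    deviations = check_security_level(statuses, CURRENT_SIGNATURE_RELEASED, CHECK_TIME)
    return deviations, site_report(statuses, deviations)


if __name__ == "__main__":
    devs, report = run_check()
    for d in devs:
        print(f"DEVIATION {d.site}/{d.hostname}: {d.lag} behind, limit {d.limit}")
    for site, (total, bad, pct) in sorted(report.items()):
        print(f"{site}: {total - bad}/{total} hosts compliant ({pct}%)")
```

Six hours after the release, the German host that still runs the old signature set is outside its four-hour limit, whereas the two hosts at the Asian plant with the same lag are still within their 24-hour limit; this is exactly the site-specific limit value the text calls for. Running the check on a schedule and keeping the per-site percentages over time gives the trend data the Act step needs.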

See also

The ISO/IEC 27001:2005 standard defines the requirements for establishing, implementing, operating, monitoring, maintaining and improving a documented information security management system, as well as requirements for the implementation of suitable security mechanisms.

The "IT Infrastructure Library" (ITIL), a collection of best practices for IT control processes, goes far beyond the area of IT security. In doing so, it provides pointers as to how those responsible for security can understand IT security as an independent, qualitatively measurable service and how it can be incorporated into the entirety of business-process-oriented IT processes. ITIL also works top-down with policies, processes, procedures and work instructions and assumes that both the overriding and the operational goals must be planned, implemented, controlled, evaluated and adjusted.

Web links

  • COBIT
    • German summary and material at ISACA German Chapter
    • Cobit 4.0
  • ISO/IEC 27000
    • The ISO 27000 Directory
    • International Organization for Standardization
  • ITIL
    • "ITIL and Information Security", Federal Office for Information Security, Germany
    • "How ITIL can improve Information Security", securityfocus.com (English)
    • Official ITIL website of the British Office of Government Commerce
  • SLM
    • SLM in the IDC portal CIO
    • SLM on all-about-security.de