NEWS AT SEI
This library item is related to the following area(s) of work:Security and Survivability
This article was originally published in News at SEI on: January 1, 2005
As their understanding of security deepens, organizations are looking for new techniques to manage security. Enterprise security management (ESM) is an emerging research area that aims to help organizations in this quest for a better approach to security by making it an enterprise-wide competency. This means a fundamental shift in focus as an organization ensures that security is used to achieve its goals and become more resilient, while managing security as a core competency instead of as an extension of information technology.
In an outgrowth of fieldwork deploying information security risk assessment methodologies, a team in the Networked Systems Survivability program at the Software Engineering Institute (SEI), consisting of Rich Caralli, James Stevens, Bradford Willke, and Bill Wilson, is identifying and examining the core capabilities that define a framework for security management in an organizational and operational context. In this context, the practice of security is viewed as an activity that keeps the organization’s productive elements—people, assets, and technology—free from harm or disruption so that they can perform their intended functions and help the organization accomplish its mission.
When managing for enterprise security, an organization cannot separate security from its other goals. Making security one of the business goals of an organization elevates that organization’s ability to realize an effective security approach. With enterprise security, the focus expands to all of the processes of an organization. In addition, if an organization is aware of and supports its core competencies, security benefits and protection of critical assets and processes will result even though security is not the main focus.
In developing the ESM approach, the team is concentrating its efforts on several key processes.
The team has found that by virtue of employing best practices prescribed in some methodologies, some organizations are implicitly covering their security needs while attending to the overall needs of the organization. For example, the practices prescribed in CobiT2 and ITIL3 methodologies easily translate to potential improvements in security and resiliency: if an organization’s configuration and change management capabilities are performed consistently and with high quality, many of the vulnerabilities that exist become less of a threat because software updates are regularly installed.
ESM continues to grow and be shaped by lessons learned in fieldwork with customers who are trying to improve their security effectiveness and success. The team is currently developing more analysis methods to allow organizations to assess their capabilities for enterprise security management and is actively looking for collaborators who are interested in improving the effectiveness and efficiency of their security efforts at the enterprise level. Potential collaborators include—but are not limited to—large banks, insurance companies, manufacturing organizations, large county and state governments, as well as Department of Defense agencies. The ESM team welcomes interaction with this community so that the emerging capabilities framework represents the best cross section of organizations that are using security as a way to accomplish their goals and mission.
For more information
Please tell us what you
think with this short
(< 5 minute) survey.