How to Validate
Your Security Program
15 Ways to Rate Your Program
WHY VALIDATE? The top 5 reasons to validate your security program.
Your Security Program Should Be:
#1 – Authoritative
#2 – Defensible
#3 – Qualified
#4 – Justifiable
#5 – Proven
#6 – Well-Supported
#7 – Official
#8 – Robust
#9 – Relevant
#10 – Well-Founded
#11 – Accepted
#12 – Effective
#13 – Viable
#14 – Substantiated
#15 – Successful
By Ray Bernard PSP, CHS-III
An attribute is a quality or feature regarded as a characteristic of something. What we are calling the “15 Validation Attributes” are 15 characteristics that you can use to validate your security program.
Validation Attribute: RelevantDefinition:
- pertinent to matters at hand
- relating to a subject in an appropriate way
In this case we’re talking about the security program’s relevance to the organization. Both of the definitions above apply, and could be restated this way:
- supporting the current goals, objectives and activities of the business
- applied in a way that is harmonious to business operations and activities
This is both a risk-orientation factor and a business-alignment factor.
Risk Orientation Factor
Very often, security program elements derive from a variety of sources:
- Inherited from a predecessor
- Management-requested or mandated
- Commonly applied security measures
- Business-sector specific security measures (retail, banking, manufacturing, etc.)
- Standards and guidelines
- Regulations (get details at: Security Laws, Regulations and Guidelines Directory):
- Broadly applicable (SOX, GLB, COPPA, PCI DSS, FRCP, FAST, C-TPAT)
- Industry specific (FISMA, NERC, 21 CFR Part 11, HIPAA, HITECH, CFATS)
- State regulations (Massachusetts 201 CMR 17, Nevada NRS 603A)
- International Security and Privacy Laws (Canada: PIPEDA; Mexico: Law on the Protection of Personal Data Held by Private Parties; European Union: Data Protection Directive, Safe Harbor Act)
As a result, not all security measures are based upon specifically identified risks. Sometimes there is enough general evidence to say that a certain category of risk does apply, and so commonly used security measures are implemented without specifically analyzing the related risk factors. This is often the case, for example, with door and gate card access control.
It can be productive of good insights to review current security program elements, and identify the degree to which risk factors have been considered and applied. The validation steps at the end of this article include actions for this kind of review.
Business Alignment Factor
In the past 12 years—and especially within the last few years—many valuable articles, papers, and books have addressed the necessity for aligning security (both physical and logical) with the business, and have provided strategic and tactical approaches for improving business alignment. Pertinent to this article, business alignment is certainly a key aspect of relevance to the business. There are so many valuable references on business alignment, that I have created a page providing a variety of business alignment references for both physical and IT security, some of which will probably be of high interest to you.
This validation step focuses on one aspect of business alignment that is seldom considered: harmony of business alignment. Tom Scholtz, research vice-president at Gartner, has said this about IT business alignment in his excellent article Seven ways to align security with the business:“There is no single tactic or strategy that guarantees success in improving business alignment of security. Rather, a number of varied but interrelated actions need to be identified and executed to improve alignment over time.”The seven aspects of security that Tom identifies are fully applicable to both physical and IT security:
Often business alignment can be “rough around the edges” in any or all of these alignment aspects. Before initiating any other business alignment actions, it can be highly beneficial to make the existing communications, collaborations and interactions more harmonious, or if they are working optimally, to acknowledge (and if appropriate, further support) the ongoing efforts of those involved. Experience has shown that a little improvement goes a long way when this is given some attention. Improvements are generally very well received and appreciated, and are usually recognized by management as good leadership.
There are two sets of validation steps, one for risk orientation and one for business alignment. If you are newly appointed to your position, both sets of steps will be very effective in providing you with valuable insights into the security program whose operation has been put into your hands.
If you already have a risk register, risk log or risk catalog, you are at least halfway there in terms of the effort to complete these steps. You don’t need a fully-populated risk register to perform these steps; a simple list of risks will work as a starting point. Other documents, such as a Risk Treatment Plan or risk assessment’s recommendations, can provide a good list of risks.
The main purpose for this risk orientation exercise is to get a high level view of the risks, how they relate to your security program elements, and see how recently the individual risks or risk categories have been evaluated. In many organizations, risk assessments are performed infrequently, and the risk picture changes in between assessments, without any thought being given to those changes. This exercise provides a way to identify those risks that require additional consideration due to changes to the business or to the threat picture.
Risk treatment and planning can often be updated using micro-assessments, which are a narrowly focused short assessments that provide support for decision-making and planning. Full-blown assessment projects are not the only way to ascertain whether or not any parts of the security program need updating. One benefit of micro-assessments is that they are small efforts, which means that they can easily be performed without compromise to other duties.
Additional reasons for performing these steps are:
- When delegated, they help education staff on the risk-orientation of the security program elements.
- The ongoing focus on “what needs to be done” can push “the good things that have been done” out of mind. These steps bring the strong points of the security program back into focus.
- The resulting risk list has additional uses. An educational poster can be made listing just the risks and the security program elements, that is informative for security personnel and other security stakeholders. Most non-security personnel have no idea of the extent of risk reduction in which the security function engages.
Use these steps is to determine when, and how thoroughly, each risk or risk category has been considered, and whether or not further risk evaluation may be warranted. Much of the work of collecting this information (the first 4 or 5 columns in Step 1 below) can be delegated to staff.
Step 1. Create a table to list the risks, using the following column headings (or download this Word® document template or this Excel® spreadsheet template)
- Risk ID (a number)
- Risk (the name or brief description of the risk or risk category)
- Security Program Element (this is not the security control or measure, but the name of the security program element that addresses the risk, such as Executive Travel Protection or IT Disaster Recovery Plan or Insurance Program)
- Date Risk Assessed (Date of most recent assessment, or “Unknown”)
- Note (any comment you wish to make)
- Conclusion (whether further risk examination is needed, and how that should be approached)
Fill out the first four columns, capturing any key thoughts or questions you have in the Notes column. If you already have a risk register or risk list, you can copy the risk information into this table. Many risk registers don’t identify the security program element in which the security control or measure resides, but you can identify that easily enough. If you don’t already have a risk register or list of risks that various security program elements are addressing, then take the actions you need to identify the risks each program element is addressing and enter the information into the table.
Step 2. Review your Notes, getting answers for your open questions.Step 3. Review each Risk entry, and enter your Conclusion as to whether any action is needed to further evaluate the risk or the measures being used to address it. You may find a few risk items that require you to dig deeper to reach a sound conclusion. Outline a small plan for following up, using micro-assessments where helpful to delegate some of the work.Step 4. Review your conclusion, and if further action is needed, outline an action plan for following-up.
Good business alignment takes into account the impact of security on the business. The smoother security controls work from a business planning and operations perspective, the better. This prompts an update to the traditional description of security’s role:The role of security is to reduce security risks to acceptable levels, at an acceptable cost, in a manner harmonious to the business.
Step 5. Create a document to capture your work (or download a Word worksheet here).
For each element in your security program, use these headings to label the sections where you describe the degree of business alignment harmony from these perspectives.
Step 6. For each security program element, check with the personnel involved to identify any frustrations, friction points, excessive burdens or subversion that your or your security personnel experience. Then check also with the non-security personnel who interact with security personnel related to the security program element, or who have processes, procedures or tasks to execute relating to the security program element.You may already know about some points of disharmony that exist for several of your security program elements. For those program elements where you are not closely familiar with the communications, collaborations and interactions that take place, check with the security personnel and those whom they deal with (separately is preferable), to identify any points of disharmony that they are aware of. You may have to begin your conversation by assuring the personnel that you are not performing a security audit or examining any personnel, but simply looking for opportunities for improvement in how the security program is being carried out.
Step 7. Create an additional document section titled, “Opportunities for improvement”. Review your notes and determine where opportunities for improvement exist, and write down your ideas for making those improvements. In some cases, additional research, thought or collaboration may be required to work out exactly how improvements could be accomplished. Write down how you would approach those actions.
Step 8. Create an action plan for pursuing the opportunities for improvement, establishing a schedule or at least a sequence for carrying out the improvements. Make sure that you include a “Lessons Learned” action item in which you document what you have learned along the way. Obtain whatever management approval or buy-in is required to put the plan into action, and execute the plan according to the sequence or schedule you have established.
Important Note: If you are responsible for the security function in a large organization, you may want to pilot these actions in a single facility or business unit, or for a small selection of security program elements. That will make it easier to determine where and how you could best apply these validation steps with an optimal amount of effort.
Supporting Materials: You will find some very helpful perspectives for executing these validation steps in the first four sections (Manageability, Business Alignment, Security Ladder of Involvement, and Relationships and Allies) of the five sections of the Rate Your Security Program page.
Security practitioners who have applied these validation steps have said that they have strengthened their security program in ways that they would not have otherwise considered, and they also ended up with a good set of new “security talking points” for discussing any element of their security program.