Security level management

Security level management (SLM) comprises a quality assurance system for electronic information security.

The aim of SLM is to display the IT security status transparently across a company at any time, and to make IT security a measurable quantity. Transparency and measurability are the prerequisites for improving IT security through continuous monitoring.

SLM is oriented towards the phases of the Deming Cycle/Plan-Do-Check-Act (PDCA) Cycle: within the scope of SLM, abstract security policies or compliance guidelines at a company are transposed into operative, measureable specifications for the IT security infrastructure. The operative aims form the security level to be reached. The security level is checked permanently against the current status of the security software used (malware scanner, update/patch management, vulnerability scanner, etc.). Deviations can be recognised at an early stage and adjustments made to the security software.

SLM falls under the range of duties of the chief security officer (CSO), the chief information officer (CIO) or the chief information security officer (CISO), who report directly to the Executive Board on IT Security and data availability.

Classification
SLM is related to the disciplines of Security Information Management (SIM) and Security Event Management (SEM), which the analysts Gartner summarise in their Magic Quadrant for Security Information and Event Management, and define as follows: […] SIM provides reporting and analysis of data primarily from host systems and applications, and secondarily from security devices — to support security policy compliance management, internal threat management and regulatory compliance initiatives. SIM supports the monitoring and incident management activities of the IT security organization […]. SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations. […]

SIM and SEM relate to the infrastructure for realising superordinate security aims, but are not descriptive of a strategic management system with aims, measures, revisions and actions to be derived from this. SLM unites the requisite steps for realising a measurable, functioning IT security structure in a management control cycle.

SLM can be categorised under the strategic panoply of IT governance, which, via suitable organisation structures and processes, ensures that IT supports corporate strategy and objectives. SLM allows CSOs, CIOs and CISOs to prove that SLM is contributing towards protecting electronic data relevant to processes adequately, and therefore makes a contribution in part to IT governance.

The Steps towards Security Level Management
Defining the Security Level (Plan): Each company specifies security policies. It defines aims in relation to the integrity, confidentiality, availability and authority of classified data. In order to be able to verify compliance with these specifications, concrete objectives for the security software used in the company must be derived from the abstract security policies. A security level consists of a collection of measurable limiting and threshold values.

Limits and thresholds must be defined separately for different system classes of the network, for example, because the local IT infrastructure and other framework conditions must be taken into account. Overarching security policies therefore result in different operational objectives, such as: The security-relevant software updates should be installed on all workstations in our network no later than 30 days after their release. On certain server and host systems after 60 days at the latest.

The IT control manual Control Objectives for Information and Related Technologies (COBIT) provides companies with instructions on transposing subordinate, abstract aims into measurable objectives in a few steps.

Collecting and Analysing Data (Do):Information on the current status of the systems in a network can be obtained from the log data and the status reports of the management consoles of the security software used. Monitoring solutions that analyse the security software of different vendors can simplify and accelerate data collection.

Checking the Security Level (Check): SLM provides continual comparison of the defined security level with the actual values collected. Automated real-time comparison supplies companies with a continuous monitoring of the security situation of the entire company network.

Adjusting the Security Structure (Act): Efficient SLM allows trend analyses and long-term comparative assessments to be made. By continuously monitoring the security level, weak spots in the network can be identified at an early stage and proactive adjustments can be made to the security software to improve system protection.