Have an enterprise? Then, you likely have people, facilities, data, and technologies that you’re responsible for. Collectively, these are your asseets.
Security management is the process of cataloguing all of these enterprise assets, then developing the documentation and executing the policies needed to protect them from threats.
The types of security threats
What kind of security threats should you be worried about? Some of the keenest security threats we face include:
Trespassing, theft, sabotage, and other property crime
A perennial risk, property crime threatens business owners with brick-and-mortar investments. For instance, goods might be stored in sprawling warehouses and lots, in older spaces not designed with modern threats in mind.
These vulnerabilities have long represented an alluring target for property crime and burglaries. In the U.S. construction industry alone, anywhere between USD 300 million and 1 billion a year is lost due to the theft of equipment and other high-value materials, according to the National Insurance Crime Bureau.
Cyberattacks
While businesses might always have had to deal with property crime, cybercrime has come on strong in the last decade or so. Cyberattacks, despite their relative novelty, have quickly displaced all other risks as the security threat business leaders fear the most.
They have every reason to. A mere week into 2024, and the British Library, Beirut International Airport,, and mortgage loan firm loanDepot were targets of high-profile cyberattacks.
2023 was no better. The Apple-supported study, The Continued Threat to Personal Data confirmed that data breaches were at an all-time high for U.S. businesses in the first nine months of 2023.
Among cyberattacks, ransomware has become an increasingly popular mode of attack. High-profile targets have included Royal Mail, the U.S. Marshals Service, TSMC, MOVEit, and others.
How severe is the threat?
The MOVEit breach, in one fell swoop, affected more than 2000 organizations and over 62 million people. For context, data was taken from government agencies, school systems, big businesses, even HR and payroll services.
Add to that, the rise of ransomware-as-a-service portends much of the same this year, i.e., more breaches and service shutdowns as well as heftier payments.
Extreme weather and natural disasters
Physical assets are also vulnerable to extreme weather and natural disasters. In particular, severe weather, like cyberattacks, have grown more common and costly in the last few decades.
In the U.S. alone, 2023 saw a staggering 28 weather/climate disaster events with individual losses exceeding $1 billion.
That figure was up eight from the year before. But it was a staggering increase of 20 from the 1980-2022 yearly average, suggesting a deteriorating risk environment.
Globally, the number is shooting up, too, posing a keen threat to security leaders around the world.
Civil unrest
Incidents of civil unrest associated with political and economic activity have also been on the rise, posing acute security risks, especially to workers in venues of mass gathering and other key assets.
Back in spring 2020, for instance, a series of demonstrations against the state of Michigan’s stay-at-home-order brought armed protestors to the State Capitol. In the summer, armed protestors in Oregon stormed that state’s Capitol, while the State Legislature was still in session. Protestors in Portland, Oregon also marched to a county government building, where they threw rocks and lit a fire.
Indeed, 2020 was a tentpole year for incidents of civil unrest. The George Floyd protests became the first civil disorder catastrophe event to exceed USD 2 billion in insurance losses.
Nor was 2020 the end. The January 6 riots on Capitol Hill continued a trend of civil unrest. Meanwhile, protests precipitated violent encounters throughout Europe, as well.
Insider threats
In addition to civil unrest, organizations, since COVID, have also faced the reality of reduced workforces and overburdened staff. According to security experts, frustrated employees may be more inclined to act nefariously, especially in an unsupervised environment.
Being able to connect from personal devices only heightens the threat, necessitating the need for the appropriate controls and technologies to ensure visibility.
Attacks on healthcare facilities
Then, there are particularly high-risk sectors. Among them, healthcare has long suffered from high levels of client-initiated, occupational violence.
For instance, the U.S. Government Accountability Office (GAO) has found that healthcare workers are five to 12 times more likely to encounter nonfatal violence in the workplace than their counterparts in other industries.
2022 survey data from the American College of Emergency Physicians also showed that 55% of ER doctors had been physically assaulted.
The issue is global in scope. The Australian healthcare sector has consistently logged the highest number of serious workers’ compensation claims, with disproportionately high rates of homicide and other violent incidents.
Nurse assaults, specifically, are at epidemic levels. The Australian Institute of Criminology went so far as to designate nurses as the occupational group most at risk of workplace violence.
Workplace accidents
Other sectors face their own challenges. The ILO estimates that workplace accidents account for over 300,000 deaths per year.
Here, agriculture, construction, forestry and fishing, and manufacturing are heavily represented. Collectively, those industries account for some 63% of all fatal occupational injuries.
What is the purpose of security management?
As security threats grow more severe, someone must keep assets safe.
That task has devolved to security management. The main purpose of security management is to keep the enterprise’s assets (property, people, technology, etc.) protected from identified threats, whether those threats come externally or internally.
Security managers do so by providing a foundation for an organization’s security strategy.
They come up with policies and procedures and implement processes for classification, security risk management, and threat detection and response.
All told, security management enables organizations to
- Identify potential threats
- Classify and categorize enterprise assets
- Rate vulnerabilities
Types of security management
However, given the scope of the threat, security management can’t just be one thing. The growing cyber threat, in particular, means that security management isn’t just uniformed guards on patrol.
What are the main types of security management? They include:
Information security management
Information security management is an organization’s approach to ensure the confidentiality, availability, and integrity of IT assets and safeguard them from cyberattacks.
Cybersecurity management
Similarly, cybersecurity management involves the strategic planning, operations, implementation, and monitoring of cybersecurity practices within an organization.
Operational security management (OpSec)
Derived from the United States Military, OpSec is an analytical process that entails assessing potential threats, vulnerabilities, and risks to sensitive information.
Physical security management
Physical security refers to the protection of building sites and equipment (and all assets held within) from theft, vandalism, natural disaster, manmade catastrophes, and/or accidental damage.
Critical infrastructure protection (CIP)
Every country has key assets that are vital to maintaining a strong economy and high quality of life. Critical infrastructure protection refers to the actions taken and the critical infrastructure protection technologies needed to prevent, remediate, or mitigate risks resulting from vulnerabilities of these critical assets.
Strategies to enhance security management
Just as there are multiple subfields within the umbrella of security management, there are many different strategies within those subfields to enhance enterprise security.
We can’t delve into all strategies an organization needs to adopt to enhance its security management. But we can focus on best-practice strategies as laid out in international information security management system (ISMS) standard, ISO 27001.
The standard suggests methods for and practices of implementing information security in organizations. It provides flexible guidelines for how methods and practices should be implemented.
What’s more, ISO 27001 provides a means of enabling secure, reliable communications of security risk.
The standard also emphasizes the necessity of adequate training as a prerequisite for implementing then communicating security procedure. That procedure must be continuously monitored, checked on, and improved upon, to ensure the effectiveness and efficiency of the ISMS.
Although an information security standard, ISO 27001 discusses physical security at length, as well. After all, information assets can be manipulated by personnel. They are vulnerable even despite the most stringent information security measures.
What physical security controls does the standard prescribe?
The recommended control is to continuously monitor all premises for unauthorized physical access. What are some others?
Physical security management controls
The full list of physical security management controls includes:
|
Category |
Control |
|
Physical security perimeters |
Security perimeters shall be defined and used to protect areas that contain information and other associated assets. |
|
Physical entry |
Secure areas shall be protected by appropriate entry controls and access points. |
|
Securing offices, rooms, and facilities |
Physical security for offices, rooms, and facilities shall be designed and implemented. |
|
Physical security monitoring |
Premises shall be continuously monitored for unauthorized physical access. |
|
Protecting against physical and environmental threats |
Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented. |
|
Working in secure areas |
Security measures for working in secure areas shall be designed and implemented. |
|
Clear desk and clear screen |
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced. |
|
Equipment sitting and protection |
Equipment shall be sited securely and protected. |
|
Security of assets off-premises |
Off-site assets shall be protected. |
|
Storage media |
Storage media shall be managed through their life cycle of acquisition, use, transportation, and disposal in accordance with the organization’s classification scheme and handling requirements. |
|
Supporting utilities |
Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
|
Cabling security |
Cables carrying power, data, or supporting information services shall be protected from interception, interference, or damage. |
|
Equipment maintenance |
Equipment shall be maintained correctly to ensure availability, integrity, and confidentiality of information. |
|
Secure disposal or re-use of equipment |
Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
|
People controls |
Control |
|
Screening |
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
|
Terms and conditions of employment |
The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security. |
|
Information security awareness, education, and training |
Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education, and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. |
|
Disciplinary process |
A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. |
|
Responsibilities after termination or change of employment |
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced, and communicated to relevant personnel and other interested parties. |
|
Confidentiality or non-disclosure agreements |
Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed, and signed by personnel and other relevant interested parties. |
|
Remote working |
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed, or stored outside the organization’s premises. |
|
Information security event reporting |
The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. |
Security management for compliance
ISO 27001 is a voluntary standard. Increasingly, though, policymakers are requiring enterprises to have a base level of security management.
One example is in financial services.
Finance and insurance routinely top the ranks of the most vulnerable sectors to data breaches. And so, in July 2019, Australian prudential regulator, APRA released Prudential Standard CPS 234 Information Security to ensure that regulated entities take measures to be resilient against information security incidents (including cyberattacks).
What are some the requirements of the standard that might be of interest even to firms outside of the financial services space?
Generic information security requirements include:
- Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals
- Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity
- Implement controls to protect information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls
- Notify the regulator of material information security incidents
How then to comply with the standard and to generally enhance information security management at your firm?
Best-practice measure to enhance information security management
Third-party risk management
Where information assets are managed by a related party or third party, assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets
Policy framework
Maintain an information security policy framework commensurate with exposures to vulnerabilities and threats, which provides direction on the responsibilities of all parties who have an obligation to maintain information security
Information asset identification and classification
Classify information assets, including those managed by related parties and third parties, by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting an information asset has the potential to affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers
Controls
Have information security controls to protect information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with:
- Vulnerabilities and threats to the information assets
- The criticality and sensitivity of the information assets
- The stage at which the information assets are within their lifecycle
- The potential consequences of an information security incident
Incident management
Have robust mechanisms in place to detect and respond to information security incidents in a timely manner.
Maintain plans to respond to information security incidents that could plausibly occur. Those plans must include mechanisms for:
- Managing all relevant stages of an incident, from detection to post-incident review
- Escalation and reporting of information security incidents to the Board, other governing bodies, and individuals responsible for information security incident management and oversight, as appropriate.
- Annually review and test information security response plans to ensure they remain effective and fit-for-purpose
Testing control and effectiveness
Test the effectiveness of information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with:
- The rate at which the vulnerabilities and threats change
- The criticality and sensitivity of the information asset
- The consequences of an information security incident
- The risks associated with exposure to environments where the entity is unable to enforce its information security policies
- The materiality and frequency of change to information assets
Security management software to help comply with security regulations
Adherence with these security regulations might seem like a lot, as might upleveling your security management capability. Digital security management software can help, here, though.
How so?
With flexible, configurable, digital functionality, security management platforms enable entities to:
- Define information security-related roles and responsibilities
- Maintain an information security capability
- Implement controls to protect information assets and systematic testing and assurance
- Notify regulators of material information security incidents
What else? Well, these solutions capture and consume information from multiple sources, including reports, logs, communications, forms, assets, and maps, providing a real-time common operating picture of the task or operation at hand.
Indeed, solutions like Noggin Resilience, by leveraging powerful, yet easy-to-set-up workflows, also control and automate information security management processes and standard operating procedures, keeping the right stakeholders (internal and external) informed across multiple communications mediums.
But don’t take our word for it. Request a demo to see how Noggin can meet your security management needs.
.svg)
.svg)
.svg)