Understanding Security Domains

Updated October 9, 2023
Security for Everyone

🚀 As explained by Laura

When discussing security management for a business, it helps to have a structure to work with. This structure will group the measures you can take by the type of action and impacted areas of the business, letting you review and approach each area in turn rather than trying to tackle everything at once.

There are a number of frameworks for information security, each defining its own version of these areas. In this section we will cover a simplified version of the international standard framework, ISO 27001.

Table: The ISO 27001 Security Control Domains

• Security policy: Sets the direction and expectations for security within a business, often aiming to align the business with customer, business, legal or regulatory requirements.
• Organization of information security: Provides a structure for managing security within the business, both in terms of internal roles and ownership and how risk is managed when working with external parties.
• Asset management: Understands, monitors and protects business assets such as computers, files, and devices, as well as the information stored on them.
• Human resources security: Considers security throughout a person’s employment with your business, from initial hire, to the evolution of their role and their eventual exit.
• Physical and environmental security: Prevents unauthorized access to sensitive business areas and protects the devices, information, and people within them.
• Communications and operations management: Manages the security impacts of many of our business’s operational processes, including communications, working with third-party service providers, planning technology projects and handling information.
• Access control: Controls access to systems, devices, or processes that handle sensitive or critical business information, preventing access by those without a need for it.
• Information systems acquisition, development and maintenance: Weaves security into our processes for procuring, designing, building, configuring and maintaining systems so that vulnerabilities can be avoided or identified early and addressed.
• Information security incident management: Provides mechanisms for security events and weaknesses to be reported within the organization and corrected, as well as creating a feedback loop to capture lessons learned from security incidents and vulnerabilities.
• Business continuity management: Prepares the business and its critical processes to recover from major disruptions and incidents, minimizing their impact and the time taken to resume operations.
• Compliance: Ensures and validates that the business meets internal, legal, contractual and regulatory information security requirements.

While there is no need for you to memorize the above domains, it’s worth familiarizing yourself with the structure and some common themes.

Specifically, you’ll notice that all of the above domains fit into one of three themes: management, prevention, and response.

Management, Prevention, and Response Domains

Definition: Management domains aim to set the direction and security expectations for your organization, and will often involve thinking about and planning how you would like security to be handled by your team. These practices and associated policies are then used as a measure to decide if your team has met your expectations when approaching security tasks.

Definition: Prevention domains aim to identify risks and threats that apply to your business and take steps to reduce the likelihood of them happening. While there are no guarantees in security, and rarely can we be sure that we have stopped a security vulnerability from occurring, prevention aims to do the best we can to protect what matters.

Definition: Response domains are those focused on events that could potentially happen. They are the mechanisms we use to predict and plan for security incidents and disruptions to our operations. These domains act like the cards in the seat back of your plane. While we all hope nothing goes wrong on our flight, we know it’s important to read the card and know what to do, just in case. These domains aim to respond quickly and effectively as bad things happen, so that we can minimize the impact on the business and restore operations to normal as soon as possible.

Let’s reorganize our domains by these categories.

Table: Security Domains by Category

Management:
• Security policy
• Organization of information security
• Compliance

Prevention:
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance

Response:
• Information security incident management
• Business continuity management

As this table shows, there is a lot more for us to do when trying to practically protect our data and prevent security incidents than simply managing our security approach or planning our response. While the table is a simplification, it’s a nice reminder that our security to-do list is long and mostly contains changes we need to make to our systems and processes, rather than just creating documentation.

Minimum Viable Security

🚀 As explained by Laura

When it comes to figuring out how much security is “enough” for your business, there is no “one-size-fits-all” template you can follow. Use the following prompts to understand how your business, industry, and aspirations will affect how much or how little security will be needed for your stage.

Factors affecting your minimum viable security requirements:
