A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Enterprise Security Management

When small and large businesses provide a Web site, they should attempt to make it as secure and safe as possible, both for themselves and their customers.

Too often, organizations deal with security threats only after they occur. Such threats are handled in an ad-hoc manner, and even similar threats may be handled differently at different times. Without a consistent strategy, recording the details of an incident may be overlooked, and best practices may not be followed.

Enterprise security management (ESM) is a method focused on creating a security management framework, so that organizations can build up and sustain security for their systems. ESM is a holistic approach that integrates policies, guidelines, responses, and both proactive and reactive measures for the various risks an organization faces.

ESM has a very broad outlook that pertains not only to computer security threats but also to any risks that may affect an organization's core business. These risks may include:

  • External security threats
  • Internal sabotage or security threats
  • Failed software development or system processes
  • Deliberate or inadvertent mistakes made by employees

In practice, implementers of ESM first seek to redefine the following aspects of security:

  • How is security viewed in the organization? ESM moves the organization from a technical-centered view to a business-centered view.
  • How is security approached in the organization? An ESM approach is systematic, rather than irregular, and strategic, rather than reactive.
  • How is security performed in the organization? ESM stresses the importance of sensing and reporting more than straightforward monitoring.

Then, the implementers seek to acknowledge and define the risks that an organization faces. This stage addresses the questions that follow:

  • What causes the risks?
  • Which parts of the business are affected by the risk?
  • What are the consequences?

Once the risks are well defined, implementers of ESM create a framework that lets the organization manage this risk on two fronts:

  • Manage the threats
  • Manage the impact of those threats

The goal of ESM is to achieve resiliency for the following aspects of the organization:

  1. People
    • Educate employees
    • Train employees
  2. Business Processes
    • Streamline processes
    • Try to use common resources for which a risk analysis has already been done
  3. Information/Data
    • Provide checks for authorization and authentication
    • Restrict access to only those people who should have it
    • Redundancy of important data
  4. Facilities
    • May include physical security
    • Devise contingency plans
  5. Technology
    • Leveraging technology to provide solutions
    • Determining what tools can be used for defending, responding and analyzing security threats

In summary, ESM is a new area of research that aims to make security management for organizations a science, rather than the abstract, ad-hoc practice it is today.
