Editor’s note: This is the 14th of a multi-part series that provides 15 important perspectives from which to validate your security program. If this is the first article you have seen in this series, please read the introductory article before launching into the validation steps.
- Part One (key attributes)
- Part Two (defensible)
- Part Three (qualified)
- Part Four (justifiable)
- Part Five (proven)
- Part Six (well-supported)
- Part Seven (official)
- Part Eight (robust)
- Part Nine (relevant)
- Part Ten (well-founded)
- Part Eleven (accepted)
- Part Twelve (effective)
- Part Thirteen (viable)
An attribute is a quality or feature regarded as a characteristic of something. What we are calling the "15 Validation Attributes" are 15 characteristics that you can use to both validate and strengthen your security program.
Validation Attribute: Substantiated
Definition:
1. provide evidence to show or prove the truth of
2. validate, corroborate, verify, confirm
The emphasis for the Substantiated validation attribute is on being able to quickly provide evidence of, or speak to, the validity of any security program element. In the work for several of the earlier validation attributes, such information was developed or utilized. The objective for this attribute is to gather up a selection of information so that you could respond quickly and simply about any security program element because you have thought it through once already, and you have the evidence quickly available if you need to reference it. Sometimes what appears to be “quick thinking” is simply the result of having been prepared.
Performing these simple validation steps below will refresh your memory about what you can say or write, and make you better prepared to articulate the validity of any security program element at a moment’s notice.
If you skipped performing the steps for some of the earlier attributes, and as a result don’t have the evidence on hand that you’d like to have, you may not need to perform those steps now. Simply do your best on the steps below; that may work just fine. If you can’t immediately answer a question for any particular security program element, do the rest and then come back to the unanswered questions. Consider what you can do now in an easy way, to get your answers.
If you need to or want to, you can always perform the steps of a skipped validation attribute, or re-apply the steps of an attribute just for a specific security program element.
The main objective for this attribute is to be able to easily speak to 100 percent of your security program elements by means of this preparation. I’m probably making it sound harder than it is, but you’ll see what I mean when you download the Security Program Substantiation Chart, which has three simple questions to answer for each of the elements of your program.
Thinking Points
The items created in these validation steps are not just “talking points.” Their purpose is to provide non-security stakeholders in the organization, including management, with ways of understanding and thinking about the various elements of a security program. This is high-level information; they don’t need the “down in the weeds” perspective that practitioners get from going about their duties. These are “thinking points” for others and so need to be expressed in simple but accurate terms. This is part of raising awareness of the security function, and of the need for the various parts of the security program.
The Challenge
The challenge in performing this step is to explain things in plain language, from the perspective of a non-security person. Individuals outside of the security function don’t have the same vocabulary as security practitioners. When we say "threat," non-security folks think of someone calling on the phone or raising a fist to someone and promising to do them harm. It’s the right concept, but very narrow compared to the full range of threats against facilities, people and information.
Including Your Staff
If you have staff who would benefit from being able to speak well about their own areas of responsibility, you can assign some of the security program elements to them to perform these steps. You can also have them perform this exercise on sub-elements of the program elements they are responsible for. Practitioners who have had their staff perform these validation steps for their areas of responsibility, either individually or through individual or group discussion, have reported a variety of resulting benefits, including improved perspectives and better alignment of thinking on the part of their staff. Most of all, they reported that staff felt very validated by gaining an improved understanding of the value of their own work.
Validation Steps
Step 1. Download the RBCS Security Program Substantiation Chart. This is a Microsoft Word® document.
Step 2. List the elements in your security program. In the left-hand column of the Security Program Substantiation Chart, list the names of the security program elements you want to validate.
Step 3. Express the Purpose, Function, and Result of each element. Specifically, these mean:
- Purpose: This is the reason for the security program element. Often best expressed by example, such as, “Without a visitor management program, we’d be losing proprietary information in more than half a dozen ways.” There may be other reasons, but you may only need a good example or two in most cases. What is the most important effect of the security program element?
- Function: Provide an overview or some insight into what is done, or into the scope of the controls. For example, “Our visitor management program depends upon our access control system, video system, information classification system, ID badge policy, security officer patrols, parking lot controls, and employee hotline—to name a few.”
- Result: For information systems protection, it can usually be summed up into some aspect of Confidentiality, Integrity and Availability. For facility security, “a safe and secure workplace” is the overall result. Thus, a visitor management program, for example, could relate to that in this way, “Our visitor management makes sure that we maintain a safe and secure workplace, including secure information, even though our recent business expansion now has three times as many people visiting the facility as we used to have.”
Step 4. For each security program element, see if you can come up with an interesting “tidbit”. Not all security program elements have such a tidbit that comes to mind. However, after doing this exercise, over time additional tidbits will develop, and it pays to go back and update this chart when they do. If you have an annual security program review, that could also be a good time to take a few minutes to brainstorm for a few more tidbits. Tidbits help people “warm up” a little to security, as generally they have little insight into it beyond their own direct experience.
A tidbit is a piece of information that people generally wouldn’t know, that they would find surprising or interesting, and which highlights some part of the value security provides. For example, with regard to visitor management, “We just finished updating our visitor management program, because the governor decided to hold a meeting at our headquarters facility, because it’s close to the airport and he needs a quick ‘in and out’.” Here is a less dramatic tidbit, “The quality of car batteries must be improving, as security only had to jump start 45 cars this winter, which is half of what we used to do.” Another, “Our new high-resolution cameras really help us monitor the main parking lot well. On some days we have over 100 students and tourists who cut through the parking lot and we need to keep a close eye on our employee and visitor vehicles.” Most people have no insight at all into the dynamics of information security; one such tidbit could be, “I’m really proud of how quickly our upgraded information protection plan went into place. With all of the merger activity we’ve had in the past year, the scope of our information protection efforts has tripled.”
Final Note
Whenever a specific question is asked about a particular control measure, it is often a good idea to include in the response the overall purpose and result of the security program element (or elements) that the control serves. That can help non-security folks to participate productively in the dialog, which can sometimes result in valid and workable suggestions for a security improvement.
About the Author: Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private organizations (www.go-rbcs.com). Mr. Bernard has also provided pivotal strategic and technical advice in the security field for more than 29 years. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). He is also an active member of the ASIS International member councils for Physical Security and IT Security.