Wednesday 28 March 2012

The 7 Elements

A question I am often asked is what is behind the name '7 Elements'. So for this blog post, I am going to explore this in more detail and go through each of the 7 Elements in turn.

The name 7 Elements reflects the belief that there are seven core activities required within an organisation's approach to information security. Only by embedding all seven can an organisation truly deliver a holistic and resilient approach to information security, one that will enable it to meet its business objectives and, in the end, to survive.

The Elements

Design | Build | Manage | Embed | Adapt | Sustain | Assure

Out of the seven, the following six elements provide the foundations required for a resilient approach to security:

Design

Within this element an organisation needs to define the architecture, policies and standards required to deliver a resilient approach to information security.

Build

Next we need to deploy systems and infrastructure that meet your design and protect your organisation's information.

Manage

Ongoing management is then required to ensure that your systems are operated securely and that new projects align with your security design. This element can also include the management of complex security testing engagements.

Embed

Embedding security strategy, culture and awareness into your business processes is vital to the overall organisational approach to security.

Adapt

We do not live in a static environment, so it is vital that we can respond to changes within the threat landscape with regular reviews and updates that inform all of the elements.

Sustain

Incidents will happen, both malicious and unintentional, so there is a need to deliver business resiliency through Incident Management and Resiliency testing.

This then brings me to what I feel is the most important and often neglected element required:

Assure

The 7th Element is all about gaining assurance over any aspect of your approach to security, through practical and pragmatic security testing. Many organisations will focus on aspects of the other elements and fail to gain assurance that their approach actually provides the level of protection required, and as such could expose the organisation to hidden risks.

Security testing allows you to test the assumptions and controls that are designed to provide a level of security, and to gain assurance that each assumption or control actually does what was expected or, more importantly, does not do something unexpected that results in a compromise of data.

This approach would then lead to the following model:
