About the information security model

The Information Security Model Canvas is a standards-based, intuitive, scalable, and easy to manage method to build, document, or sustain a cyber security program and improve decision making.

Each object in the model, described below, represents a part of the program. The model structures these elements to keep the focus on business objectives: what to protect, how to respond and recover, and how to prioritize sustaining and improving your program and Digital Trust.


Business Architecture

Documenting your capabilities, value streams, and organization structures to align your cyber security program to your business.

Documenting your business architecture helps keep your business and security objectives aligned and prioritized.


Business Security Objectives

What the cyber security program is to accomplish or how it can be made more effective.

Describing your vision and security roadmap helps focus and manage your cyber defense activities.


Security Program Objectives

The specific tasks and projects to develop, sustain, and improve your cyber security program.

Setting these objectives keeps improvement focused on the important assets and risks.


Threats

Threats include phishing, ransomware, insider risks, weak passwords, unpatched systems, supply chain disruption, insecure access, and data leaks.

Identifying and analyzing your threats focuses defenses and funding.


Vulnerabilities

Vulnerabilities include weak passwords and authentication, unpatched software, lack of cyber security awareness training, misconfigurations, 3rd parties, device theft, and inadequate backups.

Addressing these can prevent financial or data losses, disruptions, and reputational damage.


Information Risks, Response & Recovery Strategy

Identifying the risks to the information assets.
Developing and maintaining incident management response and recovery.

Managing the risks to your information assets and developing response plans for potential events dramatically improves your security posture and your capability to get your business back up quickly and inexpensively after an incident.


Information Assets

The information that your business uses. The crown jewels to consider and protect. The primary focus of information risk management.

Identifying, documenting, managing, and monitoring your information assets is a key step to develop a cyber security program.


Security Program Elements

The primary parts of the business’s cyber security focus: the technical, administrative, and physical controls and the governance your business needs to develop, communicate, and keep the program effective. The policies, standards, and procedures that are the program.

Developing a structure for the elements of your cyber security program enhances management and effectiveness. They can be maintained as a set of documents or in an online repository, but they should be written down.


Policies, Strategy – Controls, Standards

Policies – Concise documents that set boundaries and provide direction for your program, incident response, recovery, and information protection.
Strategy – Considering and documenting how you are going to accomplish your security goals.
Controls – The things in place to protect your business.
Standards – Informal or formal descriptions and procedures for cyber security activities.

Developing policies is essential, as they establish clear guidelines and expectations for all stakeholders. A well-defined strategy aligns the cyber security program with business objectives, ensuring a focused approach. Controls serve as the protective measures that mitigate risks and strengthen defenses. Standards document the program’s implementation, ensuring consistency and compliance.


Endpoints, Infrastructure – Users, Customers, 3rd Parties

Endpoints – Typically, the computers you or your team use.
Infrastructure – Other technology components used in your business.
Users – You and your people. Optionally, your customers and suppliers.
Customers – Consumers of your product and suppliers of any data you keep on them.
3rd Parties – Suppliers and other entities that you interact with.

Endpoints are critical assets that must be secured to prevent unauthorized access and data breaches. Infrastructure forms the backbone of the organization’s operations and requires robust protection to ensure availability and resilience. Users play a key role in cybersecurity, and their awareness and adherence to security practices and policies are essential. Customers trust the organization to safeguard their data, making security a fundamental responsibility. Third parties introduce additional risk, requiring vetting and continuous monitoring to ensure they meet security standards.


Compliance, Audit, Regulators

Maintaining evidence of the program’s effectiveness. Activities and documentation about the state of the program to show its strengths and areas for improvement. Any legal or regulatory requirements your business must meet.

Compliance ensures adherence to security standards and legal requirements. Audits verify controls and identify gaps for improvement. Regulators set expectations, making compliance essential for risk management and trust.


Assessment, Investment

Looking at the state of the program, its value, and budgeting maintenance, monitoring, and improvements.

Assessment identifies risks and gaps, guiding security improvements. Investment ensures the resources needed to strengthen defenses and resilience.