Comparison of Results
Information security is not a "one size fits all" proposition. Each organization has a unique set of risks and must create unique solution strategies to mitigate those risks. Thus, it's not surprising that the improvement areas identified by the hospital's and professional society's analysis teams were quite different.
The hospital had many security-related processes already in place; its improvement plan focused on improving those processes. For example, the hospital had a security training program, but that program was judged to be ineffective. The analysis team recommended that IT staff members receive training in the technologies that they support and that security awareness training be updated.
A second area of improvement was collaborative security management. The hospital's staff relied on informal and ad hoc procedures when working with its IT contracting organization. The analysis team suggested that the hospital's management define formal procedures for working with that organization.
The results of the OCTAVE Method showed several high-severity vulnerabilities in key infrastructure components. The contractor was responsible for conducting periodic vulnerability evaluations and reporting the results to the hospital's IT staff. However, there was a lack of coordination between the contractor and the IT staff members. In addition, the hospital's staff members assigned to manage vulnerabilities lacked sufficient skills to be effective. Thus, the recommendations included better procedures for working with the contractor, along with training and educational activities for the IT staff.
The final area of improvement was authentication and authorization. Policies and procedures existed in this area, but weren't followed. The analysis team recommended that hospital management enforce its policies and procedures in this area.
The hospital had a good foundation for security, which it could improve. By contrast, the professional society didn't have such a foundation. The society hadn't given much consideration to security over the years and had few security-related processes on which to build. Its improvement plan focused on putting such processes in place.
Vulnerability management was judged to be a top priority for the society, primarily due to the nature of the organization's top risks and the lack of organizational skills in this area. Because there were no existing procedures in this area, the organization's managers had to decide how to implement this improvement. Should they develop the capability within the organization? Or should they contract with a third party? They intended to answer these questions after the evaluation.
The lack of contingency plans and inadequate physical security procedures were the other areas of improvement. In both cases, organizational personnel were assigned to study the issues and create plans. Unfortunately, the organization had few existing procedures in either area that could be leveraged.
The path toward improvement was very different for the two organizations. By analyzing current security-related processes in relation to its highest-impact risks, each analysis team identified key areas that needed to be addressed, defining a unique path toward improving the organization's security posture.