Security Level Management (SLM) is a quality assurance system for IT security. The aim is to represent the security status of each individual system in the network transparently at all times. This transforms IT security into a measurable and manageable factor - and improves quality assurance considerably as a result, while minimising the residual risk. SLM supports PCI DSS requirements 5 and 6 as well as the check phase performed by an information security management system (ISMS) in accordance with ISO/IEC 27001.
IT security can only be improved continuously if the actual performance of the security systems in the network can be viewed at all times and compared with the target specifications. Security level management is a strategic management system that allows for just this: aims, measures, revisions and actions are derived in the form of a management control cycle.
Security Level Management must be distinguished from systems for security information and event management (SIEM). The main purpose of the latter is to support IT operations in pinpointing anomalies in the network, which are detected and reported by evaluating and comparing log data.
SLM is oriented towards the phases of the Deming Plan-Do-Check-Act Cycle. The steps are as follows:
Defining the security level (Plan):
During the Plan phase, concrete targets for the individual security systems at the company are derived from abstract security policies. A security level consists of a collection of measurable limiting and threshold values. Operative aims like "the anti-virus systems at our German sites need to be at the newest level no later than four hours after the appearance of the current signature" are derived from parent security policies like "our virus protection system needs to be state-of-the-art" or "our employees should be able to work without being interrupted."
Collecting and analysing data (Do):
The information on the current status of the systems is gleaned from the log files and status reports provided by the individual anti-virus, anti-spyware or anti-spam consoles. The data is collected fully automatically, and data integrity is guaranteed.
Checking the security level (Check):
SLM prescribes continual reconciliation of the security level defined against the current values measured. Automated real-time reconciliation supplies the company with a constantly up-to-date status report to assess the security situation across all locations.
Adjusting the security structure (Act):
The rolling observation of the security level allows weak spots in the network to be pinpointed early on. Proactive adjustments in the security systems can be made on this basis.
Instruments for security analysis that work across all applications irrespective of the vendor, such as AMPEG Security Lighthouse, come into play especially in the "Do" and "Check" phases of the SLM cycle. They are expected to fulfil the following enterprise IT security tasks:
- Creating a central, standardised and vendor-independent database from the relevant security information specific to the security systems employed.
- Constantly comparing target and actual values.
- Visualising the current security status in traffic light colours like the ones in the geographical overview on the AMPEG Security Lighthouse Security Information Map.
- Checking the current security status constantly to ensure that the end points in the corporate network are adequately secured against current threats and weak spots.
- Supporting processes for continually and efficiently improving electronic security through focused, cross-locational, long-term analyses of the security information.
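The PDCA steps and the task list above, reduced to code as an added illustration (not part of the original text, and not code from any AMPEG product): the page's four-hour signature aim becomes a threshold, constructed status records stand in for an anti-virus console export, and a target/actual reconciliation yields per-site traffic-light colours. The two-times-limit yellow band, the site and host names and all timestamps are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Plan phase: the security level as measurable threshold values. The 4-hour limit is the
# page's example aim; the yellow band (up to twice the limit) is an assumption added here.
SIGNATURE_MAX_AGE = timedelta(hours=4)
WARNING_BAND = 2
SEVERITY = ["green", "yellow", "red"]

@dataclass
class EndpointStatus:
    site: str
    host: str
    signature_version: int   # signature version the endpoint reports
    updated_at: datetime     # when the endpoint last pulled a signature

def signature_lag(rec, current_version, released_at, now):
    """Actual value: time between signature release and the endpoint having it.
    An endpoint still on an older version keeps lagging, so its lag runs up to now."""
    if rec.signature_version >= current_version:
        return max(rec.updated_at - released_at, timedelta(0))
    return now - released_at

def classify(lag):
    """Check phase: compare the measured lag against the defined limit."""
    if lag <= SIGNATURE_MAX_AGE:
        return "green"
    if lag <= SIGNATURE_MAX_AGE * WARNING_BAND:
        return "yellow"
    return "red"

def reconcile(records, current_version, released_at, now):
    """Traffic-light status per site: the worst endpoint colour decides the site colour."""
    status = {}
    for rec in records:
        colour = classify(signature_lag(rec, current_version, released_at, now))
        status[rec.site] = max(status.get(rec.site, "green"), colour, key=SEVERITY.index)
    return status

# Do phase: constructed console export. Signature 1000 was released 08:00 UTC; check at 18:00.
UTC = timezone.utc
RELEASED_AT = datetime(2024, 5, 1, 8, 0, tzinfo=UTC)
NOW = datetime(2024, 5, 1, 18, 0, tzinfo=UTC)
SAMPLE_STATUS = [
    EndpointStatus("DE-Hamburg", "ws01", 1000, datetime(2024, 5, 1, 10, 30, tzinfo=UTC)),
    EndpointStatus("DE-Hamburg", "ws02", 1000, datetime(2024, 5, 1, 11, 0, tzinfo=UTC)),
    EndpointStatus("DE-Berlin", "ws03", 1000, datetime(2024, 5, 1, 13, 30, tzinfo=UTC)),
    EndpointStatus("DE-Berlin", "ws04", 999, datetime(2024, 4, 30, 9, 0, tzinfo=UTC)),  # still on old signature
]
SITE_STATUS = reconcile(SAMPLE_STATUS, 1000, RELEASED_AT, NOW)  # {'DE-Hamburg': 'green', 'DE-Berlin': 'red'}
```

The Act phase starts from the red site: ws04 has not received the current signature at all, so its lag keeps growing until someone fixes the update path.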
AMPEG Security Lighthouse is a vendor-independent tool for overall monitoring, reporting and security level management.
Matthias Helmke, Head of Infrastructure at KWS, draws attention to another point: “If auditors want to check our security level, we can offer them an immediate and incredibly concrete way of doing so. We can also prepare reports quickly for specific target groups. All this dramatically simplifies audits.”
“We are now able to show our improvements with facts and figures – we have measurements and analyses that we can pass on to management. What once was a vague gut feeling about IT security has now become specific, quantitative knowledge.”
Michael Schätzke, former Security Officer, Landesbetrieb für Statistik und Kommunikationstechnologie Niedersachsen (Lower Saxony Institute for Statistics and Communication Technology)