The BDF 4Tier is cyclical. As you go up through the tiers they build on each other and then return again. Here is another attempt to clarify the focus of each tier and how they relate to each other.
Tasks are the flesh and bones that make the tactics work. They are the things that are done at the user level and can be thought of as the operational aspects derived from the chosen tactics. If, for example, a company decides on training staff, it then has to devise tasks to accomplish that. Is it going to be online, posters, books, mentors, etc.? Here the PDCA (Plan-Do-Check-Act) cycle can be helpful, and when the tactic is audited the tasks can be looked at to see where improvements can be made.
Tactics describe the methods chosen to deal with a threat. Let's look at the big divide of training versus technology. The choice of either, or of a mix of the two, is a tactic. There are age-old arguments for all choices. Whichever is chosen, that is the tactic the company has decided to use against InfoSec threats.
An online training delivery might prove to be too cumbersome to access, too boring, too infrequent, or have a poor UX. That is an opportunity to improve a task that supports a tactic. In the end you will get a better online training facility, but your tactic of using training remains the same.
Habits are about making the tasks as automatic as possible for human and/or machine. Only by understanding which tasks are used can you look closely at them and decide how to make them more efficient for users, or whether to automate them with a machine. This step is important because it is where the InfoSec function in a company can 'sign off' activities that are already embedded, and not have to live a life of rinse / repeat / rinse / repeat firefighting.
Office documents can be saved encrypted. Doing so is a multi-step process that requires the user to create and record a password. Scripts can be written to automate this process and perhaps generate a strong random password that users can exchange in order to share documents securely.
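As an added illustration of that habit (example code written for this page, not the author's own script), the PowerShell below generates a password from a cryptographic random source and applies it as the open password of a Word document through Word's COM automation interface. It assumes Microsoft Word is installed on the machine and that the document path is your own; the path shown is a hypothetical placeholder.

```powershell
# Added example: automate "save with password" for a Word document.
# Word limits an open password to 15 characters, so that is the default length.

function New-StrongPassword {
    param([int]$Length = 15)
    # 64 unambiguous characters (no I/l/O/0), so each character carries 6 bits
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    for ($i = 0; $i -lt $Length; $i++) {
        # Rejection sampling keeps every alphabet character equally likely
        # for alphabet sizes that do not divide 256 evenly.
        do { $rng.GetBytes($buf) } while ($buf[0] -ge (256 - (256 % $alphabet.Length)))
        $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
    }
    $rng.Dispose()
    return -join $chars
}

function Protect-WordDocument {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Password
    )
    $word = New-Object -ComObject Word.Application
    $word.Visible = $false
    try {
        $doc = $word.Documents.Open((Resolve-Path $Path).Path)
        $doc.Password = $Password   # password now required to open the file
        $doc.Save()
        $doc.Close()
    } finally {
        # Always release Word, even if Open or Save throws
        $word.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
    }
}

# Usage (hypothetical path): protect the file and hand the password to the user
$pw = New-StrongPassword
Protect-WordDocument -Path 'C:\Reports\quarterly.docx' -Password $pw
Write-Output "Document protected. Pass this to the recipient over a separate channel: $pw"
```

The generated password is returned to the caller rather than stored, so the exchange between users stays a deliberate step; a 15-character password from this 64-symbol alphabet carries about 90 bits of entropy.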
Culture comes in when the other three tiers are built into the running of the company and InfoSec now has the time to devote to business strategy. At this level the company can decide its approach to market and how it can use IT to its advantage. Without the other three, there is no bandwidth for InfoSec to add value to these types of decisions. Both InfoSec and the company lose out: they remain stuck firefighting to protect information and underutilise the evolving capabilities of IT. It is culture that will set the cycle going again, because at that level it will be decided what tactics will be used to protect information and what the company's risk appetite is.
The laws and standards cut across all the tiers, but while they can provide limits and set boundaries, they should not be the aspiration but rather the base. For example, it is possible to build an exceedingly secure system that will not match some of the standards and laws. Many companies rest on the standards and laws, and as technology changes they end up becoming insecure, stymied by the recommendations and slow to exploit IT.