The BDF 4Tier is cyclical. As you go up through the tiers they build on each other and then return again. Here’s another attempt to clarify the focus of each tier and how they relate to each other.
Tasks are the flesh and bones that make the tactics work. They are the things that are done at the user level and can be thought of as the operations aspects derived from the chosen tactics.
If, for example, a company decides to train its staff, it then has to devise tasks to accomplish that. Is the training going to be online, posters, books, mentors, etc.? Here the PDCA (Plan-Do-Check-Act) cycle can be helpful: when the tactic is audited, the tasks can be examined to see where improvements can be made.
Tactics describe the methods chosen to deal with a threat. Let's look at the big divide of training vs. technology. The choice of either, or of a mix of the two, is a tactic. There are age-old arguments for all of these choices. Whichever is chosen, that is the tactic the company has decided to use against InfoSec threats.
An online training delivery might prove to be too cumbersome to access, too boring, too infrequent, or to have a poor UX. That is an opportunity to improve a task that supports a tactic. In the end you will get a better online training facility, but your tactic of using training remains the same.
Habits are about making the tasks as automatic as possible for humans and / or machines. Only by understanding which tasks are used can you look closely at them and decide how to make them more efficient for users, or whether to automate them on a machine. This step is important because it is where the InfoSec function in a company can 'sign off' activities that are already embedded, rather than living a life of rinse / repeat / rinse / repeat firefighting.
Office documents can be saved in encrypted form. Doing so is a multi-step process that requires the user to create and record a password. Scripts can be written to automate this process, and perhaps to generate a strong random password that users can exchange in order to share documents securely.
Culture comes in when the other three tiers are built into the running of the company and InfoSec now has the time to devote to business strategy. At this level the company can decide its approach to market and how it can use IT to its advantage. Without the other three tiers, there is no bandwidth for InfoSec to add value to these types of decisions; both InfoSec and the company lose out, remaining stuck at firefighting to protect information and underutilising the evolving capabilities of IT.
It is culture that sets the cycle going again, because it is at that level that the tactics used to protect information, and the company's risk appetite, are decided.
The laws and standards go across all the tiers but while they can provide limits and set boundaries, they should not be the aspiration but rather the base. For example, it is possible to build an exceedingly secure system that will not match some of the standards and laws.
Many companies rest on the standards and laws, and as technology changes they end up becoming insecure, stymied by the recommendations and slow to exploit IT.