
In IT Security, it is claimed that good security practice is made up of technology, process and people.

But how do you disentangle "Process" from "People", because people implement the process?

schroeder
daikin
  • People also use tools - wait, does that mean IT security is not technical at all? Is it all just *people*?? – schroeder Jul 23 '18 at 19:40

3 Answers

But how do you disentangle "Process" from "People", because people implement the process?

People come and go - but if there is a good Process, and reasonable documentation of that process, then the system will continue to work smoothly.

Think of Process as the road, and people as the cars. The road helps ensure that cars can go from source to destination, and (generally) avoid collisions, and have signs all along the way to direct them. As long as the road is there, the cars will keep moving; take away the road, and you've got a lot of cars going nowhere.

gowenfawr
  • So could you just say that "Process" is another word for "IT Security Policy"? – daikin Jul 23 '18 at 20:21
  • @daikin not really; IT Security Policy tells you *what* you may and may not do. Process tells you *how* to do something - the systems to use, the steps to take, notifications that should be made, where to get inputs, what to do with deliverables. – gowenfawr Jul 23 '18 at 20:27
  • OK thanks, so does that make humans policy-following drones? – daikin Jul 23 '18 at 20:36
  • @daikin of course not! Good Process can create an organized workforce that knows what to do even through normal (and sometimes abnormal!) employee turnover. Drones do what they're told to without question - Process answers the questions that help people do what they need to do. – gowenfawr Jul 23 '18 at 20:49
  • But what about something like a really convincing phishing email, or an IT security situation which is not documented? – daikin Jul 23 '18 at 21:54
  • @daikin it's unlikely there's a Process for *everything* - and that's where things like People (and especially Training People) step up. But even things like a security incident response benefit from having Process - the actual incident may vary widely, but having a plan, having designated contacts, having reporting expectations laid out ahead of time helps deal with it. People can be creative more efficiently when they don't have to make it *all* up as they go along. – gowenfawr Jul 23 '18 at 21:58

People are trained and gain experience in processes (and tools), which adds value.

People also think and imagine beyond the processes and tools to improve and evolve the way risks are assessed and treated. And they improve the processes and tools.

schroeder

The weakest link in security is people; we say this because the mistakes (intentional and unintentional) that people make are immense.

The people here could be the security professionals who implement policies, those who follow the policies, those who audit the practices, etc.

The answer to your question, "But how do you disentangle "Process" from "People", because people implement the process?", is that processes are not defined based on people. Processes follow best practices in their definition, implementation and monitoring (control).

The person who defines a process may not be the one who follows it, the people who define a standard may not be the ones who follow it, and the one auditing the practice could be yet another person. This is how the disentangling of people from process is ensured.

Sayan