IT Security Management with Surveys: Case Study

Posted by Ruth Reinicke on September 1, 2016

Regular IT security audit in the finance industry

In the second article in our series on the use of surveys for IT security, we look at a real-life case study. The company in our case study, which operates internationally in the finance sector, had in the past followed an elaborate and labour-intensive IT security audit process. The data required for the regularly produced audit was entered manually into Excel sheets from several source systems, sent to various experts by email, collected again, and finally consolidated into a report by hand. This process, and the work associated with it, was repeated for hundreds of applications. Because of the long response times and the large manual effort, weeks often passed between the survey and the analysis. The result: the information that served as the foundation for the company's internal compliance audits and for IT security reporting to external stakeholders was often several weeks old by the time it was used.

By introducing the enterprise architecture (EA) tool LeanIX, the process of collecting and documenting the audit-relevant data was greatly simplified. LeanIX offers an integrated survey workflow for quick and simple surveys about applications and other fact sheets, with the advantage that IT security surveys are always based on current data. Through the integration with the LeanIX inventory it is easy to filter out the relevant applications, for example all applications that process customer or employee data. Mechanisms such as dependent questions and calculated fields allow the surveys to be designed dynamically and the results to be visualised easily.

The IT security survey is now performed in four simple steps:

1) Design of the IT security survey
As a first step, the information security manager creates the questionnaire. The manager can use all conventional question and answer formats (text field, single choice, multiple choice, etc.) to implement the defined questions.

The manager can embed individual fact-sheet sections directly in the questionnaire. This eliminates the manual transfer of answers into the fact sheet once the survey is completed; it happens automatically.

To make the survey as intelligent as possible, the security manager uses dependent fields, which are displayed only when the respondent's answer to a previous question calls for them. This keeps the questionnaire clear and reduces processing time, since respondents only see the questions that are relevant to them.

The LeanIX Add-on Survey enables intelligent surveys, e.g. by inserting fact sheet segments and dependent questions

Fields can be calculated on the basis of the responses (e.g. values or a “no”). This makes it possible to create risk scores, for example.


Another important function used in the company's IT security update is calculated fields. These compute a numerical value from the answers provided and display it, which enables the dynamic calculation of measured variables without exporting the raw data to an external program.

2) Selection of recipients
To prepare the regular security update, the recipients have to be determined. For this survey, the bank focuses on applications that process customer or employee data.

The affected applications can easily be filtered out, as can the group of recipients. All of the employees responsible for the applications – who fulfill the “responsible” role – receive the survey.


The fact sheets and recipients that are relevant for the survey can be filtered easily.


3) Completing the survey
Now all of the respondents selected at the beginning receive the corresponding invitation via email. They can start responding to the survey at any time and, if they cannot finish the entire survey, may save their responses so far as a “draft”. The fact-sheet sections can be edited directly in the survey without opening the fact sheet itself.


Convenient completion of the IT security survey by the appropriate person.



4) Analysis of the results
When the survey is completed, all results are shown in the fact sheet and any changes are applied to it directly. The qualitative information is stored with the corresponding fact sheet in a structured format, so for audit requests or other projects the up-to-date information is always available with the relevant fact sheet. The calculated fields can be visualised as well, e.g. as a risk score.

The bank uses a risk index from 1 to 100 for its survey, where 100 is the highest risk. It is calculated automatically in each survey from the selected responses, for example: How severe are the financial consequences in the event of a system failure? Have employees formally confirmed their compliance with the security guidelines? Are there regular training sessions? Because the answers are self-reported by the application owners, the index is a prioritisation signal for the audit rather than verified evidence that a control is in place.
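The risk index described above, carried through as a worked example. This is added example code, not LeanIX's own implementation: the question set, weights, answer scales, the dependent-question gating and the sample applications are assumptions constructed for the illustration. It also covers the recipient filtering from step 2 (only applications holding customer or employee data, sent to the "responsible" role) and makes one choice the text leaves open: an applicable question left unanswered is scored as full risk and reported back, so an incomplete survey cannot look safer than a completed one.

```python
"""Survey-driven application risk index, as a worked example.

Added example, not LeanIX code. The question set, weights, answer scales,
the "depends_on" gating and the sample applications are all assumptions
constructed to mirror the case study.
"""
from typing import Dict, List, Tuple

# Constructed questionnaire. "weight" is the question's share of the index;
# "scores" maps each answer to a risk fraction in [0, 1]. A "depends_on"
# entry makes the question a dependent field: it is shown and scored only
# when the gating question has the given answer. Weight 0 marks a pure
# gating question that never contributes to the score itself.
QUESTIONS: Dict[str, dict] = {
    "uses_customer_data": {"weight": 0, "scores": {"yes": 0.0, "no": 0.0}},
    "failure_impact": {
        "weight": 40,
        "scores": {"none": 0.0, "minor": 0.25, "major": 0.6, "severe": 1.0},
    },
    "compliance_confirmed": {"weight": 30, "scores": {"yes": 0.0, "no": 1.0}},
    "regular_training": {"weight": 20, "scores": {"yes": 0.0, "no": 1.0}},
    "pii_encrypted_at_rest": {
        "weight": 10,
        "scores": {"yes": 0.0, "no": 1.0},
        "depends_on": ("uses_customer_data", "yes"),
    },
}


def is_applicable(qid: str, answers: Dict[str, str]) -> bool:
    """Dependent field: applies only if the gating answer was given."""
    gate = QUESTIONS[qid].get("depends_on")
    if gate is None:
        return True
    gate_qid, gate_answer = gate
    return answers.get(gate_qid) == gate_answer


def risk_index(answers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Calculated field: weighted risk normalised to 1..100 (100 = highest).

    Only applicable questions enter the denominator, so a dependent question
    that was never shown does not dilute the score. An applicable question
    left blank counts as full risk and is reported back to the reviewer.
    """
    weighted = 0.0
    total_weight = 0
    missing: List[str] = []
    for qid, q in QUESTIONS.items():
        if q["weight"] == 0 or not is_applicable(qid, answers):
            continue
        total_weight += q["weight"]
        answer = answers.get(qid)
        if answer in q["scores"]:
            weighted += q["weight"] * q["scores"][answer]
        else:
            missing.append(qid)
            weighted += q["weight"]  # conservative default for no answer
    return 1 + round(99 * weighted / total_weight), missing


def select_recipients(applications: List[dict]) -> Dict[str, List[str]]:
    """Step 2: survey only applications holding customer or employee data,
    addressed to whoever holds the 'responsible' role on the fact sheet."""
    in_scope: Dict[str, List[str]] = {}
    for app in applications:
        if app["data_classes"] & {"customer", "employee"}:
            in_scope[app["name"]] = [
                person for person, role in app["roles"] if role == "responsible"
            ]
    return in_scope


# Constructed sample inventory and survey responses (not real data).
APPLICATIONS = [
    {"name": "core-banking", "data_classes": {"customer"},
     "roles": [("alice", "responsible"), ("bob", "observer")]},
    {"name": "hr-portal", "data_classes": {"employee"},
     "roles": [("carol", "responsible")]},
    {"name": "build-server", "data_classes": set(),
     "roles": [("dave", "responsible")]},
]
RESPONSES = {
    "core-banking": {"uses_customer_data": "yes", "failure_impact": "severe",
                     "compliance_confirmed": "no", "regular_training": "yes",
                     "pii_encrypted_at_rest": "yes"},
    "hr-portal": {"uses_customer_data": "yes", "failure_impact": "major",
                  "compliance_confirmed": "yes",
                  "pii_encrypted_at_rest": "no"},  # training left blank
}

if __name__ == "__main__":
    for app, owners in select_recipients(APPLICATIONS).items():
        score, gaps = risk_index(RESPONSES[app])
        print(f"{app:14} owners={owners} risk={score:3d} unanswered={gaps}")
```

The build server is never surveyed because it holds neither customer nor employee data, and the blank training answer on the HR portal shows up both as a higher score and as a named gap, which is what an auditor wants to see rather than a silently lower number.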


After each survey process, all responses are stored with the fact sheet.

To understand how IT security develops over time and whether there are improvements, the risk score is shown in a LeanIX metric. By integrating the survey information with the Metrics add-on, it is easy to visualise, aggregate, and analyse the data across survey rounds.
Depiction of the risk score in a LeanIX metric


In our next post, we'll look at how to use surveys for effective IT security management. Stay tuned, or download our white paper now to learn more about how to use LeanIX Survey.

IT security management with enterprise architecture