By producing a clearly communicated Operational Requirement (OR) it can act as the framework that guides the counter-measures that can be implemented in response to any identified security risks.
Without an Operational Requirement in place it can be difficult to deliver long term, strategic measures in the most cost effective manner. Organisations become prone to ‘knee jerk’ reactions to security incidents and find it more difficult to direct investment to the most appropriate area.
The Operational Requirement provides a way of reminding the Business why certain decisions have been taken along with mapping out the path required to address particular threats and risks and counter known vulnerabilities.
The Operational Requirement is generally developed at 2 levels. Level 1 (OR1) provides the higher level strategic direction and Level 2 (OR2), the lower, more specific tactical measures. A Corporation might publish the OR1 to define it’s overriding Corporate approach to its security provision and then develop OR2’s for each individual security measure – differentiating for example between a manufacturing plant, a distribution warehouse and the Corporate Headquarters.
Conducting the Operational Requirement process will allow identification of ‘gaps’ in the current security measures and articulate the particular security needs of the business.
It will allow a structured and considered process to be undertaken and help avoid reactive purchases in response to particular incidents.