Five Steps to Jump Start Your Information Security Program


Data breaches are becoming larger, more frequent, and more costly, as shown by the Verizon Data Breach Investigations Report (DBIR) and many other reports from different security vendors. As the latest disclosure of a data breach at Target highlights, management of an information security program is a critical business function for every organization. Security professionals agree that a well-designed and sound information security program not only helps decrease the probability of data breaches but also provides a better response if an incident does happen.

While developing an information security management program for the corporate environment or for the Cloud, you can focus your attention on the following major components or domains. Most of these are also recommended by information security organizations like ISACA and ISC2 in their security certifications, as well as by standards like the ISO 27000 series.

Step One: Establish Information Security Governance

It is almost impossible to successfully manage an information security program without a proper governance structure. Governance ensures that the security program is aligned with business objectives, that information risk is effectively managed, that resources are properly utilized, and that coordination exists among stakeholders inside your organization.

When thinking about governance, at a minimum start by establishing a security steering committee comprising business and technology stakeholders. Establishing roles and a reporting structure also helps with governance.

Step Two: Create Information Security Strategy

An information security strategy that aligns with business goals is critical to the success of the program. Every part of the information security strategy must map to one or more business goals. Once the strategy is established and approved by senior management, create a roadmap for 2 to 3 years to implement the strategy.

Step Three: Risk and Compliance Management

All organizations must create a risk management process within the information security program. In addition to general security risk management, many organizations have to comply with a government or industry standard. Compliance is an essential part of overall risk management. Risk and compliance management must include a risk assessment methodology and the management of risk at all levels: people, processes, and technology.

In many cases, an education and awareness program provides the best return on investment for managing risk.

Step Four: Security Operations

Day-to-day operations include managing security technologies, log reviews, the change control process, ID administration, patching, and so on. A cloud security program should include these functions and integrate them into the overall corporate information security program.

Using metrics is essential to measure the effectiveness of security operations and to make adjustments for improvement. Metrics may differ for each organization based on its business model and governance needs.

Step Five: Incident Response Management

Last but not least, no organization is immune to security incidents. A comprehensive and tested incident response plan is essential for your information risk management program. It is prudent to establish processes for first responders, forensic investigation, evidence preservation, communication, and business continuity. In many cases, an organization may not have in-house resources for forensic investigation. A pre-established contract with an external forensic firm can be very helpful in the case of a major incident.

Conclusions

In conclusion, an established information security management program is essential to manage information risk, operations, compliance, and incident response. The program should enable the business through proper governance, control the cost of security incidents, and establish a culture of information security in any organization.
