Building an Information Security Program for the Enterprise
It is critical for all IT-dependent organizations to establish a robust and comprehensive InfoSec program at the earliest opportunity. One has only to keep an eye on the news to understand that a well-conceived information security program can make the difference between an organization remaining viable or ending up on the proverbial scrap heap of history. Not only can a single security incident shake an organization to its foundations, but the lack of a proper program can, and will, result in lost business opportunities. Here I’ll present, at the highest level, the steps required to establish an effective InfoSec program:
Meet with Senior Mgmt to Form a Security Committee and Identify Strategic Goals
All security exists at the strategic and the tactical level. The strategic level is where business needs are mapped to security initiatives, and where timelines are defined. In the modern organization, strategic information security involves the company’s security lead meeting periodically with officers of the company (or possibly the appointees of those officers) to define broad initiatives and priorities. Topics considered should include:
- Members of the Security Committee
- Identifying Customer Market Sectors with Special InfoSec Needs (e.g. HIPAA, FedRAMP, PCI-DSS, etc.)
- Standards Conformance and Audit Preparations
- Compliance, and the Responsibilities of Compliance vs. Security Teams
- Importance of Privacy Issues
- High Level Security Roadmap and Deadlines
- Organization of the InfoSec Organization (e.g. AppSec, vs. SecOps)
- Use of Virtual vs. Dedicated Teams
- Schedule for Future Security Committee Meetings (e.g. semi-annual)
Organize the Security Team
Once the Security Team characteristics have been defined by the Security Committee, the team members should be pulled together. This may involve pulling in existing personnel or hiring new personnel. Once the team has been established, ongoing, regularly-scheduled meetings should be held. Topics to be covered in those meetings should include:
- Identifying a ticketing system to use. The ticketing system should allow for prioritization of tickets, the definition of custom ticket types, the ability to organize tickets into sub-tickets, the customization of ticket status and the definition of ticket type-specific workflows
- Identifying IAM architecture and solutions for centralized user access management
- Scheduling of Periodic User Access Reviews
- Identifying Needed Policy, Process and Procedures Documents
- Defining Roles and Responsibilities
- Dealing with Internal Support Requests
- Review of the Security Committee Security Roadmap
- Identifying Initial Security Tasks and Initiatives
- Creation of a SecOps Calendar
- Creation of a SecOps Email Group
- Identifying any Needed Tools and Infrastructure
- Selecting an Existing Security Framework to Conform To
- Setting up a Shared File System
- Setting up a SecOps ChatOps Channel
- Identification and Assignment of Initial Tasks
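Two of the items above, centralized IAM and periodic user access reviews, are concrete enough to show as code. The following is an added example, not part of the original post, of what a scripted access review checks: it reconciles an IAM account export against the HR roster and an approved-privilege list, and flags orphaned accounts, accounts of terminated staff that are still enabled, dormant accounts, and privileged roles nobody approved. The data, field names and role names are constructed for illustration and do not correspond to any real directory or product.

```python
"""Periodic user access review (added example, constructed data).

Reconciles an IAM export against the HR roster and the approved-privilege
list.  All users, roles and dates below are hypothetical.
"""
from datetime import date, timedelta

# Constructed IAM export: one record per account (hypothetical field names).
IAM_ACCOUNTS = [
    {"user": "alice", "roles": ["developer"], "last_login": "2024-05-20", "enabled": True},
    {"user": "bob", "roles": ["developer", "admin"], "last_login": "2024-05-18", "enabled": True},
    {"user": "carol", "roles": ["finance"], "last_login": "2023-11-02", "enabled": True},
    {"user": "dave", "roles": ["developer"], "last_login": "2024-04-01", "enabled": True},
    {"user": "erin", "roles": ["admin"], "last_login": "2024-05-30", "enabled": True},
    {"user": "svc-backup", "roles": ["backup-operator"], "last_login": "2024-05-31", "enabled": True},
]

# Constructed HR roster: employment status per person (service accounts are not in HR).
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "active", "dave": "terminated"}

# Known service accounts, the roles considered privileged, and the
# (user, role) pairs that were formally approved at the last review.
SERVICE_ACCOUNTS = {"svc-backup"}
PRIVILEGED_ROLES = {"admin", "backup-operator"}
APPROVED_PRIVILEGED = {("bob", "admin"), ("svc-backup", "backup-operator")}


def review_access(accounts, roster, service_accounts, privileged_roles,
                  approved, today, dormant_days=90):
    """Return a sorted list of (user, finding) tuples for one review cycle."""
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # already disabled; nothing to revoke
        # Joiner/leaver reconciliation against HR.
        if user not in roster and user not in service_accounts:
            findings.append((user, "orphaned"))
        elif roster.get(user) == "terminated":
            findings.append((user, "terminated-still-enabled"))
        # Dormancy: no login within the review window.
        if date.fromisoformat(acct["last_login"]) < cutoff:
            findings.append((user, "dormant"))
        # Privilege check: every privileged role needs a recorded approval.
        for role in acct["roles"]:
            if role in privileged_roles and (user, role) not in approved:
                findings.append((user, f"unapproved-privilege:{role}"))
    return sorted(findings)


def group_by_user(findings):
    """Group findings per account so each becomes one ticket for the owner."""
    grouped = {}
    for user, finding in findings:
        grouped.setdefault(user, []).append(finding)
    return grouped


def run_sample_review():
    """Run the review over the constructed data as of a fixed review date."""
    return review_access(IAM_ACCOUNTS, HR_ROSTER, SERVICE_ACCOUNTS,
                         PRIVILEGED_ROLES, APPROVED_PRIVILEGED, date(2024, 6, 1))


if __name__ == "__main__":
    for user, items in group_by_user(run_sample_review()).items():
        print(f"{user}: {', '.join(items)}")
```

Each grouped entry maps naturally onto a ticket in the ticketing system chosen above, with the account owner as assignee and a fixed due date, so the review leaves an auditable trail rather than an e-mail thread.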
Identify Documentation Tools and Standards
TBD
Create Needed Documentation
TBD
Fine Tune Roles and Responsibilities and “Duty Rotations”
TBD
Implement Security Controls
The next step is to implement a set of security controls that address the identified risks. These controls can include technical measures (e.g., firewalls, intrusion detection systems, encryption) as well as administrative and physical controls (e.g., access management, security awareness training, physical security measures).
Effective information security is an ongoing process, not a one-time event. Implement continuous monitoring and improvement mechanisms to identify and address emerging threats, vulnerabilities, and changes in the organization’s risk profile. This may include regular security assessments, vulnerability scanning, and security awareness training for employees.
Establish Incident Response and Business Continuity Plans
It’s essential to have well-defined incident response and business continuity plans in place. These plans should outline the steps to be taken in the event of a security incident, including incident detection, containment, eradication, and recovery. Additionally, the business continuity plan should ensure that the organization can maintain critical operations and recover from disruptions.
Foster a Security-Conscious Culture
Ultimately, the success of an information security program depends on the engagement and commitment of the entire organization. Foster a security-conscious culture by promoting security awareness, encouraging employee participation in security initiatives, and ensuring that security is integrated into all aspects of the organization’s operations.
By following the steps outlined here, you can build a comprehensive and effective information security program that protects the enterprise’s critical assets, ensures compliance, and supports the organization’s overall business objectives.