An information security program consists of a set of activities, projects and initiatives to be implemented in a coordinated manner, in order to meet business objectives and realize the company’s information security strategy.
Outlined below are the steps to follow when defining an information security program.
First, determine the security outcomes expected to support the company's business operations; these can be expressed as security objectives or as a desired state of security.
It is then necessary to determine the current state of information security. A risk assessment, combined with a business impact assessment or security audits, will provide a clear understanding of the current security situation.
Subsequently, a gap analysis determines the difference between the current state and the desired state and supports the development of a security strategy aimed at reaching the desired state. A roadmap can then be produced to guide the development of the security program that will realize this strategy. This roadmap generally covers the people, processes, technology and any other required resources, and describes the approach to be followed and the steps to be taken to execute the strategy. The final step is to manage the security program effectively so that it achieves its objectives and delivers the expected results.
The security program is designed to provide an appropriate level of availability, integrity and confidentiality of company information. This program requires the involvement of various resources, but the commitment and the formal support of the organization’s management are absolutely necessary.
Here are some key elements that should be included in a security program:
- Policies, standards, procedures and security guidelines are the principal tools for guiding the implementation and management of such a program. These can be based on recognized standards, such as COBIT, ISO 27002, ITIL, etc.
- A security architecture (including people, processes and technology) to provide a framework for the effective management of the complexity that can arise during the integration of various security elements and projects.
- The classification of information assets to highlight their criticality and sensitivity.
- An appropriate risk management process which includes risk identification, evaluation and treatment, and a business impact analysis (BIA).
- An effective response to incidents and emergencies.
- An information security awareness and training program for all users.
- The involvement of a security team in the development process (Software Development Life Cycle or SDLC) of projects, as well as with change management.
- The definition and monitoring of metrics to assess the achievement of security objectives.
The information security program as a whole must have a clear assignment of roles and responsibilities in relation to security.
It should be noted that information security awareness and training are critical elements of the strategy, because users are often the weakest security link. It is therefore essential that they know and understand the policies, standards and procedures in order to adopt secure practices and be vigilant against various threats.
An awareness and training program is now required by various laws and regulations. However, evidence suggests that employees in many organizations are still not sufficiently aware. Various studies have shown that security awareness and training are an effective control for improving overall security.
Please consult the following article on the ISACA security program: