Opinion

Information Security Management: The Basics

It's one thing to establish a security program that meets the needs of your organization. It's quite another to successfully embed the principles of that program into the very DNA of your organization

By Micki Krause (et al)

Page 2

Risks. Information security governance is operational risk management. Indeed, implementing an information security governance program starts with enterprise management identifying the full scope and extent of the real risks that the enterprise is up against and creating processes for managing those risks.

It's important to understand that risk assessment is not an exact science; it simply makes it possible to decide which risks to mitigate, which to assign and which to accept.

We must keep in mind, though, that operational security risks are just some of the many issues on the CEO's mind, making it imperative to put security risk into the perspective of overall risk. In order to do this well, you need a methodology for assessing and prioritizing security risk. This methodology need not be complex or quantitative. It does, however, have to be consistent, repeatable and agreed upon by all players.

2. Implementation
Hire a qualified professional. The best-qualified professional is one who can demonstrate a particular set of competencies and skills. Above all, effective security leadership requires leadership skills and business knowledge. In the end, good security leaders are good business leaders.

Hew to business drivers. It can't be said enough that business and security must be aligned and that successful security functions are driven by business requirements. Anyone who institutionalizes a security program that is focused on business drivers can rest assured that they've built their program on a strong foundation.

Develop and sell a strategy. One sure way to frustrate people and keep security from gaining momentum is to launch a series of "one-off" security projects without purpose or direction. Success comes from developing, implementing and selling a strategy for risk management that uses the results of a thorough risk assessment.

A concentrated focus on mitigating the risks deemed top priorities should be the centerpiece of the strategy. Strategy development should encompass eight key steps: identifying and prioritizing threats; identifying weaknesses; tailoring the strategy to your company's risk profile; establishing ownership of the plan; setting realistic timeframes; considering small, phased steps; reviewing the strategy against industry-accepted standards; and demonstrating and measuring progress.

If the business understands that security can help, the sell is not as difficult. Thankfully, businesses are becoming more aware of threats to sensitive corporate information, and they are engaging security officers in their quest to secure it.

Policy, standards and processes. These are the three tenets on which an effective security program is founded. It's incumbent on the organization to help personnel make the right decisions by providing formally documented policies and guidelines that are clear and concise.
