Opinion
Information Security Management: The Basics
It's one thing to establish a security program that meets the needs of your organization. It's quite another to successfully embed the principles of that program into the very DNA of your organization
By Micki Krause (et al)
As important as policies are, however, they are only as good as their relevance to the management of operational risk. Strong security programs don't implement a specific control because policy says so; rather, they implement it because the executive team has set that direction. The policy serves as the method of communicating that message.
3. Monitor/measurement
Measure effectiveness. Security policies are not worth the paper they're written on unless they are enforced. Policy enforcement requires that everyone in the company knows the requirements and understands their role in complying with those requirements. In addition, compliance must be routinely monitored, and non-compliance must result in corrective action. Simply put, there's no reasonable assurance of the effectiveness of security and controls unless they are monitored and measured.
Establishing a security program that meets the needs of your organization is a daunting but doable task. By following a structured approach that involves assessment, implementation and monitoring - and builds on a foundation of business-oriented organizational, operational and managerial concerns - any enterprise will have the tools it needs to succeed.
Micki Krause is co-editor (with Harold Tipton) of the Information Security Management Handbook, Sixth Edition (ISC2 Press). This article draws from chapters contributed by Steve Skolochenko, Lynn McNulty, Dr. Don Saracco, Harry DeMaio, Joyce Brocaglia, Todd Fitzgerald, Rolf Moulton and Robert Coles, Bill Murray, James Christiansen, Michael Corby and Vaune Carr, Billi Lee, Peter Browne and Steve Katz, Randy Sanovic, Howard Schmidt, Rebecca Herold, and Mark Rasch.