A 13-point plan for starting a strategic security group

Stan Gatewood, CISO of the University of Georgia, suggests the following steps to set up a newor newly strategicinformation security program.

1. Identify executive leadership. An executive sponsor needs to champion the new strategic security program.

2. Select a point person. The CISO or another information security leader should manage day-to-day activities.

3. Define and prioritize goals. Try to tie business objectives to security objectives.

4. Establish a review mechanism. A process review board with executives from information technology, physical security, human resources, legal, audit and information security will evaluate and approve security initiatives.

5. Assess the current state of security. Look at policies, processes, guidelines, standards, existing technology (both hardware and software), training and education.

6. Establish (or re-establish) the security organization. This group should focus on information security, not just the narrower confines of information technology security.

7. Revise existing policies and develop new ones as needed. This might include an acceptable-use policy and minimal security configuration for any device on a network.

8. Assemble implementation teams. Pull together cross-functional teams made up of technical and nontechnical employees to hammer out plans for new policies, procedures, initiatives and tools.

9. Have the executive security review board endorse the plans. This group should consider budget, timing and prioritization.

10. Review the technical feasibility. This should be done by a technical security review board with representatives from the office of the CIO and CTO, plus operations staff, production services and support staff.

11. Assign, schedule, execute and discuss deliverables. Give individuals or teams clear responsibilities and time lines.

12. Put everyone to work on the strategic plan. Everyone in the information security department should be able to introduce strategic security objectives and explain how projects are contributing to a mutual goal.

13. Measure outcomes with metrics. IT security metrics must be based on goals and objectives to realize true decision making and improved performance.