Executives commonly ask, "How well are we protected, and what should we be doing to improve our program?" A recent security-related event inside an organization or a heightened awareness of security in general can prompt this question. Regardless of the reasons for starting a formal program, you should follow a structured methodology to guide your program. Although this is true in any critical business process, it's especially important in information security. By following a structured methodology, you can obtain results that are more predictable.
A structured methodology is similar to a therapy regimen prescribed by your doctor when recovering from an illness or accident. In this case, the illness might be a non-existent or weak information security program, and an accident might equate to an information security incident.
You should first step back and determine the business objectives that you want to support with your information security program. Evaluate the effectiveness of your existing program and determine where you would like it to be in the future. Aligning your security policies closely with your business strategy enables your company to achieve its objectives without hindrance because your staff is less likely to circumvent security measures that seriously impede them from achieving your core business goals.
The next step is the gap analysis -- comparing where you are to where you want to be and examining the alternative methods to achieving those objectives. The investment you are willing to make in your program will determine its extent and the time necessary to put it in place. Again, keep in mind that this is a continuous process and you will need to update your information security program as your business environment changes.
Read the full chapter.
This was first published in April 2005