Steps in the information security program life cycle

This is the third article in the Information Security Governance Guide.

A information security program is the set of controls that an organization must govern. It is important to understand that a security program has a continuous life cycle that should be constantly evaluated and improved upon otherwise inconsistent efforts open the organization to increased risk.

There are different ways of describing a life cycle of any process. We will use the following steps:

• Plan and organize
• Implement
• Operate and maintain
• Monitor and evaluate

• Written policies and procedures that are not mapped to and supported by security activities
• Severe disconnect and confusion between the different individuals throughout the organization attempting to protect company assets
• No way of assessing progress and ROI of spending and resource allocation
• No way of fully understanding the security program deficiencies and having a standardized way of improving upon the deficiencies
• No assurance of compliance to regulations, laws or policies
• Relying fully on technology as all security solutions
• Patchwork of point solutions and no holistic enterprise solution

More on security governance In this tip, Michael Cobb explains how to keep a network security strategy aligned with its business goals. Visit our resource center for news, tips and expert advice on information security governance.

Without applying a life cycle approach to a information security program and the security management that maintains the program, an organization is doomed to treating security as a project. Anything that is treated as a project has a start and stop date, and at the stop date everyone disperses to other projects. Many organizations have good intentions in their security program kickoffs, but do not implement the proper structure to ensure that security management is an on-going and continually improving process. The result is a lot of starts and stops, and repetitive work that costs more than it should with diminishing results.

The main components of each phase are outlined below:

• Plan and organize
  • Establish management commitment
  • Establish oversight committee
  • Assess business drivers
  • Carry out a threat profile on the organization
  • Carry out a risk assessment
  • Develop security architectures at an organizational, application, network and component level
  • Identify solutions per architecture level
  • Obtain management approval to move forward
• Implement
  • Assign roles and responsibilities
  • Develop and implement security policies, procedures, standards, baselines and guidelines
  • Identify sensitive data at rest and in transit
  • Implement programs
    • Asset identification and management
    • Risk management
    • Vulnerability management
    • Compliance
    • Identity management and access control
    • Change control
    • Software development life cycle
    • Business continuity planning
    • Awareness and training
    • Physical security
    • Incident response
  • Implement solutions per program
  • Develop auditing and monitoring solutions per program
  • Establish goals and metrics per program
• Operate and Maintain
  • Follow procedures to ensure that all baselines are met in each implemented program
  • Carry out internal and external audits
  • Carry out tasks outlined per program
  • Manage service level agreements per program
• Monitor and evaluate
  • Review logs, audit results, collected metric values and SLAs per program
  • Assess goal accomplishments per program
  • Carry out quarterly meetings with steering committee
  • Develop improvement steps and integrate into the plan and organize phase

Information Security Governance Guide
  What is information security governance?
  Key elements when building an information security program
  Steps in the information security program life cycle
  Developing an information security program using SABSA, ISO 17799

About the author:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk Management Strategies Database patch denial: How 'critical' are Oracle's CPUs? Security breach management: Planning and preparation The ins and outs of database encryption Failure mode and effects analysis: Process and system risk assessment Data loss prevention (DLP) tools: The new way to prevent identity theft? IT GRC: Combining disciplines for better enterprise security Partner access: Balancing security and availability Enterprise data management: Analyzing business processes and infrastructure for data protection Filtering log data: Looking for the needle in the haystack Guide to passing PCI's five toughest requirements Creating and Managing Information Security Policies Security Awareness Training Essential Part of Infosec Program How to lock down instant messaging in the enterprise Worst practices: Bad security incidents to avoid Thompson calls for marriage of data and security management Companies Collecting Too Much Customer Data Increase Exposure Interview: Arizona CISO David VanderNaalt Incident response success in five quick steps Social networking Web site threats manageable with good enterprise policy IT GRC: Combining disciplines for better enterprise security Security management in 2008: What's in store Creating and Managing Information Security Policies Research Creating a Security Culture Security Awareness Training Essential Part of Infosec Program Societe Generale bolsters internal controls, discovers second insider Companies still monitoring email manually, survey finds Trading firms rethink risk strategy Security, Privacy Offices Must Combine Resources Building information risk management frameworks: Developing controls for people, processes and technology Security Metrics: Replacing Fear, Uncertainty, and Doubt Mergers and acquisitions: Building up security after an M&A Do personal issues within a company pose a risk to the enterprise? What is the best organizational model for an IT security staff? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.