Steps in the information security program life cycle

This is the third article in the Information Security Governance Guide.

A information security program is the set of controls that an organization must govern. It is important to understand that a security program has a continuous life cycle that should be constantly evaluated and improved upon otherwise inconsistent efforts open the organization to increased risk.

There are different ways of describing a life cycle of any process. We will use the following steps:

• Plan and organize
• Implement
• Operate and maintain
• Monitor and evaluate

• Written policies and procedures that are not mapped to and supported by security activities
• Severe disconnect and confusion between the different individuals throughout the organization attempting to protect company assets
• No way of assessing progress and ROI of spending and resource allocation
• No way of fully understanding the security program deficiencies and having a standardized way of improving upon the deficiencies
• No assurance of compliance to regulations, laws or policies
• Relying fully on technology as all security solutions
• Patchwork of point solutions and no holistic enterprise solution

Without applying a life cycle approach to a information security program and the security management that maintains the program, an organization is doomed to treating security as a project. Anything that is treated as a project has a start and stop date, and at the stop date everyone disperses to other projects. Many organizations hav...

The main components of each phase are outlined below:

• Plan and organize
  • Establish management commitment
  • Establish oversight committee
  • Assess business drivers
  • Carry out a threat profile on the organization
  • Carry out a risk assessment
  • Develop security architectures at an organizational, application, network and component level
  • Identify solutions per architecture level
  • Obtain management approval to move forward
• Implement
  • Assign roles and responsibilities
  • Develop and implement security policies, procedures, standards, baselines and guidelines
  • Identify sensitive data at rest and in transit
  • Implement programs
    • Asset identification and management
    • Risk management
    • Vulnerability management
    • Compliance
    • Identity management and access control
    • Change control
    • Software development life cycle
    • Business continuity planning
    • Awareness and training
    • Physical security
    • Incident response
  • Implement solutions per program
  • Develop auditing and monitoring solutions per program
  • Establish goals and metrics per program
• Operate and Maintain
  • Follow procedures to ensure that all baselines are met in each implemented program
  • Carry out internal and external audits
  • Carry out tasks outlined per program
  • Manage service level agreements per program
• Monitor and evaluate
  • Review logs, audit results, collected metric values and SLAs per program
  • Assess goal accomplishments per program
  • Carry out quarterly meetings with steering committee
  • Develop improvement steps and integrate into the plan and organize phase

About the author:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Risk Management Strategies,   Information Security Management,   Information Security Policies, Procedures and Guidelines,   Security Awareness Training and Internal Threats,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk Management Strategies How to justify information security spending on cloud computing How to protect distributed information flows Black box and white box testing: Which is best? Breach prevention: How to keep track of data and applications Information security management hype: Debunking best practices Monitoring program data and internal controls for risk management Cloud computing security: Choosing a VPN type to connect to the cloud Cloud computing security: Routing and DNS security threats Cloud computing security model overview: Network infrastructure issues How to align an information security framework to your business model Information Security Policies, Procedures and Guidelines Health Net breach failure of security policy, technology How to protect distributed information flows Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says Security Awareness Training and Internal Threats Health Net breach failure of security policy, technology Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Secure your remote users in 2010 Layoffs prompt insider threat fears, cybersecurity survey finds How to use Internet security threat reports Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.