Key elements when building an information security program

This is the second article in SearchSecurity.com's Information Security Governance Guide.

For there to be security governance, there must be something to govern. The collection of the controls that an organization needs to have in place is collectively referred to as a security program.

In reality it may be easier to say what is not in a security program than what is in one. Every organization's security program is different, because each organization has its own threats, risks, business drivers and compliance requirements. But even though every security program is different, they are usually made up of the same elements, as shown in the following illustration.

Most organizations do not fully understand what a security program is, what goes into it and how to build it. We can look to the industry's best practices for some guidance. The guideline most commonly used around the world to build security programs is ISO 17799, which was derived from the de facto standard British Standard 7799 (BS 7799). It is an internationally recognized information security management standard that provides high-level, conceptual recommendations on enterprise security. It consists of two parts. Part 1 is an implementation guide with guidelines on how to build a comprehensive information security infrastructure. Part 2 is an auditing guide based on requirements that must be met for an organization to be deemed compliant with ISO 17799. The document is broken down into the following components, which should comprise a security program:

• Information security policy for the organization -- Map of business objectives to security, management's support, security goals and responsibilities.
• Organizational security -- Create and maintain an organizational security structure through the use of security forum, security officer, defining security responsibilities, authorization process, outsourcing and independent review.
• Asset classification and control -- Develop a security infrastructure to protect organizational assets through accountability and inventory, classification and handling procedures.
• Personnel security -- Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly and documenting the ramifications of not meeting expectations.
• Physical and environmental security -- Protect the organization's assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control and protecting equipment.
• Communications and operations management -- Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management and media handling.
• Access control -- Control access to assets based on business requirements, identity management, authentication methods and monitoring.
• System development and maintenance -- Implement security in all phases of a system's lifetime through development, implementation, maintenance and disposal.
• Business continuity management -- Counter disruptions of normal operations by using continuity planning and testing.
• Compliance -- Comply with regulatory, contractual and statutory requirements by using technical controls, system audits and legal awareness.

A security program should use a top-down approach, meaning that the initiation, support and direction come from top management and work their way through middle management, and then to staff members. In contrast, a bottom-up approach refers to a situation in which the IT department tries to develop a security program without getting proper management support and direction. A bottom-up approach is always less effective, not broad enough and doomed to fail. It is also usually fully focused on technology, and many of the security management controls are missing. A top-down approach makes sure that the people actually responsible for protecting the company's assets (senior management) are driving the program.

Information Security Governance Guide
  What is information security governance?
  Key elements when building an security program
  Steps in the security program life cycle
  Developing an information security program using SABSA, ISO 17799

About the author:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk Management Strategies Database patch denial: How 'critical' are Oracle's CPUs? Security breach management: Planning and preparation The ins and outs of database encryption Failure mode and effects analysis: Process and system risk assessment Data loss prevention (DLP) tools: The new way to prevent identity theft? IT GRC: Combining disciplines for better enterprise security Partner access: Balancing security and availability Enterprise data management: Analyzing business processes and infrastructure for data protection Filtering log data: Looking for the needle in the haystack Guide to passing PCI's five toughest requirements Creating and Managing Information Security Policies Security Awareness Training Essential Part of Infosec Program How to lock down instant messaging in the enterprise Worst practices: Bad security incidents to avoid Thompson calls for marriage of data and security management Companies Collecting Too Much Customer Data Increase Exposure Interview: Arizona CISO David VanderNaalt Incident response success in five quick steps Social networking Web site threats manageable with good enterprise policy IT GRC: Combining disciplines for better enterprise security Security management in 2008: What's in store Creating and Managing Information Security Policies Research Management Support for Information Security Results Chain for Information Security and Assurance Information Security Blueprint Learn from NIST: Best practices in security program management CISOs adapt as compliance requires strategic thinking The New School of Information Security Security, Privacy Offices Must Combine Resources E-discovery management: How IT should interact with the legal team IT GRC: Combining disciplines for better enterprise security Security Wire Weekly: Shrinking IT security budgets Are there security management products that can track compliance objectives? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.