Key elements when building an information security program

This is the second article in SearchSecurity.com's Information Security Governance Guide.

For there to be security governance, there must be something to govern. The collection of the controls that an organization needs to have in place is collectively referred to as a security program.

In reality it may be easier to say what is not in a security program than what is in one. Every organization's security program is different, because each organization has its own threats, risks, business drivers and compliance requirements. But even though every security program is different, they are usually made up of the same elements, as shown in the following illustration.

Most organizations do not fully understand what a security program is, what goes into it and how t...

BROWSE BY TAG Risk Management Strategies,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   Business Management: Security Support and Executive Communications,   VIEW ALL TAGS

RELATED CONTENT Risk Management Strategies Cloud computing in 2010: Be ready for risk management challenges How to justify information security spending on cloud computing How to protect distributed information flows Black box and white box testing: Which is best? Breach prevention: How to keep track of data and applications Information security management hype: Debunking best practices Monitoring program data and internal controls for risk management Cloud computing security: Choosing a VPN type to connect to the cloud Cloud computing security: Routing and DNS security threats Cloud computing security model overview: Network infrastructure issues Information Security Policies, Procedures and Guidelines Schneier-Ranum face-off part 6: Audience questions Editor's Desk: Apathy and the Cybersecurity Coordinator Writing security policies using a taxonomy-based approach How to detect and respond to money laundering Health Net breach failure of security policy, technology How to protect distributed information flows Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Business Management: Security Support and Executive Communications Schneier-Ranum face-off, part 3: Compliance and security Cost of security, IT management add up at healthcare facilities, study finds Secure your remote users in 2010 Layoffs prompt insider threat fears, cybersecurity survey finds How to use Internet security threat reports Aligning network security with business priorities IT business justification to limit network access RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Risk management must include physical-logical security convergence

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

o build it. We can look to the industry's best practices for some guidance. The guideline most commonly used around the world to build security programs is ISO 17799, which was derived from the de facto standard British Standard 7799 (BS 7799). It is an internationally recognized information security management standard that provides high-level, conceptual recommendations on enterprise security. It consists of two parts. Part 1 is an implementation guide with guidelines on how to build a comprehensive information security infrastructure. Part 2 is an auditing guide based on requirements that must be met for an organization to be deemed compliant with ISO 17799. The document is broken down into the following components, which should comprise a security program:

• Information security policy for the organization -- Map of business objectives to security, management's support, security goals and responsibilities.
• Organizational security -- Create and maintain an organizational security structure through the use of security forum, security officer, defining security responsibilities, authorization process, outsourcing and independent review.
• Asset classification and control -- Develop a security infrastructure to protect organizational assets through accountability and inventory, classification and handling procedures.
• Personnel security -- Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly and documenting the ramifications of not meeting expectations.
• Physical and environmental security -- Protect the organization's assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control and protecting equipment.
• Communications and operations management -- Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management and media handling.
• Access control -- Control access to assets based on business requirements, identity management, authentication methods and monitoring.
• System development and maintenance -- Implement security in all phases of a system's lifetime through development, implementation, maintenance and disposal.
• Business continuity management -- Counter disruptions of normal operations by using continuity planning and testing.
• Compliance -- Comply with regulatory, contractual and statutory requirements by using technical controls, system audits and legal awareness.

A security program should use a top-down approach, meaning that the initiation, support and direction come from top management and work their way through middle management, and then to staff members. In contrast, a bottom-up approach refers to a situation in which the IT department tries to develop a security program without getting proper management support and direction. A bottom-up approach is always less effective, not broad enough and doomed to fail. It is also usually fully focused on technology, and many of the security management controls are missing. A top-down approach makes sure that the people actually responsible for protecting the company's assets (senior management) are driving the program.

About the author:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.