This is the second article in SearchSecurity.com's Information Security Governance Guide.
For there to be security governance, there must be something to govern. The collection of the controls that an organization needs to have in place is collectively referred to as a security program.
In reality it may be easier to say what is not in a security program than what is in one. Every organization's security program is different, because each organization has its own threats, risks, business drivers and compliance requirements. But even though every security program is different, they are usually made up of the same elements, as shown in the following illustration.
Most organizations do not fully understand what a security program is, what goes into it and how to build it. We can look to the industry's best practices for some guidance. The guideline most commonly used around the world to build security programs is ISO 17799, which was derived from the de facto standard British Standard 7799 (BS 7799). It is an internationally recognized information security management standard that provides high-level, conceptual recommendations on enterprise security. It consists of two parts. Part 1 is an implementation guide with guidelines on how to build a comprehensive information security infrastructure. Part 2 is an auditing guide based on requirements that must be met for an organization to be deemed compliant with ISO 17799. The document is broken down into the following components, which should comprise a security program:
- Information security policy for the organization -- Map of business objectives to security, management's support, security goals and responsibilities.
- Organizational security -- Create and maintain an organizational security structure through the use of security forum, security officer, defining security responsibilities, authorization process, outsourcing and independent review.
- Asset classification and control -- Develop a security infrastructure to protect organizational assets through accountability and inventory, classification and handling procedures.
- Personnel security -- Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly and documenting the ramifications of not meeting expectations.
- Physical and environmental security -- Protect the organization's assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control and protecting equipment.
- Communications and operations management -- Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management and media handling.
- Access control -- Control access to assets based on business requirements, identity management, authentication methods and monitoring.
- System development and maintenance -- Implement security in all phases of a system's lifetime through development, implementation, maintenance and disposal.
- Business continuity management -- Counter disruptions of normal operations by using continuity planning and testing.
- Compliance -- Comply with regulatory, contractual and statutory requirements by using technical controls, system audits and legal awareness.
A security program should use a top-down approach, meaning that the initiation, support and direction come from top management and work their way through middle management, and then to staff members. In contrast, a bottom-up approach refers to a situation in which the IT department tries to develop a security program without getting proper management support and direction. A bottom-up approach is always less effective, not broad enough and doomed to fail. It is also usually fully focused on technology, and many of the security management controls are missing. A top-down approach makes sure that the people actually responsible for protecting the company's assets (senior management) are driving the program.
Information Security Governance Guide
What is information security governance?
Key elements when building an security program
Steps in the security program life cycle
Developing an information security program using SABSA, ISO 17799
About the author: Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.