Creating a formal information security program

This excerpt is from Chapter 3, Developing Your Information Security Program of "Executive Guide to Information Security: Threats, Challenges and Solutions" written by Mark Egan with Tim Mather, and published by Symantec Press.

This excerpt from The Executive Guide to Information Security: Threats, Challenges and Solutions by Mark Egan and Tim Mather is available from Symantec Press for $35.99. 

Executives commonly ask, "How well are we protected, and what should we be doing to improve our program?" A recent security-related event inside an organization or a heightened awareness of security in general can prompt this question. Regardless of the reasons for starting a formal program, you should follow a structured methodology to guide your program. Although this is true in any critical business process, it's especially important in information security. By following a structured methodology, you can obtain results that are more predictable.

A structured methodology is similar to a therapy regimen prescribed by your doctor when recovering from an illness or accident. In this case, the illness might be a non-existent or weak information security program, and an accident might equate to an information security incident.

Infosec Bookshelf

Read the full chapter

Check out a review of the book

View SearchSecurity's bookshelf for more excerpts and review

You should first step back and determine the business objectives that you want to support with your information security program. Evaluate the effectiveness of your existing program and determine where you would like it to be in the future. Aligning your security policies closely with your business strategy enables your company to achieve its objectives without hindrance because your staff is less likely to circumvent security measures that seriously impede them from achieving your core business goals.

The next step is the gap analysis -- comparing where you are to where you want to be and examining the alternative methods to achieving those objectives. The investment you are willing to make in your program will determine its extent and the time necessary to put it in place. Again, keep in mind that this is a continuous process and you will need to update your information security program as your business environment changes.

This was last published in April 2005

Dig Deeper on Information security policies, procedures and guidelines