Wednesday, 6 June 2012

Information Security Program

This is part of a series of articles about the subject matter common to the CISA, CISM and CISSP certifications

Definitions (source Deloitte)

Information Security Program - An information security program is the comprehensive, organized collection of documented artefacts and processes that are used to continuously deliver information security across the enterprise

Information Security Program Framework - The information security program framework is the superset of the information security framework, the information security drivers and the information security services that describe and control all of the elements of information security for the enterprise

Information Security Strategy - An information security strategy is a documented specification that links all necessary organizational, technical and administrative information security controls to a strategic combination of business drivers, legal requirements, threat scenarios and design to ensure information security is operationally integrated with the overall IT architecture, business processes and business culture

Information Security Program

Achieving acceptable levels of information security whilst retaining value for money depends on good planning, an effective information security strategy and capable management. An information security program serves to:
  • Protect information assets
  • Satisfy regulatory obligations
  • Minimise potential legal and liability exposures

The information security program is the process used by an organisation to implement and make operational the Information Security Strategy. It consists of the processes that achieve the objectives of the strategy, and it ensures that security systems are designed, engineered, built, deployed, changed, managed and maintained, and finally decommissioned.

For it to be effective it must have well-defined goals that are specific, objective and measurable. The metrics must be appropriate and capable of being used to determine whether a goal has been achieved; where a goal was missed they should indicate by how far it was missed and how performance can be improved. This allows gap analysis to be used in auditing the program.

Implementing

The use of standard frameworks such as COBIT or ISO/IEC 27001, in conjunction with a capability maturity model (CMM) scale, allows the information security manager to determine the current position, set specific goals and determine a strategy to meet them. Senior management or the board must approve the objectives, and there has to be top-down buy-in (from senior management) to the information security strategy and program. Senior management approving and buying into information security should ensure that the strategy and program are aligned with business objectives.

Steps in developing an Information Security Program
  1. Determine desired outcomes for information security
  2. Define the desired state (objectives) for information security
  3. Determine the current state of information security
  4. Perform a gap analysis between the current and desired states
  5. Develop a strategy to close the gaps identified
  6. Create a road map for the delivery of the strategy
  7. Develop a program to implement the strategy
  8. Manage the program to ensure objectives and desired outcomes are achieved

Management of an information security program

The management of the information security program lends itself to the concepts and methodologies of a Total Quality Management (TQM) system. TQM is based on the Deming cycle of Plan – Do – Check – Act (PDCA), an iterative four-step management method used in business for the control and continuous improvement of processes and products.
  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
  • The Do phase involves implementing and operating the controls.
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
