Tuesday, May 09, 2006

A 13-point plan for starting a strategic security group

Stan Gatewood, CISO of the University of Georgia, suggests the following steps to set up a new—or newly strategic—information security program.

1. Identify executive leadership. An executive sponsor needs to champion the new strategic security program.

2. Select a point person. The CISO or another information security leader should manage day-to-day activities.

3. Define and prioritize goals. Try to tie business objectives to security objectives.

4. Establish a review mechanism. A process review board with executives from information technology, physical security, human resources, legal, audit and information security will evaluate and approve security initiatives.

5. Assess the current state of security. Look at policies, processes, guidelines, standards, existing technology (both hardware and software), training and education.

6. Establish (or re-establish) the security organization. This group should focus on information security, not just the narrower confines of information technology security.

7. Revise existing policies and develop new ones as needed. This might include an acceptable-use policy and minimal security configuration for any device on a network.

8. Assemble implementation teams. Pull together cross-functional teams made up of technical and nontechnical employees to hammer out plans for new policies, procedures, initiatives and tools.

9. Have the executive security review board endorse the plans. This group should consider budget, timing and prioritization.

10. Review the technical feasibility. This should be done by a technical security review board with representatives from the office of the CIO and CTO, plus operations staff, production services and support staff.

11. Assign, schedule, execute and discuss deliverables. Give individuals or teams clear responsibilities and time lines.

12. Put everyone to work on the strategic plan. Everyone in the information security department should be able to introduce strategic security objectives and explain how projects are contributing to a mutual goal.

13. Measure outcomes with metrics. IT security metrics must be based on goals and objectives to realize true decision making and improved performance.

No comments:

Blog Archive

About Me

Choose Dyrand Systems as your virtual IT department and focus on growing your business—not on the technology that supports it. You deserve peace of mind when it comes to IT. When you choose Dyrand, you’re choosing more than just an IT firm—you’re choosing an extension of your own team.