Defining an Information Security Program
An information security program consists of a set of activities, projects, and initiatives to be implemented in a coordinated manner, to meet business objectives and realize the company’s information security strategy. Outlined below are the steps to follow when defining an information security program.
First, determine the security outcomes expected to support the company’s business operations. These can be expressed as security objectives or as a desired state in terms of security.
Next, determine the current state of information security. A risk assessment, combined with a business impact assessment or security audits, provides a clear picture of the current security situation.
A gap analysis then determines the difference between the current state and the desired state and supports the development of a security strategy aimed at reaching the desired state. A roadmap can be produced to guide the development of the security program that will realize this strategy. The roadmap generally covers the people, processes, technology, and any other required resources, and it describes the approach to be followed and the steps to be taken to execute the strategy. The final step is to manage the security program effectively so that it achieves its objectives and delivers the expected results.
The security program is designed to provide an appropriate level of availability, integrity, and confidentiality for company information. It draws on a range of resources, but above all it requires the commitment and formal support of the organization’s management.
Here are some key elements that should be included in a security program:
Policies, standards, procedures, and security guidelines are the principal tools for guiding the implementation and management of such a program. These can be based on recognized standards, such as NIST, ISO 27002, ITIL, etc.
A security architecture (including people, processes, and technology) to provide a framework for the effective management of the complexity that can arise during the integration of various security elements and projects.
The classification of information assets to highlight their criticality and sensitivity.
An appropriate risk management process which includes risk identification, evaluation and treatment, and a business impact analysis (BIA).
An effective response to incidents and emergencies.
A security awareness training program for all users.
The involvement of a security team in the development process (Software Development Life Cycle or SDLC) of projects, as well as with change management.
The definition and monitoring of metrics to assess the achievement of security objectives.
The information security program as a whole must have a clear assignment of roles and responsibilities concerning security.
It should be noted that information security awareness training is a critical element of the strategy because users are often the weakest security link. It is therefore essential that they know and understand the policies, standards, and procedures to adopt secure practices and be vigilant against various threats.
An awareness and training program is now required by various laws and regulations. However, evidence suggests that employees in many organizations are still not sufficiently aware. Various studies have shown that cybersecurity awareness training is among the more effective controls for improving overall security.