Establishing an information security program can be like putting a puzzle together. Countless pieces must be sorted through, identified, and put in their correct place. And it’s always harder at the beginning, when there are so many pieces and so many of them look alike.
But no matter how simple or complex the puzzle is, it is much easier to organize when a picture of the finished product is available to refer to.
The same goes for an information security program.
The good news is that while there is not yet an “infosec-in-a-box” solution containing all the components of an information security program, all good information security programs share a number of key components. By using these components as a guide, organizations can develop their own information security program with confidence that it, too, will succeed.
This article will outline the 10 essential components of any information security program:
Information security is considered an essential corporate investment.
Competition for resources is fierce in today’s business environment. And information security is, admittedly, a significant cost.
But a security breach can cost even more. Conducting a security risk analysis can help organizations determine the appropriate level of investment in an information security program.
The CEO owns the security program.
For better or for worse, the buck stops at the top. That makes sense, given that government and industry regulations are increasingly holding CEOs accountable for a widening range of business issues, including security.
But getting buy-in from the CEO isn’t just about covering bases. It’s also about setting the tone for the rest of the organization. It’s about demonstrating that security is everyone’s responsibility.
A senior-level executive serves as information security leader.
Keeping an organization secure requires constant vigilance, knowledge and skill, and the authority to act as needed to protect information assets. It requires leadership from a high-level executive who reports directly to the CEO or COO and is supported by an information security organization composed of experienced, certified security professionals.
A cross-functional information security governance board is established.
Information security doesn’t impact only IT. It also affects legal and HR as well as facilities and other business units.
Consequently, an information security program must be defined and governed by its stakeholders — senior-level representatives of departments throughout the organization.
Metrics are set to manage the program.
To ensure that an information security program is improving over time, it is important to put together a set of quantitative measures to monitor progress — and hold the security organization accountable for achieving them.
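The article asks for quantitative measures without naming any. As an added example (not code from the article or from Symantec), the script below computes two measures commonly used to hold a security organization accountable: mean time to remediate per severity, and the share of findings closed within a remediation SLA. The SLA targets, the findings register, and the reporting date are all constructed for illustration; the point worth noting is that an open finding older than its target is counted as a breach, so the compliance figure cannot be improved by simply never closing a ticket.

```python
"""Security program metrics over a findings register.

Added example, not from the article. It computes two quantitative measures
of the kind the article calls for: mean time to remediate (MTTR) per
severity, and the share of findings closed within an SLA. The SLA targets,
the findings, and the reporting date are constructed for illustration.
"""
from datetime import date
from statistics import mean

# Assumed remediation targets in days per severity (constructed).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Reporting date for the examples below (constructed).
AS_OF = date(2024, 3, 15)

# Constructed findings register; closed=None means still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": date(2024, 1, 2),  "closed": date(2024, 1, 6)},
    {"id": "F-2", "severity": "critical", "opened": date(2024, 1, 10), "closed": date(2024, 1, 25)},
    {"id": "F-3", "severity": "high",     "opened": date(2024, 1, 3),  "closed": date(2024, 1, 20)},
    {"id": "F-4", "severity": "high",     "opened": date(2024, 2, 1),  "closed": None},
    {"id": "F-5", "severity": "medium",   "opened": date(2024, 1, 15), "closed": date(2024, 2, 10)},
]


def age_days(finding: dict, as_of: date) -> int:
    """Days the finding was open: to closure, or to the reporting date if still open."""
    end = finding["closed"] or as_of
    return (end - finding["opened"]).days


def mttr_by_severity(findings, as_of: date) -> dict:
    """Mean days to remediate, per severity, over closed findings only.

    Open findings have no remediation time yet, so they are left out here;
    the optimistic bias that introduces is exactly why sla_compliance()
    counts them as breaches once they pass their target."""
    buckets = {}
    for f in findings:
        if f["closed"] is not None:
            buckets.setdefault(f["severity"], []).append(age_days(f, as_of))
    return {sev: mean(days) for sev, days in buckets.items()}


def sla_compliance(findings, as_of: date) -> dict:
    """Per severity: (findings within SLA, total findings).

    An open finding older than its SLA counts as a breach even though it has
    no close date, so the metric cannot be gamed by leaving tickets open."""
    result = {}
    for f in findings:
        sev = f["severity"]
        met, total = result.get(sev, (0, 0))
        within = age_days(f, as_of) <= SLA_DAYS[sev]
        result[sev] = (met + int(within), total + 1)
    return result


if __name__ == "__main__":
    for sev, days in mttr_by_severity(FINDINGS, AS_OF).items():
        print(f"MTTR {sev:9s} {days:5.1f} days")
    for sev, (met, total) in sla_compliance(FINDINGS, AS_OF).items():
        print(f"SLA  {sev:9s} {met}/{total} within {SLA_DAYS[sev]} days")
```

Run it as a script to print both tables; a real program would replace the constructed register with an export from its ticketing or vulnerability-management system and report the figures to the governance board on a fixed cadence.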
An ongoing security improvement program is in place.
The security threat landscape changes constantly, and an information security program must constantly be measured, improved, and managed to keep it effective.
The program builds over time.
Information security programs can take years to implement. They start with the basics, then grow by adding more people, processes, and technologies as business and security needs demand.
Independent reviews of the program are conducted.
For years, public companies have undergone independent audits of their financial controls to validate their business practices and procedures. Security audits should be handled in the same way.
No matter how efficiently an organization thinks its information security program is operating, it is important to have third-party validation.
The computing environment is separated into zones.
Separating the computing environment into zones, from the most external zone (the Internet) through the extranet and intranet to the mission-critical zone, helps isolate restricted and critical systems.
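The article names the zones but does not say how traffic between them should be governed. As an added example (not code from the article or from Symantec), the script below models the four zones as ordered tiers and checks a proposed set of cross-zone rules against two assumed principles: default deny between zones, and no rule that lets traffic jump more than one tier inward. The rule set and ports are constructed; which flows an organization actually permits is its own design decision.

```python
"""Zone-separation policy check.

Added example, not code from the article or from Symantec. It models the four
zones the article names (Internet, extranet, intranet, mission-critical) as
ordered tiers and evaluates candidate firewall rules against two assumed
principles: default deny between zones, and no rule that lets traffic move
more than one tier inward. Ports and the rule set are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordered from most external to most sensitive; the index is the tier depth.
ZONES = ("internet", "extranet", "intranet", "mission-critical")


@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    port: int   # destination TCP port


def depth(zone: str) -> int:
    """Tier depth of a zone; raises if the name is not one of the four zones."""
    if zone not in ZONES:
        raise ValueError(f"unknown zone: {zone}")
    return ZONES.index(zone)


def skips_a_tier(rule: Rule) -> bool:
    """True when a rule lets traffic move more than one tier inward,
    e.g. internet -> intranet or internet -> mission-critical.
    Outbound (inward-to-outward) rules are not flagged by this check."""
    return depth(rule.dst) - depth(rule.src) > 1


def audit(rules: list[Rule]) -> list[Rule]:
    """Return the rules that violate the one-tier-at-a-time principle."""
    return [r for r in rules if skips_a_tier(r)]


def is_allowed(src: str, dst: str, port: int, rules: list[Rule]) -> bool:
    """Default-deny evaluation: a cross-zone flow is permitted only if an
    explicit rule matches. Traffic within a single zone is left to host
    controls and treated as allowed here (an assumption of this example)."""
    depth(src)  # validate zone names before evaluating
    depth(dst)
    if src == dst:
        return True
    return Rule(src, dst, port) in rules


# Constructed candidate rule set; the last entry is the kind of mistake the
# audit is meant to catch.
PROPOSED_RULES = [
    Rule("internet", "extranet", 443),           # public web tier
    Rule("extranet", "intranet", 8443),          # application tier behind it
    Rule("intranet", "mission-critical", 5432),  # database tier
    Rule("internet", "mission-critical", 5432),  # bypasses two tiers
]


def approved_rules(rules: list[Rule]) -> list[Rule]:
    """The subset of a proposal that passes the audit."""
    return [r for r in rules if not skips_a_tier(r)]


if __name__ == "__main__":
    for bad in audit(PROPOSED_RULES):
        print(f"REJECT {bad.src} -> {bad.dst}:{bad.port} (skips a tier)")
    ok = approved_rules(PROPOSED_RULES)
    print("internet -> extranet:443  ", is_allowed("internet", "extranet", 443, ok))
    print("internet -> intranet:8443 ", is_allowed("internet", "intranet", 8443, ok))
    print("extranet -> intranet:80   ", is_allowed("extranet", "intranet", 80, ok))
```

The check is deliberately narrow: it says nothing about outbound flows from the mission-critical zone, about what runs inside each zone, or about whether the extranet hosts that are reachable from the Internet are themselves hardened. Those are separate controls; the audit only enforces that the tiering the article describes is not silently undone by a single permissive rule.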
Security technologies are deployed at the gateway, server, and client.
In other words, security technologies must be in place wherever security threats might appear. And today, they’re appearing at every layer of the network.
Mark Egan is Symantec’s CIO and vice president of Information Technology. He is responsible for the management of Symantec’s internal business systems, computing infrastructure, and information security program. Prior to Symantec, he held several senior level positions with companies including Sun, Price Waterhouse, Atlantic Richfield Corp., Martin Marietta Data Systems, and Wells Fargo Bank.