Security Strategy Development
Building an Information Security Management Program
An ISS White Paper
Internet Security Systems, 6303 Barfield Road, Atlanta, GA 30328
Tel: 404.236.2600, Fax: 404.236.2626

Information Security Management

A sound information security management program involves more than a few strategically placed firewalls. These safeguards, while important, are only truly effective as part of an overall information security management system. Integrating existing security technologies and processes into a cohesive framework for security management reduces inefficiency and redundancy and keeps those solutions manageable. A comprehensive security program should strike the proper balance between people, processes and technology so that risk is managed effectively with minimal impact on normal business operations.

To build an appropriate information security program, an organization should assess and define its specific security requirements, design a solution that meets those requirements, deploy the necessary policies, technology and procedures, and continuously maintain, adapt and improve that solution. The organization's overall security strategy provides the framework for defining the elements needed to build and maintain a sound security management program.

Strategic planning can take many forms, but the end result should be a documented approach for achieving goals set within the framework of a specific strategic objective. In the case of information security, the strategic objective is satisfying the protection requirements for the organization's information assets.

Strategic Planning Process

The planning process described in this paper has five phases:

- Laying the Groundwork
- Assessing the Need
- Designing the Strategy
- Defining the Roadmap
- Documenting the Plan

Laying the Groundwork

The first step in building a security strategy is developing a work plan for the planning process itself. This step includes:

- Formation of the planning team
- Identification of the specific issues or choices that the planning process should address
- Identification of the information that must be collected to make sound decisions

The planning team should be selected carefully. Its members should represent the departments within the organization that will be directly involved in executing the planned strategy. Each participant should have a commanding knowledge of their department's operations and the authority to make decisions about the strategy and about their department's part in executing it.

The planning team should also include individuals with expertise in information security to serve as subject matter experts. They provide input on information security best practices and, based on their experience, insight into the security practices of other organizations.

Planning sessions are most successful when a neutral third party acts as meeting facilitator. The facilitator guides the conversation according to the work plan and keeps the team on schedule and on topic. The facilitator helps the team develop its security approach by listening to the opinions of the group, translating those opinions into ideas and gaining consensus on decisions. As a neutral participant, the facilitator can ensure that minority voices are heard and aid the decision-making process.

Assessing the Need for Security

In developing the security strategy, the organization should first determine its business requirements for security and how security fits into its overall goals. The following should be considered:

- Critical business requirements
- Security initiative mission
- Current state and desired state of security

The team should begin by reaching consensus on the key business processes for which the confidentiality, integrity and availability of the supporting computer systems are most critical. Next, the group should evaluate the IT initiatives currently underway to determine the driving forces behind the security initiative. This leads to a definition of the organization's security mission, which sets the parameters for building the security plan.

The organization has most likely already implemented security processes, procedures and technology to manage security risk. The team should review the safeguards already in place and evaluate how effective they are. This exercise is most effective when framed around a best-practice standard for information security. For example, ISO 17799 contains a set of best-practice security controls organized within the following major areas:

- Information security policy
- Security organization
- Asset classification and control
- Personnel security
- Physical and environmental security
- Computer and system management
- System access control (internal and across open networks)
- Systems development and maintenance
- Business continuity planning
- Compliance

At the end of this phase, the team should be able to state the requirements for its security management program.

Designing a Security Strategy

Once the team has a clear understanding of the desired outcome for information security, it must develop the approach for reaching that outcome. During this stage the team determines how to implement the general security controls that will satisfy its requirements. The following topics should be addressed:

- Strategy objectives and measurements
- Assumptions and constraints
- Strategy approach

Clear objectives for developing and implementing the security strategy should be defined, and their achievement should be measurable. For example, an organization that has had problems with the spread of computer viruses among its users may set an objective of reducing the number of virus incidents to some acceptable number per year. That organization will likely implement a combination of anti-virus technology and procedures as part of its security implementation plan, and it will keep a record of each virus incident to measure whether the objective is being met.

To select security controls and identify the tasks needed to implement the defined approach, certain assumptions must be made, and they should be stated explicitly before the approach is defined. Constraints are defined so that the boundaries within which the strategy must be formulated are clearly understood.

The strategic planning team must determine how it will satisfy each requirement of its security management program; this is the strategy's approach, which the team outlines during this stage. The approach will likely cover the following areas:

- Asset and data valuation
- Vulnerability and threat assessment and management
- Legal and regulatory requirements
- Security policy and standards development
- Technology implementation
- Secure network design
- Procedural development
- Staffing and training
- Ongoing security management

Defining the Security Roadmap

With the strategic approach to building an information security management program in hand, the team should develop a high-level project plan outlining the steps needed to put the strategy into action. This plan is the roadmap for implementing the security strategy. In developing it, the group should consider:

- Roles and responsibilities
- Required tasks and task owners
- Timelines and milestones

Documentation and Management of the Strategic Plan

The events and results of each phase of the planning process should be documented, and the documentation should reflect the consensus of the team. This document should outline the strategic plan in terms of:

- Security mission
- Information security management program requirements
- Strategy objectives, measurements and approach
- Assumptions and constraints
- Roles and responsibilities
- Program risks
- Project plan or roadmap
- Project management and administration procedures

Security Implementation

This strategic planning process should produce a high-level plan for implementing a comprehensive security program. The resulting roadmap provides the framework for developing the detailed project plans that execute the specific security initiatives supporting the defined security strategy.

About Internet Security Systems (ISS)

Internet Security Systems, Inc. (ISS) (Nasdaq: ISSX) is the leading global provider of security management solutions for the Internet. ISS protects critical information and network resources from attack and misuse. By combining best-of-breed software products, market-leading managed security services, aggressive research and development, and comprehensive educational and consulting services, ISS is the trusted security provider for thousands of customers around the world.

Copyright 2001, Internet Security Systems, Inc. All rights reserved worldwide. Internet Security Systems, the Internet Security Systems logo, The Power To Protect, X-Force, ADDME, Internet Scanner, System Scanner, Database Scanner, Online Scanner, ActiveAlert, X-Press Update, FlexCheck, SecureLogic, SecurePartner, SecureU, Secure Steps and RealSecure are trademarks and service marks, and SAFEsuite a registered trademark, of Internet Security Systems, Inc. Other trademarks and trade names mentioned are marks and names of their owners as indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.