Information Security Program

Strong security programs consist of a clear mission, appropriate mandate of management and a well defined strategy. Unfortunately some security programs lack one or more basic components, resulting in delays, limited effectiveness or costing too much money.

To benefit the most from a security program, make sure that the following building blocks are available and defined:

  • Program strategy
  • Mission and management mandate
  • Roles and responsibilities
  • Security policies
  • Project portfolio
  • Training and user awareness activities

Special attention is needed to the first two blocks, which can make or break the whole program. Without the right support from upper management, the funding or attention to the organization might be at risk. Additionally without a clear plan, with clear objectives, chances are high that people are just improving things without knowing why. Often resulting in a temporarily boost of security, quickly followed up by abandonment of anticipated security controls.

Everyone involved in the program should be aware and understand the strategy, so all are aligned and working towards the achieved outcome. Within the program several people will be responsible for delivering their own objectives. Well defined roles and responsibilities are therefore requirements to support the mission of the program.

Within a security program there might be special attention for the creation or modification of security policies. Usually the lack of focus on proper document management results in outdated documents, shattered on network shares or intranet pages. Therefore the program could address the need of fixing existing policies and make sure that new documents get the proper quality controls embedded. These controls enable better document management, for example used in annual document reviews.

All initiatives within the program should be documented and treated as individual projects, with a clear timeline, scope and outcome. Existing project management methodologies are preferred, so the existing project organization can assist in the efforts of the program.

Last but not least, security awareness and training are important to account for. Usually these end up “out of budget” or as a low priority item. Still informing people about the program, the results and a follow-up training might give information the appropriate boost it deserves.