Guidelines for Success
Security programs comprise intricate webs of technologies, processes, facilities, and people, so it only makes sense to plan carefully and put in place, from the outset, the kinds of controls that will ensure success. Four areas need equal attention when implementing and managing a security program: managing complexity and change, investing in personnel, maintaining a broad scope, and focusing on the processes that run the program. Neglect any one of them and the program will become an affliction that affects the health of your organization rather than a safeguard.
Manage complexity and change. You can't avoid the problems and constraints that complexity and change bring. But you can facilitate and manage them through a structured, standardized security program.
Invest in personnel. You need well-trained staff capable of implementing and managing your security program. Plan for adequate personnel training from the very beginning.
Maintain a broad scope. Make sure that the plan and design of your security program has a broad scope. Don't limit the scope, or it will become an impediment to change; worse, it can be costly to implement and integrate key elements of the security program after the fact.
Focus on the processes. In addition to security technologies, put in place the processes and tools to manage your security program.
Because the security program must be well-planned from the start, we use a formal approach that brings discipline and structure to your security program. Our approach to assessing, building, and managing security programs ensures that business processes, technologies, policies, security processes, access controls, tools, and people are properly aligned. Every world-class security program arises from a comprehensive approach combining all of these factors.
The Assess, Build, Manage Model
Our model to assess, build, and manage security programs is an ongoing cycle. We assess the risks to key processes and information and define acceptable levels for them; build (develop and implement) security architectures, technologies, and processes designed to mitigate those risks to acceptable levels; and manage the security technologies and processes with tools, making ongoing adjustments, enhancements, and improvements (see Figure 1).
Figure 1 Model to assess, build, and manage comprehensive security programs.
The model leverages and integrates three important elements:
Security standards. To ensure that security programs are based on best practices, the model leverages prominent industry security standards. The model is also flexible enough to accommodate different standards, depending on the organization's objectives and industry. These include, among others, COBIT control objectives, SysTrust Principles and Criteria, WebTrust Principles and Criteria, the Common Criteria (ISO/IEC 15408), BS 7799/ISO 17799, ITU-T X.800 (the equivalent of ISO 7498-2), and regulatory requirements such as HIPAA.
Security framework. The model is based on a security framework that ensures that all aspects of the security program are assessed, built, and managed in a comprehensive and logical manner. Comprising more than 50 operational areas, the framework ensures that all elements of security technologies, policies, processes, access controls, organizational structures, and people are well-planned, well-deployed, integrated, and systematically evaluated for improvement.