Developing Your Information Security Program
A multibillion-dollar international company found that the email of an executive based in Germany was being regularly disclosed outside the company in an unauthorized manner. The investigation was complicated. The company's corporate headquarters was in the United States, so the investigation was based there because of the extremely sensitive nature of the incident. However, the executive in question was a German citizen, the mail server used by European-based executives was in France, and the breach appeared to originate at a Dutch facility.
Who had jurisdiction? Local law enforcement in the state of California, where the company was headquartered? Federal law enforcement in the United States? The Federal Bureau of Investigation (FBI) or the Secret Service (USSS)? French law enforcement because the email server was physically located in France? German law enforcement because one of its citizens was the target? Or Dutch law enforcement because the breach appeared to originate in Holland?
What laws and regulations are investigators expected to follow? Because this issue involves personal privacy, does company policy based on United States laws prevail? Or does German law on employee privacy prevail because the target was a German citizen?
Information security can be complex and requires a consistent methodology to ensure that the program remains current with threats and changes in laws and regulations. These changes occur at a rapid pace and are not consistent across different countries and industries. This chapter reviews a methodology that can be used to develop your program and account for these changes on an ongoing basis.
The previous chapter introduced the key components of an information security program and the principle of defense-in-depth. This chapter introduces the core concepts that you should consider when building a new security program or improving an existing one. Both of these tasks require a solid plan and diligent attention to detail. Using the methodologies introduced in this chapter, you can begin to create that plan.
When developing your information security program, you should begin by determining the high-level business objectives that you want to achieve. These objectives will serve as boundaries for the program and will guide your progress. By following a consistent methodology, you will be able to evaluate multiple alternatives and complete the design of your program.
The concepts introduced in this chapter will continue to serve you after you have a program in place. Changing circumstances will confront you with new threats and challenges, requiring you to adjust your program over time. Revisiting these ideas will aid you when making these adjustments and continually improving your program.