Key Points for This Chapter
A structured methodology should be used when developing your information security program.
The first step in this process is to determine the business objectives that you want to accomplish with your program, such as providing the highest protection possible for your customers' sensitive information.
Assessing the current state of your program and determining the desired future state is the second step in the process.
The final step includes a gap analysis between your existing program and your desired future program, and providing alternatives to bridge this gap.
The Security Evaluation Framework is a tool that can be used to guide this process and develop an information security roadmap in 90 days.
The framework includes the ability to tailor your program based upon unique company and industry characteristics because no two companies are the same.