Building a Practical Information Security Program provides users with a strategic view on how to build an information security program that aligns with business objectives. The information provided enables both executive management and IT managers not only to validate existing security programs, but also to build new business-driven security programs. In addition, the subject matter supports aspiring security engineers to forge a career path to successfully manage a security program, thereby adding value and reducing risk to the business. Readers learn how to translate technical challenges into business requirements, understand when to "go big or go home," explore in-depth defense strategies, and review tactics on when to absorb risks. This book explains how to properly plan and implement an infosec program based on business strategy and results.
Provides a roadmap on how to build a security program that will protect companies from intrusion
Shows how to focus the security program on its essential mission and move past FUD (fear, uncertainty, and doubt) to provide business value
Teaches how to build consensus with an effective business-focused program
Frequently asked questions
Is Building a Practical Information Security Program an online PDF/ePUB?
Yes, you can access Building a Practical Information Security Program by Jason Andress and Mark Leary in PDF and/or ePUB format, as well as other popular books in Business Administration & Information Management. We have over one million books available in our catalogue for you to explore.
Information security strategy and planning is critical to set the foundation of an effective information security program. In this chapter, the discipline and rigor of information security strategy and planning are discussed, as well as the importance of tying information strategy to business strategy and stakeholder engagement.
Keywords
Information security plan; Information security road map; Operational planning; Stakeholder engagement for information security; Strategic information security planning; Strategic planning; Tactical planning
Information in this chapter:
• Information security strategic planning principles
• Information security organizational vision and mission statements
• Setting the context through describing the information security environment
• Delivering the Information Security Strategic Plan
• Stakeholder engagement in information security strategic planning
Strategy is the plan for achieving an organization's business, mission, and objectives. In today's dynamic and rapidly shifting technological environment, strategic planning has been deemphasized and is often criticized as no longer relevant. At the pace of technology adoption, planning from a strategy perspective has become an annual exercise rather than a disciplined formulation of near- to long-term action planning along a defined three- to five-year planning horizon.
Perhaps such long-range planning is no longer practical for those companies that heavily depend on technology, or are influenced by rapid changes in the market, but strategic planning still remains an essential part of defining clear objectives for the organization. Irrespective of the planning horizon, strategic planning defines clear business objectives, the respective goals to reach those objectives, strengths and weaknesses that act as tailwinds or headwinds, the key actions necessary to capitalize on these strengths or close critical gaps, and roles and responsibilities of those who are empowered to execute the actions to achieve the plan.
Information Security Strategic Planning Principles
Business strategy is generally created at the upper levels of an organization, depending on the size and market focus of the company. Companies with a singular market focus and defined set of products or services may have a very narrowly focused strategic plan. Large corporations that participate in multiple markets with numerous products or services may have several business segment strategic plans that then roll up to a high-level corporate strategic plan. In either case, the degree of detail, specificity, and format is largely subjective. Some organizations have detailed documents that are very descriptive and lengthy; others may simply use a set of five or six presentation slides.
Creating an information security strategy and strategic plan is not any different from the planning process for the business. A clear and concise information security strategic plan allows business leadership, information security executives, information security managers, and their staff to understand what the vision, mission, objectives, and plan for the organization are, and their role in its fulfillment. This provides the foundation of the direction and desired end state from the "top down." The additional benefit is that the strategic plan creates the annualized organizational goals that are further flowed down to the individual employee, providing traceability in performance goal planning at the organizational and individual levels. A discussion of performance planning and metrics will be covered later in Chapter 10.
Develop the Organizational Vision and Mission Statements
A vision statement declares the objectives of the organization. Often an internal statement, a clear and concise vision communicates the organizational goals to management and staff. The vision statement should paint the picture of what leadership believes is the ideal state or value that it delivers to the business. Vision statements define what the leadership wants the business to become, in terms of market focus, growth, values, or contributions to society.
The vision statement for an information security organization should lay out the goals at a high level and should support or enable the business leadership's vision statement. A vision statement can also be reflective of the organizational culture. For example, if innovation is a goal of the overall business, the information security vision should in some way support that goal. If lacking a higher-level business vision statement, the information security leadership should still attempt to relate the information security organizational vision statement back to the overall business's objectives and goals. An example of an information security organization's vision statement is provided.
Information security will provide world-class, innovative, value-added solutions and services to our company; create a work environment where our employees are proud to work, and make a positive impact on our community.
Vision statements and mission statements are very different. Mission statements define the organization's purpose. These statements explain why information security exists as an organization or function. Similar to vision statements, mission statements should be short, clear, and powerful. An example mission statement is provided as follows.
Through cost effective and innovative solutions, our mission is to educate and empower our employees to make informed risk-based decisions, work securely and safely, and reduce the technology risks associated with our business.
Ensure that the vision and mission statements are short, concise, clear, focused, and even inspiring. Long, complex vision and mission statements tend to be "everything and the kitchen sink," which may not be reasonable or even attainable. They should be easy on the tongue and natural. They should be easy to memorize for both managers and staff, who are all ambassadors of the information security organization back to the business. Lastly, vision and mission statements should be reevaluated as the business changes; information security strategy can quickly become stale and irrelevant if it does not reflect the changes in business strategy.
Describe the Information Security Environment
To formulate the strategy and plan, the information security leadership needs to understand the environment that surrounds the business with a focus on its mission and goals. The information security strategy and strategic plan are based on the higher-order, strategic influences that create the function for protecting the business. Businesses generate their understanding of the environment and formulate strategies based on this understanding using several techniques, methods, or tools.
• Strengths-weaknesses-opportunities-threats or SWOT analysis
• Threats-opportunities-weaknesses-strengths or TOWS analysis
• Political-economic-social-technological or PEST analysis
• Porter's five factors
• Critical success factors
Originated by Albert Humphrey in the 1960s for Stanford Research Institute, the SWOT analysis is a well-known method of strategic planning. A SWOT analysis can also be a method for understanding the security environment or posture through the lens of internal strengths and weaknesses, as well as external opportunities and potential threats. The use of an information security aligned SWOT analysis supports the business strategy by addressing information security factors, issues, and challenges unique to the business and therefore complements the overall business strategy.
• Strengths: the most effective information security factors of the business
• Weaknesses: challenges, shortfalls, or gaps in the information security program
• Opportunities: factors that can help the company improve its information security
• Threats: man-made or natural factors that may exploit company information security weaknesses
An application of a SWOT analysis is provided: the management of an imaginary professional services firm that advises companies on financial services needs to start its information security program. The firm has 100 consultants and associates who either work from home or travel to customer locations to perform these services nationwide. The company employees are highly reliant on three core IT services (office productivity, collaboration, and human resources applications), which are offered as cloud-hosted Software as a Service. The company uses a Bring Your Own Device approach to end-user computing. The new information security leader is developing a company strategy using a SWOT analysis. After the security leader's analysis, a SWOT-based list of current information security factors is developed as in Fig. 1.1.
For Strengths, the information security leader lists the most effective information security characteristics, for example, experienced security leadership, strong security practices in their cloud providers, and, since the financial community is highly regulated in information security, a very compliance-focused culture. These strengths would be capitalized upon in the strategy development. In evaluating information security Weaknesses, the security leader noted that their employees are buying a wide variety of laptops and cell phones without any guidance on minimum features, such as security software, e.g., antivirus. Also, there were no formal policies on handling company information on personal devices, nor a security awareness program informing employees of any policies or restrictions. Lastly, a weakness exists in the contractual relationship between the cloud provider and the company regarding when and to whom security incidents are reported. These factors should be improved.
Opportunities identified in our exemplar by the security leader are factors (generally external, but they can be internal) that can help the company improve its security. In our example, these may be security training and awareness products that can be bought commercially, subscription to the cloud provider's additional data protection security services, and specially discounted end-point protection software for various device platforms. Threats are those factors that exploit the company's information security weaknesses, and are of either a man-made or natural environmental source. For instance, as a financial services firm, there are regulatory requirements in protecting customer financial data. Likewise, these companies are often targeted by the most motivated and sophisticated threat actors, unusual organized cyber cr...
Table of contents
Cover image
Title page
Table of Contents
Copyright
About the Authors
Chapter 0. Why We Need Security Programs
Chapter 1. Develop an Information Security Strategy
Chapter 2. Integrate Security Into the Organization
Chapter 3. Establish a Security Organization
Chapter 4. Why Information Security Policies?
Chapter 5. Manage the Risks
Chapter 6. Protect the Data
Chapter 7. Manage the Security of Third Parties and Vendors
Chapter 8. Conduct Security Awareness and Training
Chapter 9. Security Compliance Management and Auditing
Chapter 10. Information Security Program Metrics
Index
Citation styles for Building a Practical Information Security Program
APA 6 Citation
Andress, J., & Leary, M. (2016). Building a Practical Information Security Program ([edition unavailable]). Elsevier Science. Retrieved from https://www.perlego.com/book/1809358/building-a-practical-information-security-program-pdf (Original work published 2016)
Chicago Citation
Andress, Jason, and Mark Leary. (2016) 2016. Building a Practical Information Security Program. [Edition unavailable]. Elsevier Science. https://www.perlego.com/book/1809358/building-a-practical-information-security-program-pdf.
Harvard Citation
Andress, J. and Leary, M. (2016) Building a Practical Information Security Program. [edition unavailable]. Elsevier Science. Available at: https://www.perlego.com/book/1809358/building-a-practical-information-security-program-pdf (Accessed: 15 October 2022).
MLA 7 Citation
Andress, Jason, and Mark Leary. Building a Practical Information Security Program. [edition unavailable]. Elsevier Science, 2016. Web. 15 Oct. 2022.