Introduction
Information security is becoming more and more important to business today, and its importance will only grow. To meet the increasing demand for protecting information, many standards, guidelines, regulations and legal requirements have been developed. This article summarizes the requirements for an effective Information Security Management System (ISMS).
The 10 Steps/Phases
- Assess the security posture
- Draft an Information Security Strategic Plan
- Review & create policies and standards
- Get management buy-in
- Prepare Information Security Plan
- Assign Information Security Responsibilities
- Form a cross functional management forum
- Implement an incident response team
- Run a security awareness program
- Integrate security into the organizational process framework
The details of each step follow.
Assess the security posture
During this phase, various tools are used to assess the security status of your organization's applications, networks, servers and desktops. The output is a report describing the security posture of your environment.
If the expertise is not available in-house, an organization can hire external parties to perform the assessment. This phase shows the gap between the present status and the status you want to achieve.
Information Security Strategic Plan
As the saying goes, "well planned is half done." This is an important step. The plan should set out how you intend to fix the weaknesses identified in phase 1. It enables management to understand the requirements of information security and serves as the justification for the budget you will ask for.
Include all stakeholders in the plan and ensure that responsibility for the security improvements is spread across all your organizational units.
Finally, without a plan everything you present is ad hoc, and management buy-in becomes a difficult task.
Policies and Procedures
Assess the existing policies, if any. Policies must meet the regulatory and legal requirements of the jurisdiction. Beyond that, policies should address the organization's goals and mission and, above all, express management's commitment. A policy states what the end result should be; policies are supported and enforced by standards and procedures.
A standard is a rule that says what is allowed in order to meet the organizational goal. A procedure is a detailed, step-by-step description of how to do what is allowed.
Policies should have the following characteristics:
- Focused on business, not on technology
- Represent the best interests of the organization
- Help everyone attain their goals and represent the common benefit
- Address legal and regulatory requirements
- Come from top management
- Be enforceable
- Last, but not least, sound like common sense
Get management buy-in
This stage is crucial for a successful ISMS implementation. Up to this phase we have done the analysis; now it is time to implement the plan. To ensure acceptance by end users, the plan has to be pushed from management, so you need to convince management of the importance of information security and how it will benefit the organization:
- Talk about business benefits rather than technical advantages
- Get their involvement in deciding which weaknesses are most critical to the business
- Give an overall idea of the resource requirements, covering people, process and technology
- Budget: you decide
Annual Information Security Plan
Now that you have management support, it is time to write an implementation plan: an annual Information Security Plan. It should include:
- Approach to remediating the weaknesses identified
- Writing of standards, procedures and guidelines
- Periodic review of your existing security posture
- Management review meetings
- Auditing plan
- Corrective and preventive action plans
- Costs or budget
Assign Information Security responsibilities
Now it is time to form the teams that will implement information security. Assign the responsibility to a single employee, normally the CISO or ISO; for the rest of this article we will use CISO for the person responsible for implementing the ISMS. Let the CISO form a team of specialized experts. This team then works with the cross-functional groups, and responsibilities are assigned to those groups. This keeps the Information Security team small and ensures participation from other teams such as HR, Sales, Business Development, Marketing and the core business functions.
The Information Security team should oversee the implementation rather than carry it out itself. A separate audit team should be formed, and regular audits performed to identify improvement opportunities.
Another approach is to outsource both functions. Decide which strategy is best for your organization.
Form a cross-functional management forum
Following on from the previous phase, form a management forum with representation from every department of the organization. Information security is the responsibility of everyone in the organization. Have all leaders propagate the concept of information security to their respective teams.
This will also help you resolve inter-team conflicts related to information security and provides a platform for discussing issues.
Incident Response program
An incident response program is the platform through which security incidents get reported. It helps you identify which incidents occur frequently, how critical they are, and what measures to incorporate to improve the organization's security posture.
A team should be organized to analyze each incident's type, root cause, corrective action and preventive action.
A reduction in the number of incidents, and in the appearance of new kinds of incidents, will show whether you are on the right track. During this process, address the following:
- Prepare a plan, policy and specific procedures for responding to incidents
Security awareness program
"Security is only as strong as your weakest link." This phrase is used by many security professionals, and I support it. So who is the weakest link? In my experience, it is human beings. Say an employee has a strong password; if he tells it to someone, the password has lost its strength.
Educate everyone in your organization, your contractors and anyone else you consider important to your information security.
Use a variety of methods, such as corporate presentations, role-play and induction training. Find innovative ways to carry out this activity.
Integrate into the organizational process framework
Now integrate information security into your organizational process framework, such as CMMI, PCMM or ISO 9001. This gives employees one single process framework. Otherwise, there will be a lot of resistance from employees when you perform an audit or ask teams to send a separate report for information security.
Information security is a business requirement. An organization should follow process-based security rather than product-based security.