Many organizations are overwhelmed with the growing number of information security threats and the increasing complexity of threats. If you aren’t sure where to start to protect your organization’s data, you are not alone. It seems that now it’s not a matter of if, but when you have a security incident. Instead of ad hoc technology solutions, which are not adequate enough for today’s threat landscape any longer, we recommend implementing a comprehensive information security plan. Here are 5 helpful tips in implementing your security plan:
Tip 1. Write a Security Charter
Writing a charter will allow you to define the scope and purpose of security. It will define security governance, and allow it to operate efficiently through your mission and vision. A security charter can formalize and define your security governance, and provide value in implementing your security plan. Involving multiple stakeholders in the creation of the charter will allow you to build a charter that is truly reflective of your organization.
What are the objectives of writing a security charter?
- Establishes a mandate for information security within the organization.
- Communicates executive commitment to risk and information security management.
- Outlines high-level responsibilities for information security within the organization.
- Establishes awareness of information security within the organization.
Tip 2. Formalize Security Organizational Structure
It is strongly recommended that you define the roles and responsibilities for the staff members among your security team, while creating a right-sized model. A formalized security organizational structure assigns and defines the roles and responsibilities of different members in the organization around security. Clarity of responsibilities ensures owners are accountable.
Elements to be included in your security organizational structure:
- Organizational reporting lines
- An explicit allocation of information security responsibilities and accountabilities
- The definition of a security steering committee
- A statement of management’s commitment to information security
- Details about how information security activities will be co-ordinated by representatives from different parts of the organization
- A list of appropriate contacts with authorities or special interest groups
Tip 3. Organize a Security Steering Committee
Having a steering committee that contains the necessary stakeholders from the business, IT, and IT security helps continue to enable your security team to act strategically. Have the committee draft a Communication Plan.
Tips in writing the Communication Plan:
- Consider the audience for your communication plan. Avoid using technical jargon or lingo with a general audience.
- Don’t overload the Plan with too much detail. The executive management team does not need to know about each security initiative planned over the course of the next three years. A high-level roadmap will suffice.
- Consider the delivery method of the Plan. Emailing it to executive management may not generate enough engagement. Consider setting up a meeting to encourage two-way communication and engage executive management in the organization’s information security planning.
- The Plan can be used for many purposes; it is a great way to gain buy-in from executive management for a larger security budget.
Tip 4. Define the Right Security Metrics
Another thing to note is the importance of creating the metrics needed to provide the business with hard evidence of effective security processes and to continually build a better program. A poorly designed metrics program is worse than having no metrics program at all. The results of poorly designed metrics could be misleading and provide a false sense of security.
What are the benefits of the right security metrics?
- It indicates how secure the organization is.
- It indicates how well security is meeting its obligations.
- It provides evidence of how security is supporting business goals.
- It enables managers to make well-informed security decisions (e.g. where to invest in security).
Metrics can measure both quantitative and qualitative subjects.
- Quantitative metrics: Metrics that measure hard benefits such as resource allocations or reductions in operational costs
- Qualitative metrics: Metrics that measure soft benefits such as improved customer satisfaction or employee loyalty
Tip 5. Establish Security Service Catalog
The next step is to establish your security catalog to track your security services more closely and determine when the services are meeting expectations or falling short of any service level agreements. Security services refer to the products and services offered by your security department to the business.
A formalized security services document sets clear expectations of the security department’s capabilities and can justify the cost of security. A security services document also allows the security team to determine the resources required to enable business activities. Don’t forget that a security service catalog should be one part of an enterprise service catalog.
A security service catalog is all about communication:
- Give the end user as much information as possible around how to access something, how to use something, and how to change something.
- Communicate what services and products are available and any parameters around them (e.g. 24/7 support or 9-5 support, wait time for getting the service, etc.).
- Explain any requirements needed from the end user and the expectation the user can have around receiving the service (e.g. you will receive it in two weeks).
- Include any information that may be needed by end users. For example, if you have a web filter but don’t let the end user modify it, include it with information around what is being blocked and the exception process.
A service catalog should be the one place for information:
- You want to limit how many sites the end users can go to. Providing only one place ensures end users will have to use it.
- Provide general information on security policies and best practices.
Use this list of services as a starting point to build your security service catalog:
- Security assessments and testing
- Security training and awareness
- Security project support
- Security policy management services
- User access and access rights to support business requirements
- Adequately secured and configured systems
- Adequate protection against malware, external attacks, and intrusion attempts
- Adequate incident response measures
- BCM support
- Security backup and recovery services
Provide an end-user portal
- Provide an end-user-facing portal that allows requests through a ticket-generating browser.
- Although there are many ways service requests can be made (phone call, email) a direct link between a portal and the help desk is best.
- You don’t necessarily have to go to the help desk; you could have a request go straight to the security team.
Let us help you with your organization’s security!
Having a security plan will make your business more agile. Now is the time to strengthen your organization’s security from implementing an effective information security plan to remain competitive in today’s world. Remember: now it’s not a matter of if you have a security incident, but when.
Our team of experts have worked with many organizations to help them implement an information security plan. Contact us today! We will be happy to run a complimentary cloud security assessment for you and discuss how you can improve your organization’s security!
Related Posts:
