SimplyBASICsoftware

Simple Software … Simply Effective Results

Information Security Strategy

A comprehensive corporate security strategy rests on three equally important elements:

  1. Infrastructure components that mitigate as many threats as is practical at a reasonable return on investment.

  2. A comprehensive set of written policies that spell out specific roles, responsibilities, and methods.

  3. An ongoing Security Awareness Training program, so that every employee becomes a front-line security watchdog.

Documentation should be developed at two levels. At the highest level are a small number of non-technical policies that state the security goals of the organization and how those goals will be enforced. These policies should carry the explicit endorsement of the highest level of management. The second level is a set of written standards that specify, in sufficient technical detail, the infrastructure requirements and the roles and responsibilities needed to maintain compliance with those standards.

The documents themselves should be owned by specific functions within the organization and carry an explicit review process to ensure they are kept current.

Policy topics:

  1. Overall policy that defines organizational security directives endorsed by senior company executive(s).

  2. Overall acceptable use policy that defines the behavior of every employee in the use of Information Technology assets.

  3. Set of Standards (below) that defines in detail how the technical aspects of the Information Technology infrastructure will be managed.

  4. Specific technology (e.g. firewalls, intrusion detection/prevention systems, virus protection software, etc.) to aid in stopping common threats.

Standards topics:

  1. Security Awareness Training process

  2. Risk Management, Roles and Responsibilities

  3. Access provisioning process details, Access Review process details

  4. System Administration procedures

  5. Malware Protection

  6. Authentication

  7. Remote Access

  8. Firewall Management

  9. Logging and Monitoring procedures

  10. Wireless (WiFi) Management

  11. Information Technology Review and Audit procedures

  12. Information Technology Asset Management procedures

  13. Encryption Process, Key Management for encryption

  14. Server Room Protection

  15. Media Protection, Media Disposal

  16. Information Classification, Information Handling

  17. Business Resilience Program

  18. Backup and Restore procedures

  19. System Development security procedures

  20. Change Management procedures

  21. Data Integrity Management


June 20, 2011 | Uncategorized