While I’ve spent a lot of time describing certain aspects of my work within information security, something I’ve not really touched upon is how the program originated, and the question of where and how it was decided what shape the information security plan that I work to will take.
The best place to start is to know your place. InfoSec is a business support function – that means it’s a service to the organisation and not the group providing strategic business guidance. I say that a bit tongue in cheek: that’s because I’ve met, and worked with, many individuals within IT in general who are ever ready to stick their necks out and provide direction to the business. Here’s my advice: don’t do it. Unless you are intimately familiar with the CEO and having a chat over the breakfast table, it’s more likely that your role is to provide value within the role you’ve been employed in. I still remember the look of thunder on a project manager’s face a few years ago when, within a meeting that also involved a client, I suddenly had an uninvited “great idea” relating to a product. She was furious: I had embarrassed her, cast doubt into the mind of the client, and I learnt a lesson the hard way: focus on your own job and not somebody else’s.
So, advice aside, the information security program that I’m working within is based on the strategy of the organisation. That is very much the start point – using that as the template, we’ve developed (and documented) a bullet-pointed security strategy. You don’t need a lengthy, wordy, technically detailed document: what’s required is a high-level list of strategy aims and objectives. Unfortunately I can’t tell you what needs to be in your strategy, but there are many resources that try to tell you. For example, this one here is typical: http://www.isect.com/html/strategy.html. It details a 6 point plan, but I don’t like it because step one is “Implement baseline controls.” I’m not sure that step one of any strategy should state “implement”, and step 3 is about preparing a business case. There should certainly be a business case prepared around individual controls; however, the strategy document is not the place for such detail.
This is a subject pretty close to my heart: I’ve worked on information strategy, taken advice from strategists on how to prepare a strategy document, and it’s something I’m likely to be doing again in the near future. So, here’s my plan:
1 – Understand the organisation’s strategy: where are the risks, and what is the business investing a lot of money in?
2 – Split information security into a number of programs: several come immediately to mind that probably apply to most businesses: infrastructure, product, desktop, etc.
3 – Describe high-level, achievable objectives within each of the programs, and a short narrative on how they are going to be achieved.
That’s it! I realise I’ve diluted an extremely important task into a few lines of text; however, let’s be clear: we don’t need to have a long, detailed explanation of every step of the plan. What we need to have is a lucidly documented, understandable strategy that provides a foundation for your work. Each program can then generate a further strategy of its own, and so on (e.g. a desktop security strategy or a network security strategy derived from the top-level one).
Let me know if this makes sense.