Just as no two businesses are exactly alike, information security programs also differ from company to company. A small firm that conducts business only in the United States and has few automated processes, for example, requires a much different information security program than does a large financial services organization that is highly regulated and relies on the Internet for many business transactions.
But regardless of company size and industry, the most effective information security programs have several essential components in common. These 10 fundamental elements address the strategies and tactics required for building, managing, and maintaining an information security program that utilizes the right combination of people, processes, and technology to ensure information availability and safety.
1. Information security is regarded as an essential business investment.
Information security is about defending business-critical information assets, preserving business continuity, and safeguarding the corporate brand and reputation. It's about finding the appropriate balance between information availability and information security to ensure that the right people have the right information at the right time.
After all, companies today are in the information business; yet, information that is secure but unavailable is worthless, and information that is available but not secure is of very little value. As a result, information security has become a boardroom issue.
2. The information security program is owned by the CEO or COO.
Information security impacts every area of an organization. Consequently, the CEO or COO must assume overall ownership of the corporate information security program.
Unless executive-level leaders consider information security an important part of their business strategy and are formally recognized as the first and last word on it, the program will likely play second fiddle to other business initiatives such as new product development. When developing broad objectives for the program, reviewing it to evaluate its effectiveness, and implementing changes or making investments in it, input and direction from the CEO are imperative.
3. The information security program starts with the basics.
Security is not a destination but a journey, and a lengthy one at that. In fact, some information security programs take years to implement. They start with the basics -- for example, with antivirus and a firewall -- then build from that solid foundation by adding more technologies as needed, from intrusion detection to vulnerability assessment to security management.
Needless to say, having a roadmap is invaluable. By outlining which technology components will be deployed at which time, organizations can make their security journeys as efficient and successful as possible.
4. Senior-level staff have responsibility for information security.
While everybody in a company must actively support an information security program in order to make it effective, it is the responsibility of a senior-level IT professional to report directly to the CEO or COO and be accountable for information security. In small organizations, this is likely one of many duties that the senior-level staff member shares; in large organizations, it might be his or her primary responsibility.
The complexities of information security demand the support of a dedicated team of IT and security professionals who have the experience and knowledge to address the ever-changing challenges of securing a digital workplace. Part-time support is no longer adequate.
5. The governance board comprises a cross-functional team.
By necessity, security policies impose restrictions on what organizations and employees do. Having a cross-functional governance board ensures that information security policies are aligned with other corporate initiatives. For example, legal and human resources organizations must assist in developing and communicating policies that impact employment to ensure that these policies do not conflict with laws or create an employee relations problem. Facilities organizations, in turn, must be involved in the development and operation of the information security program as it affects physical security functions throughout the company.
6. Multi-layered security is in place.
Layering security provides multiple levels of defense, typically at the gateway, server, and client. Protecting the gateway only is not enough, because a gateway control never sees traffic that does not cross it: an infected laptop carried into the building, or a worm spreading from one internal host to another, bypasses it entirely. Neither is defending just the servers or just the clients. With blended threats using many methods and techniques to spread, it is now essential to protect at all levels of the network, so that what one layer misses another can catch.
Firewalls, antivirus, intrusion detection, and content filtering offer effective protection for gateways, the connections or doors that separate the enterprise from the outside world. Securing servers -- the shared computers that perform functions for various personnel -- can be accomplished with antivirus, vulnerability management, and intrusion detection systems. And client protection -- the individual computers that employees use -- is possible with host firewalls, VPN, antivirus, and intrusion detection. Of course, managing these multiple layers of defense can put a burden on IT staff, but centralized management consoles are available to make it much less cumbersome.
7. Zones divide the computing environment.
Separating the computing environment into digital zones helps isolate restricted and critical systems. Computing infrastructures are typically divided into four major zones, each with a different level of security and a firewall separating one zone from the next, so that a connection bound for an inner zone must pass through, and be permitted by, every intervening firewall. The external or Internet zone is the outermost zone. The extranet is next, where only customers and trusted vendors are allowed limited access; inbound connections from the Internet should terminate here rather than reach further in. Next is the intranet, where employees conduct the majority of their daily work; this area is generally restricted to staff, contractors, and temporary workers. The innermost zone is the mission-critical zone, where all mission-critical applications and systems reside; access to this area and these systems is very restricted and controlled.
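The zone model above is easy to state and easy to erode one "temporary" firewall rule at a time. The following is an added example, not code from the article or from Symantec: a small linter that checks a proposed rule set against the four-zone layout, flagging inbound rules that skip a zone, inbound rules that open every port, rules that cross no boundary at all, and direct Internet egress from the mission-critical zone. It also names the firewall (one per adjacent pair of zones) that must carry each rule. The zone names follow the article; the `Rule` record, the `ANY_PORT` convention, the sample policy and the specific checks are assumptions made for illustration.

```python
"""Zone-policy linter for the four-zone layout described above: internet,
extranet, intranet and mission-critical, with a firewall between each pair
of adjacent zones. Added illustration, not code from the article; the rule
format, the ANY_PORT convention and the individual checks are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Outermost to innermost, in the order the article gives them.
ZONES = ("internet", "extranet", "intranet", "mission_critical")
RANK = {zone: i for i, zone in enumerate(ZONES)}
ANY_PORT = 0  # assumed convention: port 0 means "any destination port"


@dataclass(frozen=True)
class Rule:
    src: str        # zone in which the connection is initiated
    dst: str        # zone in which it terminates
    proto: str      # "tcp" or "udp"
    port: int       # destination port, or ANY_PORT
    desc: str = ""  # operator's justification for the rule


def firewalls_for(rule: Rule) -> list[str]:
    """Name every zone boundary (outer/inner) a flow under this rule crosses.
    Each name identifies the firewall that must carry a matching permit."""
    lo = min(RANK[rule.src], RANK[rule.dst])
    hi = max(RANK[rule.src], RANK[rule.dst])
    return [f"{ZONES[i]}/{ZONES[i + 1]}" for i in range(lo, hi)]


def lint_rule(rule: Rule) -> list[str]:
    """Return findings for one rule; an empty list means the rule is clean."""
    findings = [f"unknown zone {zone!r}" for zone in (rule.src, rule.dst)
                if zone not in RANK]
    if findings:
        return findings
    hops = RANK[rule.dst] - RANK[rule.src]   # > 0 means inbound, toward the core
    if hops == 0:
        findings.append("intra-zone rule: no zone firewall sits between src and dst")
    if hops > 1:
        findings.append(f"inbound flow skips {hops - 1} zone(s); terminate it in "
                        f"{ZONES[RANK[rule.src] + 1]} and re-originate it from there")
    if hops > 0 and rule.port == ANY_PORT:
        findings.append("inbound rule permits any destination port; restrict it "
                        "to the service port")
    if rule.src == "mission_critical" and rule.dst == "internet":
        # Assumed policy: the innermost zone never initiates Internet egress.
        findings.append("direct egress from the mission-critical zone to the "
                        "internet; route it through a proxy in an outer zone")
    return findings


def lint_policy(rules: list[Rule]) -> dict[int, list[str]]:
    """Map the index of every problematic rule to its findings."""
    result = {}
    for index, rule in enumerate(rules):
        findings = lint_rule(rule)
        if findings:
            result[index] = findings
    return result


# Constructed sample policy: four sound rules followed by four that violate
# the zone model in different ways.
POLICY = [
    Rule("internet", "extranet", "tcp", 443, "public web front end"),
    Rule("extranet", "intranet", "tcp", 8443, "web front end to application tier"),
    Rule("intranet", "mission_critical", "tcp", 1433, "application tier to database"),
    Rule("intranet", "internet", "tcp", 443, "staff browsing through the egress proxy"),
    Rule("internet", "mission_critical", "tcp", 1433, "vendor support direct to database"),
    Rule("extranet", "intranet", "tcp", ANY_PORT, "temporary convenience rule"),
    Rule("intranet", "intranet", "tcp", 445, "file shares"),
    Rule("mission_critical", "internet", "tcp", 443, "database host fetching patches"),
]

if __name__ == "__main__":
    for index, findings in lint_policy(POLICY).items():
        print(f"rule {index} ({POLICY[index].desc}):")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script reports rules 4 through 7 as violations and leaves the first four untouched. The outbound browsing rule (index 3) is accepted but `firewalls_for` shows it must be carried by two firewalls, which is the practical cost of the nested design: every permitted path is enforced at each boundary it crosses, and a rule that appears on only one of them is a sign the zones are not actually separated.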
8. The information security program is measurable.
To ensure that an information security program is improving over time, there must be a set of metrics to measure and monitor progress. These metrics may start out very basic, such as counting how many security incidents transpired in a given month. Information security metrics generally focus on evidence that the program is preventing harmful events, or limiting their impact, rather than on activity for its own sake.
At a high level, these metrics might include identifying the number of policy exemptions granted in a given month, measuring the percentage of users who are aware of security policies, determining the percentage of systems with documented risk assessments, and more. Most importantly, because measurement is key to improving the information security program, it is better to have rudimentary metrics in place than to wait to develop more complex ones.
9. The information security program is not static.
Threats evolve every day and an information security program must be able to adapt in response. To ensure that an information security program is dynamic rather than static, it must follow a continuous cycle of measuring, improving, and managing information security.
10. The information security program is reviewed by an independent third party.
For years, public companies have undergone independent audits of their financial controls in order to validate their business practices and procedures. An independent security review, in turn, offers an opportunity to determine the effectiveness of an information security program, conducted by a professional, independent, expert third party. The results of these reviews identify areas that are working effectively as well as areas needing improvement. And, because information security changes rapidly, annual independent reviews are recommended.
Over time, as results are tracked and remediation plans are developed and implemented, an information security program can become a powerful component of an effective business strategy.
About the author:
Mark Egan is Chief Information Officer at Symantec Corp. Egan is the author of The Executive Guide to Information Security, which will be available in November.