Information Security Program

Overview
An Information Security Program oversees the establishment and maintenance of information security policies, standards, and initiatives. In order to meet business objectives, the Security Program establishes security roles and provides oversight of security activities across the organization so that it meets regulations, reduces risk from threats and enforces policies. The Program should also be approved by management, published and communicated appropriately.

Guidelines
An Information Security Program should first start with a management or security framework that captures industry best practices for information security. For example, ISO/IEC 27001 is a widely used international standard that covers a broad range of security requirements and best practices, including HR Security, Physical and Environmental Security, Access Control, Communications and Operations Management, and Information Security Incident Management, to name a few. Even smaller organizations can leverage such standards to help achieve their security goals. See the "ISO 27001" topic for more information.

The Information Security Program should then establish the organization's security policies, standards and procedures and ensure security roles are established for the execution and oversight of the organization's security activities. Examples of security program roles include:
  • Chief Information Security Officer ("CISO") - role or organization responsible for policy management, security program oversight and governance, audit coordination, and regulatory compliance
  • Security Operations - responsible for incident management and response to policy violations
  • Vulnerability Management - the process to detect, analyze and remediate vulnerabilities in order to mitigate information security threats
  • Compliance - responsible for compliance reporting and remediation of deviations to standards (e.g. patching, Windows/UNIX/Network platform standards)
  • Identity and Access Management - responsible for access control process for access to systems and business applications
  • Security Architecture and Engineering - responsible for driving strategy, architecture and security technology direction to meet security and business objectives
  • Security Engineering - responsible for implementation and maintenance of security technology to meet security and business requirements
  • Others (larger enterprises): Fraud Detection, Computer Forensics, etc.
Organizations may use different models for how security groups are structured within the organization. In some cases, organizations may choose a "centralized" model whereby a central security organization (e.g. the "CISO") provides oversight of policy creation, of the other security groups and of most security initiatives. This can allow for a more consistent approach to the implementation and oversight of the security standards and procedures that put policies into practice. Alternatively, some organizations, including smaller businesses, may choose to integrate security responsibilities and roles throughout the technology and business teams. Although there still needs to be an organization (or role) responsible for security oversight, the latter approach can allow for more accountability and buy-in from the various technology and business teams.

Securezoo also recommends that organizations use a central repository or system to manage their security policies, standards and controls. For example, Securezoo can be used by smaller organizations to host their policies and save on development and maintenance costs. For larger enterprises, a Governance, Risk and Compliance (GRC) system can serve as the "single source of truth" for the organization's security policies and requirements. A GRC platform can also enable organizations to report on their risk posture, compliance and audit status more holistically. See the GRC topic for more information.

Finally, the Information Security Program should establish and prioritize security initiatives based on input from audit findings, compliance activities, new threats, regulation changes and business objectives. Security activities should be carefully coordinated across the business units and technology teams to prevent duplication of work, to keep priorities in line with overall business objectives, and to protect the most sensitive assets using a risk-based approach.

Topic Category: Information Security Program
News Articles
  • UK SMBs value cyber security but remain unprepared for upcoming legislation changes (blog.barracuda.com, 9/5/2017)
  • UK infrastructure failing to meet the most basic cybersecurity standards (www.theregister.co.uk, 8/29/2017)
  • More upper level participation needed as data breaches increase, study (www.scmagazine.com, 10/11/2016)
  • DOE Awards $34M in Funding to Help Bolster Power Grid Security (www.tripwire.com, 8/17/2016)
  • Facebook Unveils Tool For Sharing Data On Malicious Botnets (www.wired.com, 2/11/2015)
  • Brad Maiorino, Target's New Cybersecurity Boss, Discusses Being a 'Glutton for Punishment' (bits.blogs.nytimes.com, 7/31/2014)
  • Cyber Security Threats Gain Boardroom Attention (securityintelligence.com, 7/24/2014)
  • Target top security officer reporting to CIO seen as a mistake (www.computerworld.com, 6/16/2014)
  • Regulators Planning Cybersecurity Assessments for Banks (threatpost.com, 5/12/2014)
  • Advisory group to Obama: ISPs should step up real-time threat response (www.scmagazine.com, 11/25/2013)
  • US government releases draft cybersecurity framework (news.cnet.com, 10/22/2013)
  • White House to offer companies cybersecurity incentives (news.cnet.com, 8/6/2013)
  • Study: 73 percent believe SANS controls guidance worth adopting (www.scmagazine.com, 7/10/2013)
  • FAA Called Out for Lax Information Security Controls (threatpost.com, 7/8/2013)
  • Hey board directors, help your companies fight cybercrime - and yes, it matters (nakedsecurity.sophos.com, 6/21/2013)
  • New approach required for IT security: IBM (www.zdnet.com, 6/13/2013)
  • McAfee CTO: Current security landscape is on its way to failure (www.zdnet.com, 2/28/2013)
  • Large gap exists between security focus, new tech (www.zdnet.com, 2/25/2013)
  • Obama executive order redefines critical infrastructure (www.computerworld.com, 2/14/2013)
  • Almost all US networks can be hacked: Intelligence Committee (www.zdnet.com, 2/11/2013)
  • The poster child for cybersecurity done right: How Estonia learnt from being under attack (www.zdnet.com, 2/5/2013)
  • Enterprises using new tech to deceive hackers (www.zdnet.com, 1/28/2013)
  • Corporations bring a 'knife to a gun fight' amid cyberattacks (news.cnet.com, 1/25/2013)
  • McAfee: Automating security reduces cost, time inefficiency (www.zdnet.com, 1/17/2013)
  • Business Roundtable backs CISPA approach to cybersecurity (www.computerworld.com, 1/10/2013)
  • 5 key security threats in 2013 (www.zdnet.com, 1/8/2013)
  • Study: 94 Percent of Healthcare Organizations Breached (threatpost.com, 1/3/2013)
  • Putting security in perspective: beware of 'vending machines,' not sharks (www.zdnet.com, 12/27/2012)
  • Specialization in non-security fields key to fighting cyberthreats (www.zdnet.com, 12/21/2012)
  • EU tackles smart grid security for next-gen energy (www.infosecurity-magazine.com, 12/20/2012)
  • India govt unveils five-year plan to revamp cybersecurity (www.zdnet.com, 12/18/2012)
  • 2012: Looking back at the major hacks, leaks and data breaches (www.zdnet.com, 12/17/2012)
  • An introduction to return on security investment – RoSI (www.infosecurity-magazine.com, 12/17/2012)
  • Security budgets again expected to rise next year (www.scmagazine.com, 12/6/2012)
  • S.C. inspector general calls for statewide security program (www.scmagazine.com, 12/5/2012)
  • Small Medical Offices Biggest Risk to Patient Data Security, Privacy (threatpost.com, 12/5/2012)
  • New DOD Space Policy Addresses Safety, Security, Access (www.defense.gov, 11/21/2012)
  • Ten Ways To Secure Web Data Under PCI (www.darkreading.com, 10/29/2012)
  • The snapshot of rising cybercrime (www.zdnet.com, 10/24/2012)
  • The Elephant In The Security Monitoring Room (www.darkreading.com, 10/21/2012)
  • Survey: SMBs Remain Blissfully Unfazed by Cyberthreats (threatpost.com, 10/18/2012)
  • A False Sense Of Security (www.darkreading.com, 10/15/2012)
  • 'Project Blitzkrieg' Promises More Aggressive Cyberheists Against U.S. Banks (krebsonsecurity.com, 10/8/2012)
  • Secretary Napolitano Participates in Meeting with Members of the HSAC Cyberskills Task Force (www.dhs.gov, 10/2/2012)
  • Does Cybercrime Really Cost $1 Trillion? (www.wired.com, 8/1/2012)
  • Upsurge in targeted attacks against small businesses (www.zdnet.com, 7/13/2012)
  • FBI Credit Card Ring Bust Exposes PCI Challenges (www.darkreading.com, 7/2/2012)
  • FTC Charges Businesses Exposed Sensitive Information on Peer-to-Peer File-Sharing Networks, Putting Thousands of Consumers at Risk (www.ftc.gov, 6/7/2012)
  • NSA Crafting Cyber Guidelines (www.defensenews.com, 1/16/2012)
  • Twenty critical controls for effective cyber defence (continuitycentral.com, 1/13/2012)
  • Criminal Records Bureau checks to go online (www.guardian.co.uk, 12/7/2011)
  • UK firms to trial sharing of cyber attack data (www.reuters.com, 11/25/2011)
  • Government, companies taking steps to ward off cyberattacks (www.washingtonpost.com, 11/17/2011)
  • Exclusive: National Security Agency helps banks battle hackers (www.reuters.com, 10/26/2011)
  • Cybercrime becomes bigger threat to energy industry than terrorists (fuelfix.com, 10/13/2011)
White Papers
  • HP Cyber Risk Report 2015 (www8.hp.com, 2/26/2015)
  • SANS Health Care Cyberthreat Report (pages.norse-corp.com, 2/19/2014)
  • Cisco 2014 Annual Security Report (www.cisco.com, 1/16/2014)
  • Immediate Opportunities for Strengthening the Nation's Cybersecurity (www.whitehouse.gov, 11/22/2013)
  • Cyber security and fraud: The impact on small businesses (www.fsb.org.uk, 5/21/2013)
  • The 2013 Data Breach Investigations Report (www.verizonenterprise.com, 4/27/2013)
  • Microsoft - Linking Cybersecurity Policy and Performance (aka.ms, 2/7/2013)
  • 2013 Threats Predictions (www.mcafee.com, 1/7/2013)
  • Introduction to Return on Security Investment (www.enisa.europa.eu, 12/12/2012)
  • Third Annual Benchmark Study on Patient Privacy & Data Security (www.ponemon.org, 12/6/2012)
  • Cyberskills Task Force Report Fall 2012 (www.dhs.gov, 10/2/2012)
  • Electricity Subsector Cybersecurity Capability Maturity Model (energy.gov, 5/31/2012)
  • FY 2012 FISMA Reporting Metrics (www.dhs.gov, 2/14/2012)
  • The Future of the Electric Grid (web.mit.edu, 12/5/2011)
  • Protecting Personal Information: A Guide for Business (business.ftc.gov, 11/1/2011)
  • Foreign Spies Stealing US Economic Secrets in Cyberspace (www.ncix.gov, 10/1/2011)
Policies
  • Information Security Program Policy
Standards
  • FFIEC Information Security Booklet (FFIEC, 7/28/2006)
  • ISO/IEC 27001:2013 Information security management systems -- Requirements (ISO, 10/1/2013)
  • Corporate governance of information technology (ISO, 4/1/2008)
  • PA DSS (Payment Application Data Security Standard) (PCI, 5/27/2016)
  • Information Supplement: PCI DSS Mobile Payment Guidelines (PCI, 2/14/2013)
  • PCI DSS (PCI Data Security Standard) (PCI, 4/28/2016)
  • NIST SP 800-12 Revision 1, An Introduction to Information Security (NIST, 6/1/2017)
  • NIST Security and Privacy Controls for Federal Information Systems and Organizations (NIST, 4/30/2013)
  • NIST Performance Measurement Guide for Information Security (NIST, 7/1/2008)
  • NIST Information Security Handbook: A Guide for Managers (NIST, 10/1/2006)
  • NIST Technical Guide to Information Security Testing and Assessment (NIST, 9/1/2008)
  • NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations (NIST, 9/1/2011)