Business information exists in a complex ecosystem, teeming with a multitude of technologies, regulatory requirements, standards, business processes, vendors, security threats, system vulnerabilities, and market pressures. This information moves through elaborate workflows across networks, multiple applications, databases, servers, and across political boundaries. In today's world, much of this information has to meet the three information security tenets: availability, integrity and confidentiality.
Availability means that information must be available in a timely manner by those who need it. Integrity means that information is complete and free from tampering and confidentiality means that information must be secured from unauthorized access.
The following steps provide guidance for implementing an enterprise security program (ESP), a holistic approach to IT security.
Step 1: Establish Information Security Teams
In his book Good to Great, Jim Collins extols the virtues of having the right people on board before embarking on any corporate journey. The ESP journey is no different. Broadly speaking, the company needs to form two teams: the executive team and the cross-functional security team. The executive team is responsible for establishing the mission, objectives and goals for the ESP, and is usually comprised of senior-level executives. This team is also responsible for setting top-level security policies, establishing organization risk thresholds, obtaining funding for the ESP, and creating the cross-functional security team.
The cross-functional security team, itself made up of sub-teams, is responsible for day-to-day IT security operations, which include managing IT assets, assessing threats and vulnerabilities, managing risks, establishing policies, setting up procedures and controls, conducting internal audits, and providing training.
Step 2: Manage Information Assets
Managing information assets starts with conducting an inventory. This inventory should document hardware, applications (both internal and third party), databases, and other information assets (e.g., network shared folders, ftp sites etc.). Once the inventory is complete, each asset must be assigned an owner and/or a custodian. An owner serves as a point of contact for the assigned asset, whereas a custodian has responsibility for the stored information.
The assets are then categorized into different levels of importance, based on the value of the information contained in them and the cost to the company if an asset is compromised.
Step 3: Decide on Regulatory Compliance and Standards
Regulations are mandatory, legal requirements. Healthcare providers and most companies in financial services must implement certain guidlines. Standards-such as Payment Card Industry (PCI), ISO 27001-are industry best practices. The executive team determines which regulations and standards must be implemented.