The creation and implementation of a formal information security management program is fraught with challenges, but once in place it offers enormous benefit to the implementer. With the number of published vulnerabilities at a staggering level, the ability to accurately identify, remediate and manage vulnerability-related risk is critical. If you surveyed most IT professionals and posed the question "has your company implemented any form of formal information security management program?" (meaning the combination of people, process and technology working together to address vulnerabilities and risk), the answer would generally be no. That is not for lack of desire or of the ability to create one; it is more a function of time and resources. With current economic conditions weighing heavily on nearly every business, the implementation of an information security management program is generally not a top priority. Surprisingly, though, the by-products of implementing such a program can be quite beneficial: lower operational costs through greater efficiency, as well as a reduction in risk. The greatest value comes in the form of measurability.
Measurability comes from the structured implementation of security controls (and the policies behind them) that are both measurable and enforceable. Well-recognized frameworks and standards such as ISO 27002, NIST SP 800-53, COBIT and ITIL are the basis for any formal program. If you are considering the development of such a program, there are some excellent websites that contain a wealth of information to aid you in your effort. Some of the sites I'd recommend are as follows:
ISO 27002
http://www.standardsdirect.org/iso17799.htm
NIST SP 800-53
http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
COBIT
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
ITIL
http://www.itil-officialsite.com/home/home.asp
By creating a formal information security management program, you have put structure around something that is very difficult to confine: the potential for risk. Once it is in place, you will quickly discover that your security posture is truly measurable, and that the return on your investment in such an endeavor is rapid.
Dave Eike
Shavlik Technologies