Sunday, October 23, 2011

Developing an Information Security Strategy & Program


When it comes to Information Security management, one of the most interesting and difficult tasks is developing an Information Security strategy and program. Why is a strategy required? Consider the following statement:
Developing and maintaining an information security strategy is essential to the success of your program. This strategy serves as the road map for establishing your program and adapting it to future challenges. By following a consistent methodology for developing your strategy, you are more likely to achieve high-quality results during the process and complete the project in a timely manner [1].
So, what is the difference between a strategy and a program? Well, they are related in the following way:
  • An Information Security strategy sets long-term objectives (security objectives), normally by determining the Organization's current state and its desired state in information security matters. The planning horizon is normally 5 years.
  • An Information Security program is what takes the Organization from that current state to the desired state, by executing short-, mid- and long-term projects.


The program should be based on a Strategy. We know that the core of any security program will be Risk Management, Policies, procedures & standards, information security organization structures, information classification and awareness & education. But depending on the Organization and where it wants to set its security objectives, these "core" foundations will be adapted to its strategy.

For starters
The following steps are the basic foundations for a successful Information Security Strategy (ISS):

Step 1: Strategic Alignment
Creating an ISS is not an easy thing, and it is not 100% Information Security related either. A good ISS has to be aligned with the business processes and objectives of the Organization we are creating it for. In other words, we have to know and understand the Organization's mission and align our ISS with it. This is not easy, but it is critical.
Step 2: Executive Management Support
Another key to success is having Executive Management support. Again, this is not easy, but it is one of the most important things. Management must understand that Information Security is not a bunch of firewalls, Antivirus software and strong passwords. Information Security is a living thing that requires management; hence, a definition of Information Security Management would be: all the activities that properly identify and value an Organization's information assets and that, together, provide confidentiality, integrity and availability for them.

A Steering Committee can be established with Executive Management to formally include them in the process (basis for an Information Security Governance initiative).
Step 3: Regulatory Requirements
And finally, what are our regulatory requirements? Based on the Organization's business processes and objectives, we will be able to define which regulatory requirements the Organization must comply with. For example, if an Organization sells Health related products (drugs or equipment), it must comply with FDA requirements. Also, if it handles Protected Health Information (PHI), it must also be compliant with HIPAA.

How to Develop a Strategy
So, once we have Executive support and we know the Organization's business objectives and regulatory requirements, we need to know two things: where we stand and where we want to go.
Step 4: Information Security Strategy Framework
So, to know where the Organization stands in Information Security matters, we need to compare its current state against industry best practices (standards and frameworks). These must be the same ones we are going to use to define the desired state. Why? Because by using the same standards and frameworks we can perform a more accurate GAP analysis (it's like comparing apples to apples).

So what best practices should we use? Again, it depends on the Organization's objectives. Normally, I would recommend standards and frameworks like NIST, ISO 27002, CMMI, CobiT, ITIL and COSO, and then add the controls required by regulatory requirements (call it PCI, HIPAA, FDA, FFIEC). Normally a mapping analysis between the different standards and regulatory requirements will be necessary in order to avoid control repetition.


Also, it is possible to combine two or more standards or frameworks. For example, we can use the 11 security control clauses of ISO 27002 in combination with the Capability Maturity Model (CMM), where for each clause we estimate the current state as a maturity level:

The combination of all the standards and frameworks creates what I like to call the "ISS Framework", which we will use to define the security objectives. This is also known as the Corporate Security Framework.

Step 5: Current State
Now that we have defined an ISS Framework, we need to determine our current state. In order to do that, two things must be done: a GAP analysis against the ISS Framework and a Risk Analysis.

It is recommended that a Risk Assessment framework is used (i.e. NIST SP800-30, CobiT, RiskIT, etc.). Also, the ISS Framework controls can be included as part of the Risk Analysis when performing the Vulnerability Identification (from NIST SP800-30), since missing or not fully implemented controls introduce vulnerabilities and resulting risks.

The scope of the Risk Assessment must include all applications and devices that transmit, process or store critical information (i.e. critical applications and general support systems). In order to do this, the following conditions have to be met:

  • Information assets and resources are properly identified.
  • Information assets and resources are properly valued.
  • Information assets are classified according to their confidentiality, integrity and availability requirements.
Without those conditions, a sound ISS cannot be achieved.

The output of the Risk Analysis (plus GAP analysis) will be the current threat profile and the identified risks to the Organization. If we are using another standard or framework, like CMMI, then we would need to assign a level to each control clause based on the results obtained.

An important thing to define in this step is the Risk Appetite of the Organization. When we talk about the risk appetite, we are talking about the amount of risk an enterprise is prepared to accept. Risk appetite can and will be different amongst enterprises, hence there is no absolute norm or standard of what constitutes acceptable and unacceptable risk.

Step 6: Desired State
With the Organization's current state known, we can define the desired state. Again, we have to use the same ISS Framework we defined in step 4. Now it's time to define the Information Security objectives (long term) for the Organization. For example:
  • Become PCI compliant.
  • Become HIPAA compliant 
  • Implement Asset Management control clause (at least level 4) 
  • Implement Business Continuity Management (at least level 5) 
Two critical things should be considered when defining the objectives: the Risk Appetite of the Organization and the strategic alignment.

Risk appetite should be considered since it will modify the desired state. An Organization with a greater risk appetite will not fully implement all controls, while one with almost zero risk tolerance will implement almost every control.

Finally, objectives that do not support the Organization’s business strategy should not be considered.
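Steps 4 to 6 together describe a computable procedure: rate each ISO 27002 clause on a CMM scale (current state), set a target level per clause (desired state), let the risk appetite relax targets that are not mandated by regulation, and compute the gap. The following script is an added example that is not part of the original post; the clause titles are the 11 ISO 27002:2005 control clauses, while the maturity ratings, the desired levels and the risk-appetite relaxation rule are constructed sample values and a hypothetical policy, not figures from the post.

```python
from dataclasses import dataclass, replace

# CMM-style maturity scale used to rate each ISO 27002 clause (0-5).
MATURITY_LABELS = {
    0: "Non-existent",
    1: "Initial / ad hoc",
    2: "Repeatable but intuitive",
    3: "Defined process",
    4: "Managed and measurable",
    5: "Optimized",
}

# Hypothetical policy (not from the post): how many levels a given risk
# appetite subtracts from the desired level of non-regulatory clauses, and
# the floor below which a target is never relaxed.
APPETITE_RELAXATION = {"low": (0, 5), "medium": (1, 3), "high": (2, 2)}


@dataclass(frozen=True)
class ClauseAssessment:
    clause: str               # ISO 27002 control clause title
    current: int              # maturity level found in the current-state assessment
    desired: int              # long-term objective set in the desired state
    regulatory: bool = False  # True when a regulation (PCI, HIPAA, ...) mandates it

    def __post_init__(self):
        for lvl in (self.current, self.desired):
            if lvl not in MATURITY_LABELS:
                raise ValueError(f"maturity level {lvl} outside 0-5 for {self.clause}")


def apply_risk_appetite(assessments, appetite):
    """Return a copy of the assessments with desired levels lowered per appetite.
    Regulatory clauses are never relaxed: appetite does not override compliance."""
    drop, floor = APPETITE_RELAXATION[appetite]
    adjusted = []
    for a in assessments:
        if a.regulatory or drop == 0:
            adjusted.append(a)
        else:
            # Lower the target by `drop` levels but never below `floor`; a target
            # that already sits under the floor is left as it was.
            new_desired = min(a.desired, max(a.desired - drop, floor))
            adjusted.append(replace(a, desired=new_desired))
    return adjusted


def gap_analysis(assessments, appetite="low"):
    """Compute the per-clause gap between current and desired state, ordered so the
    program roadmap starts with regulatory clauses and then the largest gaps."""
    rows = []
    for a in apply_risk_appetite(assessments, appetite):
        gap = max(a.desired - a.current, 0)   # already-exceeded targets have no gap
        rows.append({"clause": a.clause, "current": a.current, "desired": a.desired,
                     "gap": gap, "regulatory": a.regulatory})
    rows.sort(key=lambda r: (-int(r["regulatory"] and r["gap"] > 0), -r["gap"], r["clause"]))
    return rows


def maturity_label(level):
    return MATURITY_LABELS[level]


# Constructed sample current-state assessment for the 11 ISO 27002:2005 clauses.
SAMPLE_ASSESSMENT = [
    ClauseAssessment("Security Policy", 2, 4),
    ClauseAssessment("Organization of Information Security", 2, 4),
    ClauseAssessment("Asset Management", 1, 4),
    ClauseAssessment("Human Resources Security", 2, 3),
    ClauseAssessment("Physical and Environmental Security", 3, 4),
    ClauseAssessment("Communications and Operations Management", 2, 4),
    ClauseAssessment("Access Control", 2, 5, regulatory=True),   # e.g. mandated by PCI
    ClauseAssessment("Information Systems Acquisition, Development and Maintenance", 1, 3),
    ClauseAssessment("Information Security Incident Management", 1, 4),
    ClauseAssessment("Business Continuity Management", 1, 5),
    ClauseAssessment("Compliance", 2, 4, regulatory=True),
]


def print_report(rows):
    for r in rows:
        flag = "*" if r["regulatory"] else " "
        print(f"{flag} {r['clause'][:45]:45s} current={r['current']} "
              f"desired={r['desired']} gap={r['gap']} ({maturity_label(r['current'])})")


if __name__ == "__main__":
    for appetite in ("low", "high"):
        print(f"--- risk appetite: {appetite} ---")
        print_report(gap_analysis(SAMPLE_ASSESSMENT, appetite))
```

Running it with a low and then a high appetite shows the point made above: the high-appetite roadmap drops most non-regulatory clauses to a gap of zero, but the regulatory clauses keep their full target, so the program shrinks without trading away compliance.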

Build the Roadmap
Now that we have the desired state or the information security strategy, what will take us from the current state to that desired state is the Information Security Program (ISP). The ISP consists of all the activities that together provide Information Security. Normally, it will consist of short and medium term projects with some of them being recurring ones, such as Risk Assessments and Awareness & Education.
Step 7: ISP framework
It is important to define what framework we are going to use to develop the ISP. There is no straight answer here; we can have a custom-made framework like 1) Plan / Organize, 2) Implement, 3) Maintain / Operate, 4) Monitor / Evaluate, or we could apply the PDCA cycle (Plan – Do – Check – Act) from the ISO 27001 standard.

Whatever framework we apply, as long as it has a planning phase, an execution phase, a control phase and a feedback / adjustment phase, it should work.
Step 8: Create the ISP
So, based on the Information Security long-term objectives (desired state or strategy), we should break them down into smaller projects that will help us achieve them. As mentioned before, these projects should be sized based on many factors, like funding, criticality, business objectives, resources available, technologies, etc. Normally, the ISP will involve 5-year projects (aligned to the 5-year planning horizon of the strategy), and a very important fact is that it is never final. Why? Because of the nature of its contents: Information Security always changes!

So it is important to consider constraints that may appear when developing the ISP:
  • Law 
  • Physical capacity 
  • Ethics 
  • Culture 
  • Costs 
  • Funds 
  • Personnel 
  • Resources 
  • Capabilities 
  • Time 
  • Risk appetite 
The resources that will be used to achieve the various parts of the strategy and that are used in the ISP are, among others:

  • Policies 
  • Standards 
  • Processes 
  • Methods 
  • Controls 
  • Technologies 
  • People 
  • Skills 
  • Training 
  • Education 
  • Other organizational support and assurance providers 
So, continuing with our example before:



Step 9: KPI
It will be necessary to establish a way to analyze the progress of the ISP execution. In order to achieve this, Key Performance Indicators must be planned, established and measured. Which KPIs must we use? Well, all projects must be tracked for schedule and cost. Another way to achieve this is to use CMM to monitor how a specific area evolves over time.
Step 10: Do – Check – Act
Once we have the ISP ready, according to the Plan - Do - Check - Act framework we should:
  • Do: Execute the program accordingly.
  • Check: Monitor the progress of the program frequently.
  • Act: On deviations found, take the necessary corrective actions in order to get back on track.
By Agustin Chernitsky

[1] Mather, Tim & Egan, Mark. Developing Your Information Security Program. Prentice Hall PTR, USA, 10 December 2004.