Information security is not often considered a critical part of an organization’s brand. But the safekeeping of an organization’s data and processes virtually shapes the way an organization serves its membership.
Having a well-planned strategy and framework will assist the organization in adopting the program and the operational aspects of security. Planning involves having short- and long-term goals that are well documented and align with the goals of the business. An effective approach for starting the planning process is to first review what existing security framework and policies are in place. A review of existing policies will allow you to gain an understanding of the potential threats, as well as safeguards defined to address these threats.
The security program review will provide you with actionable strategies for improving your security program and mitigating risk to your organization. Also, a review will allow you to consider what regulatory areas (FFIEC, PCI, etc.) are applicable to your organization to ensure that requirements are being appropriately met. The results of the program review and identification of any gaps will provide the basis for your strategic security plan. Below is a high-level summary of what you may want to include within an initial security program review.
• Define the information security program requirements and goals. Additionally, gather information on current or planned security initiatives and any particular areas of concern management may have about information security.
• Review your existing governance structure in relation to risk management and funding, and identify whether a security charter is in place. A security charter is a governance component that provides structure to the information security program, defines the program stakeholders and details how budgeting for projects will be determined.
• Focus on how security is integrated with the other business units and executive management. Review existing security program documentation and related controls. This should include policies, standards and procedures, as well as documentation pertaining to critical security processes, such as incident response, disaster recovery and change control. (Change control is an IT process whereby changes to system components are documented and tracked so that there is a back-out plan.)
• Identify areas of strength and weakness in security documentation and processes and analyze them against program goals and compliance requirements. In addition, prioritize gaps based on potential business impact and likelihood of process failure or exploitation.
• Remember to accentuate the processes, controls and policies you already have in place so you can build off them. The overall goal of the security program review is to document findings and recommendations, including detailed descriptions of the identified gaps and remediation strategies, as well as summary information that will provide insight to senior management on program strengths and weaknesses. The program review will assist in reducing risk and will support the development of an effective information security program with short-term and long-term components.
Short-Term Strategy
First, develop a short-term strategy to plan for and organize the work effort around the identified gaps from the program review. The short-term strategy should include all the gaps that can be effectively remediated within a typical timeframe of one year or less. Include projects in the short-term strategy based on project risk, cost and operational factors, as well as the ability to successfully complete the implementation within the allocated time period.
Develop the short-term strategy and review it with upper management before beginning to work on the larger long-term strategy. This will allow stakeholders the opportunity to provide feedback and provide you with the ability to get started on remediating the gaps identified from the security program review at the earliest opportunity.
Long-Term Strategy
Once the short-term strategy has been accepted by the security program stakeholders, you can begin working on creating the long-term strategy which will, at a minimum, incorporate security and compliance gaps identified as part of the security program review, as well as issues related to regulatory compliance. The long-term strategy is typically on a multi-year timeline and will include initiatives that have already been started by the organization, as well as remaining security initiatives that may require multiple years to complete.
Ensure the long-term strategy is documented in a way that will enable you to move projects around and re-prioritize security initiatives based on the changing needs of the organization and any new security concerns or risks. Take the time to ensure other critical stakeholders are periodically involved in the review of the strategic plan. You do not want to get too far ahead of developing a plan that is not accepted by the business. The strategic plan will help guide what information security projects need to be created to protect member data.
Making sure you align the strategic plan and security program with an information security standard is important to the success and viability of the program. Having a formal published framework or standard as the basis for the information security program demonstrates maturity and well-thought-out strategy to the security program stakeholders and supporters.
The two most prominent information security standards are maintained by ISO (International Standard Organization) and NIST (National Institute of Standards and Technology). These two frameworks allow you to adopt particular domains or areas of the framework to implement within an information security program. Adopting a standard will assist the organization in developing the program and provide guidance in the technical and administrative controls that are needed to protect the organization’s critical assets and member data.
Your strategic plan should outline and define the governance and framework of your credit union’s program. One of the primary objectives of this plan should be to demonstrate how information security will support the business needs in protecting critical assets and member data. The plan should also provide a high-level outline of anticipated project staffing requirements (both internal and external) and a security charter. The charter will include program goals, governance, framework, responsibilities and team members. Additionally, the charter will establish the information security program from an overall organizational standpoint that ensures integration with executive management, aligns with the goals of the organization, and integrates with other business units.
Budget
With a long-term strategic plan in place, the next step is budgeting. From my experience, budgeting is often an area that is overlooked within any strategic plan and yet it is critical to the success of moving any information security program forward. Without a budget, even the best defined short-term and long-term plans will not succeed. Therefore, make sure to incorporate into your program a budgetary strategy that funds the projects that need to be completed to accomplish the short-term and long-term strategies.
A proven way of outlining and defining the necessary budget for a security program and the projects that make up the program is to adopt a process of creating business cases for each project you propose. The business cases will demonstrate to your stakeholders a well-thought-out process and assist you in obtaining the necessary funding to remediate gaps and ultimately protect member information.
A typical business case will incorporate the following information:
- Project name: title for the project;
- Project objectives: critical objectives that need to be achieved to remediate gaps identified, and how the project is associated with the overall security program;
- Milestones: deliverables within each project that can be noted and documented to demonstrate each project’s progress;
- Cost factors: include whether a significant investment in hardware or software may be required;
- Staffing: internal and external resource requirements for the project; and
- Security expertise: skills specific to information security that may be required to successfully implement the project.
The ability to document sufficient information within each project’s business case will assist you in prioritizing the different projects and to work collaboratively with the business to obtain the level of funding needed to finalize the short-term and start working toward the long-term strategy.
The proposed approach will assist your credit union in developing a strategic plan to address information security. Remember to include stakeholders in the development of any plan or program, and to keep those stakeholders apprised of your planning efforts. Also, consider incorporating into your process a business-case approach to obtaining the budget that you need to address the short-term gaps and move your program forward in alignment with the long-term strategy that you have formalized.
Lee Buttke, QSA, CPISM, CISSP, is director of consulting at NetSPI, a privately held information security consulting company founded in 2001.