The Information Security Program and How a Security Assessment Fits In
65
Clients should not feel blindsided by anything in the final report resulting from the assessment.
• Preparation should be emphasized. In each of the first four phases, there is some element of preparation, which is a key concept in this security assessment methodology. Preparation is in the form of doing research on companies and preparing question sets for meetings with clients. Preparation is important because it enables you to ask more informed questions during the assessment. Instead of wasting time on things you could have learned by preparing, you can spend the time in interviews talking about more meaningful aspects of the business. In addition, people are busy, so it is in everyone’s best interest to use time with the client efficiently. Good preparation allows you to do this.
EXECUTIVE SUMMARY
This chapter discussed the definition of information security programs and their key components, how a security assessment fits in, why companies would conduct a security assessment, and the high-level security assessment methodology. An information security program consists of people, processes, and technology and is essentially the conglomeration of all steps a company takes to protect its information assets. The key components of an information security program include:
• Security strategy — Central component of an information security program; overall information security strategy based on the security risks the business is facing
• Security policies and procedures — Security requirements and processes to implement the security strategy
• Security organization — Personnel who ensure that the information security program is up to date and who conduct enforcement activities related to information security
• Executive support — Support from management that is critical in helping to ensure that employees take the information security program seriously
• Toolsets — Tools to automate tasks that are necessary for enforcement of good security practices but are virtually impossible to perform manually
• Enforcement — Proactively checking for compliance with security policies and procedures to ensure that the information security program is effective
Due to the dynamic nature of companies, security risks are always changing. Consequently, the information security program should be constantly evolving to address current risks. The security assessment process is essentially the process for ensuring that the information security program is addressing the security risks a company faces. It is a constant evaluation of the information security program to ensure that security measures are aligned with the security risks facing a company.