The Need for Security Policies, Standards, Procedures, and Guidelines

Security doesn't just happen, and it isn't a single event. Security, or more precisely the pursuit of security, is an ongoing process. As Bruce Schneier, the internationally renowned security technologist, said, "Security is a process, not a product." It is the process of continually working toward your organization's security goals. Every organization is different, and security goals differ accordingly. That continual process requires specific direction.

Any organization's success at meeting its security goals depends on three main elements. A weakness in any one of them makes it harder to comply with your organization's security requirements. The three elements are:

  • Clearly stated security goals—You must have a clear security goals document that the organization's upper management fully endorses. Without clear goals you don't really know what you're trying to do, how you're doing it, or when you're done. Without upper management support you'll likely encounter resistance when you try to implement any new controls; in fact, fulfilling the responsibilities of a security practitioner without that support is difficult at best.

  • Documented plans—A plan is a series of steps designed to achieve a goal. You should have a plan for each security goal. Each plan may have additional guidance documents that provide more details to meet security goals.

  • Communication with stakeholders—A stakeholder is anyone who has an interest in, or is affected by, an activity. Documented plans are worthless if the people doing the security work don't know about them. A common point of failure in security administration is a lack of direction, and in many cases that lack of direction comes simply from not knowing what plans have already been made.

An organization that wants to implement solid security in its IT infrastructure should commit to all three elements, and should address them in order. Start by stating security goals that suit the organization's culture and compliance requirements. Next, write a plan for each goal and develop the guidance documents that support it; a solid security plan includes several types of guidance document. Good security training should stress the importance of compliance and cover the important parts of each of them:

  • Security policy—A high-level statement that defines an organization's commitment to security and its definition of a secure system, such as the importance of changing passwords periodically

  • Security standard—A collection of requirements users must meet, typically within a specific system or environment, such as changing a Windows password every 6 months

  • Security procedure—The individual tasks users carry out to comply with one or more security standards, such as the steps to change a password

  • Security guidelines—A collection of best practices or suggestions that help users comply with procedures and standards, such as suggestions on how to create strong passwords

Clearly stated goals, complete plans and guidance documents, and a strong commitment to training and communication can dramatically increase the success rate of meeting your security goals. Following these steps will put you well on your way to a secure environment.
