Security control implementation

Security control implementation is where the rubber meets the road for all of the effort that has been conducted regarding information categorization and security control selection with business and IT users. Security control implementation must be carefully planned and communicated with the project team that is implementing the new information system, ensuring that no information security control is left unimplemented.

Now that we are at the point in the system development life cycle where we are working to develop the information system, we must ensure that the project's scope includes the security control implementation as part of the overall project scope. While the information security professional will play an important role in the implementation of the security controls, this will be a team effort. Security controls must be assigned to the appropriate IT team member to ensure that the correct subject matter expert is involved.

You should work to categorize your security controls so that you can more easily provide the controls to the subject matter experts for implementation. As an example, controls related to network security will not typically be implemented by your web applications team. Following are some categories that you can split your security controls into so that you can more easily manage them with your IT teams:

  • Physical and environmental: Electrical, data center, physical access, and environmental
  • Documentation categories: User rules for behavior, requirements documents, configuration management plan, design document, and IT contingency plan
  • Roles: Chief information officer, chief information security officer, ISSO, system administrator, application developer, network engineering, project manager, information security, and application administrator
  • Technical controls: Access controls, collaborative computing, wireless, encryption, account management, auditing, authentication, DMZ, disaster recovery, mobile devices, VoIP, servers, and workstations

The information security professional must be able to fully support the rest of the technical team during the implementation of information security controls so that the controls are adequately implemented.
