How mature is your organization?

The maturity of your organization will directly impact the progress that you will be able to make regarding the planning and implementation of your information security program.

In the following list, you will find some questions that will help you to think about your organization's current maturity. You will want to ask yourself similar questions to determine where you are starting from when planning your information security program.

Where is your organization now?

  • People:
    • Does your organization have an existing information security capability? What is that capability?
    • Is this capability only technical in nature, or does information security have a relationship with the business users?
  • Process:
    • Is your organization's information security program chartered and supported by senior leadership?
    • Do you have organization-wide information security policies?
  • Technology:
    • What information security tools has your organization implemented?
    • Are those tools properly managed and is continuous monitoring active?

You will want to define for yourself where you want to take your information security program. You should break up your planning into manageable durations and chunks of work to avoid boiling the ocean. In the following list, you will find sample goals for an information security program.

Where do you want your organization to be?

  • First 90 days:
    • Users well trained in information security principles
    • Information security is part of the decision-making process
    • Assessment of organizational risk conducted
  • Six months:
    • Development and acceptance of information security policies
    • Information security is part of the system development life cycle and change management process
  • Year one:
    • Full adoption of information security policies
    • Repeatable information security metric reporting
    • Operational security: security tools, security operations center