The CEO walks into your office/cube/dark cave. He has one of those looks on his face that does not bode well for you. He pauses, takes a breath, looks you straight in the eye and says, “We need an Information Security Program.”
You reply, “An Information Security Pro….what?”
He says again, “We need an Information Security Program thingy. All my CEO buddies have one. We need one. Figure it out. Get on it!” and leaves. No explanation of what this thing called an Information Security Program is and no guidance as to what he expects from you.
After fighting off those panicky feelings that threaten to make you run about screaming and shouting, you fire up your friend Google and get to work trying to figure out what an Information Security Program is.
One good thing
This scenario may seem quite far-fetched to you. Unfortunately, it probably isn’t. On the good side, the CEO wants it, or at least thinks he does. On the bad side, he doesn’t appear to have any idea what he is asking for, and frankly neither do you.
What is an Information Security Program?
So you start searching away and come up with things like the NIST Information Security Handbook: A Guide for Managers and the paper Information Security Program Development by Bruce C. Gabrielson, PhD, both of which are great resources. However, as I was looking about, I came across the University of Iowa’s page that describes their Information Security plan. I really like what they call the Objective as a good general definition:
This program is a collection of policy statements, an architecture model, and a description of the approach taken at the University of Iowa for information security. Together, they describe administrative, operational, and technical security safeguards that must be implemented for systems that create, maintain, house, or otherwise use confidential or sensitive information.
The objective is to provide Business Value:
- Applications delivered to more individuals, more timely, with better/definitive data
- Broader deployment of services and data increases both the value and the risk
- Information security is crucial to this environment
- There are many layers of security involved, each managed in concert with the rest to provide “Defense in Depth”:
  - Physical access to systems
  - Server or host controls
  - Client or workstation controls
  - Data access controls (confidentiality)
  - Policy & Procedures
  - Network controls
  - Employee practices
Management is responsible for taking the necessary steps to identify internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of institutional data. Risks may include, but are not limited to:
- Unauthorized access to confidential information
- Compromised system security as a result of access by an intruder
- Interception of data on the network
- Physical loss of data center or computer equipment
- Errors or corruption introduced into systems
- Inadequate system administration practices
Responsibility for managing the Enterprise Information Security Program is described in Roles and Responsibilities for Information Security. This document will be reviewed and updated on an annual basis by the IT Security Officer. Documentation supporting compliance with regulatory controls (e.g., memoranda received from service providers attesting to their security safeguards) will be maintained by the IT Security Office.
Great. Now what?
Okay. So you are saying to yourself, “That looks hard.” It is hard, but also necessary. We will be looking at some of the challenges in the future and some ways that we can overcome them.
I am really interested in your thoughts on this definition. Please leave them in the comments.