Take Into Account Considerations Beyond Technology
Technology is generally considered a cost-center in most companies, since the department does not generate revenue. For CIOs / CISOs / CTOs / IT Directors, the challege is to demonstrate maximum value to the company, so that technology budgets are protected. From the IT security side of things, having proper documentation is part of an overall risk management strategy. Having comprehensive IT security policies, standards, guidelines and procedures can provide evidence of due care and due diligence, which is crucial if your company is ever breached or sued for the loss of sensitive customer data.
IT Security Program Development - Starts With The Business
1. High-level business guidance is a necessity to create a viable IT security program. This executive-level direction establishes the big picture goals that IT security capabilities will need to enable.
2. Many companies define a maturity state target for their IT security programs. Maturity levels help quantify risk – lesser mature programs will inherently accept greater risk than more mature programs. These maturity levels are commonly defined by ISO 15504-2, COBIT, or CMMI for Services frameworks.
3. When you tie in a targeted maturity level with an understanding the company’s vision, mission and strategy, you can clearly develop a business plan that makes IT security a strategic asset to enable growth and minimize risk to the company.
4. From the perspective of a company’s IT security program, what brings it all together is the policies and standards. This documentation provides the management, operational and technical direction for IT security technologies and activities.
5. Procedures are where “the rubber meets the road” for IT security. Procedures enact the requirements called out in the IT security policies and standards to create a formal method to do something.
Working together, this program documentation helps create evidence of due care and due diligence - critical to proving your company took reasonable precautions to prevent a cybersecurity incident!
Cybersecurity Program Development - Due Care Considerations
Defined maturity targets influence business planning.
Business plans document milestones to meet maturity targets.
Business plans provide scoping for the IT security program.
Business plans establish evidence of due care.
Procedures establish evidence of due care.
Cybersecurity Program Development - Due Diligence Considerations
Procedures direct the workflow for staff to follow.
Managing exceptions to standards documents the management of risk.
Evidence of procedures being followed establishes evidence of due diligence.