Building an Enterprise Security Program in Ten Simple Steps

The complexity of today's technologies, regulations, business processes, security threats and a multitude of other factors greatly increases the risks faced by businesses today. These tips for building an enterprise security program (ESP) can help.

By Yesh Dattatreya

Wed, October 15, 2008CIO Business information exists in a complex ecosystem, teeming with a multitude of technologies, regulatory requirements, standards, business processes, vendors, security threats, system vulnerabilities, and market pressures. This information moves through elaborate workflows across networks, multiple applications, databases, servers, and across political boundaries. In today's world, much of this information has to meet the three information security tenets: availability, integrity and confidentiality.

Availability means that information must be available in a timely manner by those who need it. Integrity means that information is complete and free from tampering and confidentiality means that information must be secured from unauthorized access.

The following steps provide guidance for implementing an enterprise security program (ESP), a holistic approach to IT security.

Step 1: Establish Information Security Teams

In his book Good to Great, Jim Collins extols the virtues of having the right people on board before embarking on any corporate journey. The ESP journey is no different. Broadly speaking, the company needs to form two teams: the executive team and the cross-functional security team. The executive team is responsible for establishing the mission, objectives and goals for the ESP, and is usually comprised of senior-level executives. This team is also responsible for setting top-level security policies, establishing organization risk thresholds, obtaining funding for the ESP, and creating the cross-functional security team.

The cross-functional security team, itself made up of sub-teams, is responsible for day-to-day IT security operations, which include managing IT assets, assessing threats and vulnerabilities, managing risks, establishing policies, setting up procedures and controls, conducting internal audits, and providing training.

Step 2: Manage Information Assets

Managing information assets starts with conducting an inventory. This inventory should document hardware, applications (both internal and third party), databases, and other information assets (e.g., network shared folders, ftp sites etc.). Once the inventory is complete, each asset must be assigned an owner and/or a custodian. An owner serves as a point of contact for the assigned asset, whereas a custodian has responsibility for the stored information.

The assets are then categorized into different levels of importance, based on the value of the information contained in them and the cost to the company if an asset is compromised.

Step 3: Decide on Regulatory Compliance and Standards

Regulations are mandatory, legal requirements. Healthcare providers must implement Health Insurance Portability and Accountability Act (HIPAA) guidelines, and most companies in financial services must implement Gramm-Leach-Bliley Act (GLBA). Standards—such as Payment Card Industry (PCI), ISO 27001—are industry best practices. The executive team determines which regulations and standards must be implemented.

Loading...
Security MarketSpace
White Papers
5 Tips for Data Loss Prevention Solutions
RSA® The Security Division of EMC has identified 5 key considerations to help organizations simplify the evaluation process for selecting a DLP solution that is right for their business. Learn more »
Secure Training Videos to Prevent Theft
Learn how Dream Force extended their marketing reach without being constricted. Learn more »
Prevent Intellectual Property Theft
Learn what the key components were in Hock International's purchasing decision. Learn more »
Webcasts
Managing Client Systems in the Enterprise
Why Data Loss is Increasing--and What You Can Do About It
Maximizing the Business Value of the PC Infrastructure
Reduced IT budgets have CIOs hunting for ways to maximize their PC infrastructure, while saving money and IT staff time. Diane Bryant, CIO of Intel Corp., talks with CIO magazine's Gary Beach about how her organization is addressing these challenges. Learn more »
 
SPONSORED LINKS
 

Data Loss Prevention: A Better Way to Approach Security

Software Executives: Take Control of Your Organization's Code Quality

Delivering Secure and Reliable Data through Spreadsheet Automation

Taking the Service Desk to the Next Level

Why Data Loss is Increasing--and What You Can Do About It

Communications and Collaboration Needs at Business Organizations

Using Open Source to Deploy Web Applications

Mid-Sized Company CIO Community: infoBOOM!

Enterprise PBX Comparison Guide

Getting Value from Outdated Networking Equipment

Accenture IT Consulting: Logical meets technological. More . . .

White Paper: 8 Key Ingredients to Building an Internal Cloud

Read about virtualization and consolidation effort best practices

Building the Virtualized Enterprise with VMware Infrastructure

Top 10 Business and IT Drivers for the Wealth Management Sector

Bottom-Line Benefits of Virtualization

White Paper: The Building Blocks for Cloud Computing

Oracle's Application Grid Technical Demo

Next-Generation Application Servers and Infrastructure

Application Infrastructure at Enterprise Organizations

Achieving Business Agility with Application Grid

Learn about The Information Technology Infrastructure Library.

Achieving Pervasive Performance Management

Gartner Shares Predictions for 2009

64-page prescriptive guide to security, compliance, and IT operations.

Stop Application Fraud at the Source with Device Reputation

Ready to Act: 3 Recommendations for Agile Processes

Automating the Generation and Secure Distribution of Excel Reports

Seven Ways ITIL Can Help You in an Economic Downturn

Maximizing the Business Value of the PC Infrastructure

Learn how to managing client systems in the enterprise.

Cloud Computing: Read about VMware's compelling vision & set of products

Enterprise PBX Buyer's Guide

Secondary Market Primer: Your Network at Half Price

Top-line Performance that's Bottom-line Efficient

Accenture: Outsourcing for uncertain times. Click to learn more.

Learn about the VMware vSphere (TM) & Intel (R) Xeon (R) Processor 5500 Series

Learn how a virtualized enterprise can help your company reduce costs

Why Isn't Server Virtualization Saving Us More?

8 Key Ingredients to Building an Internal Cloud

Data Center Optimization: Three Key Strategies

A CIO Executive Guide: Cloud Computing Looms Big on the Horizon

Oracle WebLogic Server Technical Demo

Data Grids and Service-Oriented Architecture

Achieving the Impossible: Unlimited Application Scalability

A Middleware Foundation for Application Grid

Tips for successful virtualization management.

Smart Decisions: The Role of Key Performance Indicators

Reduce risk, gain agility. See how Progress can help your business.

Improve ROI, lower TCO and reduce energy consumption.

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords