Three pillars of information security:
- People
- Process
- Technology
Leadership commitment:
- “Tone at the top”
- Information security policy and objectives
- Assigning responsibility and authority
- Resource allocation
- Performance reviews
- Ensuring accountability
Information Security Manager or CISO:
- Heads department responsible for implementing information security program
- Directs planning, implementation, measurement, review, and continual improvement of program
IT user:
- Understand policies
- Conduct security/risk assessment
- Design effective security architecture
- Develop SOPs and checklists
- Implement controls
- Report incidents
- Conduct effective change management
Business user:
- Security awareness and training
- Follow information security policy
- Develop and implement secure business processes
- Role-based access control and periodic reviews
- Report incidents
Information security program:
- Assessing security risks and gaps
- Implementing security controls
- Monitoring, measurement, & analysis
- Management reviews and internal audit
- Accreditation/testing