You're reading from Certified Information Security Manager Exam Prep Guide - Second Edition

Product type: Book
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781804610633
Edition: 2nd Edition
Author: Hemang Doshi
Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.

Information Security Program Development

In this chapter, you will gain an overview of information security program development and understand the methods, tools, and techniques available for developing information security programs. The main objective of information security program development is to achieve the objectives of information security in an effective and efficient manner. Program development includes the processes of planning, implementing, testing, monitoring, and controlling activities related to information security. A structured security program helps an organization manage its security initiatives effectively.

The following topics will be covered in this chapter:

  • Information Security Program Overview
  • Information Security Program Resources
  • Information Asset Identification and Classification
  • Information Asset Valuation
  • Industry Standards and Frameworks for Information Security
  • Information Security Policies, Procedures...

Information Security Program Overview

An information security program covers all the activities and processes that collectively provide security services to an organization. Some common activities of security programs include the design, development, and implementation of security-related controls throughout the organization. Controls can be in the form of simple policies and processes or advanced technological structures. Depending upon the size and nature of the organization, a security program can be managed by either a single individual or a specific team headed by the chief information security officer (CISO).

Figure 5.1: The role of the chief information security officer

A security manager is expected to have thorough knowledge of information technology, since it helps them understand how changes in an organization's technical environment can affect its security posture. An information security manager is required to evaluate the risk of technology and...

Information Security Program Resources

The success of an information security program mainly depends on the available resources for information security management. Resources can be in the form of technologies as well as qualified employees. Apart from processes, policies, and people, an information security program involves a number of technologies.

An information security manager must be capable of making technical decisions to ensure that the deployed technologies are aligned with the information security program's goals and objectives. The following are some of the technological aspects that an information security manager needs to deal with:

  • Placement of firewalls
  • Antivirus/antimalware systems
  • Security information and event management (SIEM) software
  • Tools for AppSec and DevOps

Information Asset Identification and Classification

Information asset classification refers to the classification of information assets based on their criticality to the business. These assets can be classified as confidential, private, or public. This classification helps organizations provide the appropriate level of protection for their assets. More resources should be utilized for the protection of confidential data compared to public data.

Benefits of Classification

  • Classification helps to reduce the risk of under-protection of assets. Assets are protected in proportion to their criticality.
  • Classification helps to reduce the cost of over-protection of assets.

Understanding the Steps Involved in Classification

A CISM aspirant should understand the following steps for the successful implementation of an information classification program:

Step 1: Create an inventory of all information assets the organization possesses.

Step 2: Establish ownership...

Information Asset Valuation

Asset valuation provides a cost representation of what the organization stands to lose in the event of a major compromise. From the risk management perspective, assets are generally valued based on the business value and not only on simple acquisition or replacement costs. Business value is measured in terms of revenue loss or other potential impacts when an asset is compromised.

For example, suppose software is acquired at a cost of $1,000 and it generates revenue of $5,000 per day. In this case, the business value will be $5,000 per day and not merely the cost of acquisition ($1,000).

Determining the Criticality of Assets

The best method to determine the criticality of assets is a business impact analysis (BIA). A BIA identifies the critical business assets by analyzing the impact that the unavailability of each asset would have on business objectives. In the event of a disaster, the identified critical assets are recovered and restored as a priority to minimize the damage...

Industry Standards and Frameworks for Information Security

A framework is a structure or outline that supports the implementation of an information security strategy. Frameworks provide the best practices for a structured security program. They are flexible structures that any organization can adopt as per its environment and requirements. Governance frameworks such as COBIT 5 and ISO 27001 are examples of widely accepted and implemented frameworks for security governance.

Generally, a security framework has the following components:

  • Technical components: Technical components are parts of the framework that cover technical and IT aspects of security. Examples of technical aspects include configuration, monitoring, and maintenance of technical components such as firewalls, intrusion detection systems (IDSs), and SIEM. It is very important to have assigned ownership for each technical asset to ensure proper risk treatment and compliance with security policies.
  • Operational...

Information Security Policies, Procedures, and Guidelines

A security program is implemented through a specific set of policies, standards, and procedures:

  • Policies: These are sets of ideas or strategies used as a basis for decision-making. They are high-level statements of direction made by management.

There can be multiple policies at the corporate level as well as at the department level. It should be ensured that department-wise policies are consistent and aligned with corporate-level policies.

  • Standards: These are mandatory requirements to be followed to comply with a given policy, framework, certification, or regulation. Standards provide detailed directions for compliance.

A standard helps to ensure the efficiency and effectiveness of processes, resulting in reliable products or services. Standards are updated as and when required to incorporate new processes, technologies, and regulatory requirements.

A standard is a dynamic document and...

Defining an Information Security Program Roadmap

For the effective implementation of a security program, it is recommended to develop a roadmap covering the different stages with clear objectives to be achieved during each stage. The initial stage of program development is to have discussions with the concerned stakeholders, such as business units, legal, HR, and finance. This will help the security manager determine the security requirements of different units.

In the second stage, security requirements should be formalized and the basic security policy should be drafted, and approval should be obtained from senior management. A security steering committee consists of officials from different business functions. It plays an important part in the finalization of security requirements. In the third stage, members of the security steering committee emphasize the promotion of security awareness as a part of the policy and conduct security reviews to see whether they are in compliance...

Information Security Program Metrics

A metric is the measurement of a process used to determine how well it is performing. Security-related metrics indicate how well controls are able to mitigate risks. For example, a system uptime metric indicates whether the system is available to users as per the requirements. The following are some examples of security-related metrics:

  • Percentage of critical servers for which penetration testing has been conducted
  • Percentage of high-risk findings closed within a month
  • Percentage of deviation from the information security policy
  • Percentage of computers having unsupported operating systems
  • Percentage of computers with updated patches
  • Average response time to handle incidents
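The metrics in the list above are only useful if they are computed the same way every reporting period, so it helps to see them as functions over an asset inventory rather than as one-off spreadsheet figures. The following is an added example and is not code from the book: it computes five of the listed metrics (the policy-deviation metric needs data the sample does not model) over constructed inventory, finding and incident records. The field names (`supported`, `patched`, `pentested`, `opened`, `closed`, and so on) are assumptions for the illustration, and the zero-population guard in `pct` shows the edge case a reporting script has to handle when, for example, no high-risk findings were opened in a period.

```python
"""Compute security program metrics from inventory-style records.

Added illustration; all records below are constructed sample data,
not taken from the book or from any real environment.
"""
from datetime import date, datetime

# Constructed sample inventory: one record per managed computer.
COMPUTERS = [
    {"host": "ws-01", "os": "Windows 10", "supported": True, "patched": True},
    {"host": "ws-02", "os": "Windows 7", "supported": False, "patched": False},
    {"host": "srv-01", "os": "Ubuntu 22.04", "supported": True, "patched": True},
    {"host": "srv-02", "os": "CentOS 6", "supported": False, "patched": False},
    {"host": "srv-03", "os": "Windows Server 2019", "supported": True, "patched": True},
]

# Constructed sample server register with criticality and pentest status.
SERVERS = [
    {"host": "srv-01", "critical": True, "pentested": True},
    {"host": "srv-02", "critical": True, "pentested": False},
    {"host": "srv-03", "critical": False, "pentested": False},
]

# Constructed sample findings; "closed" is None while a finding is still open.
FINDINGS = [
    {"id": "F-1", "risk": "high", "opened": date(2022, 10, 1), "closed": date(2022, 10, 20)},
    {"id": "F-2", "risk": "high", "opened": date(2022, 10, 5), "closed": date(2022, 11, 30)},
    {"id": "F-3", "risk": "high", "opened": date(2022, 10, 10), "closed": None},
    {"id": "F-4", "risk": "medium", "opened": date(2022, 10, 12), "closed": date(2022, 10, 15)},
]

# Constructed sample incidents with detection and first-response timestamps.
INCIDENTS = [
    {"id": "I-1", "detected": datetime(2022, 11, 1, 9, 0), "responded": datetime(2022, 11, 1, 9, 30)},
    {"id": "I-2", "detected": datetime(2022, 11, 2, 14, 0), "responded": datetime(2022, 11, 2, 15, 30)},
]


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; an empty population reports 0.0
    instead of raising ZeroDivisionError, so a quiet period does not break the report."""
    if denominator == 0:
        return 0.0
    return round(100.0 * numerator / denominator, 1)


def pct_critical_servers_pentested(servers) -> float:
    """Percentage of critical servers for which penetration testing has been conducted."""
    critical = [s for s in servers if s["critical"]]
    return pct(sum(1 for s in critical if s["pentested"]), len(critical))


def pct_high_risk_closed_within_month(findings, days: int = 30) -> float:
    """Percentage of high-risk findings closed within `days` of being opened;
    findings still open count against the metric."""
    high = [f for f in findings if f["risk"] == "high"]
    closed_in_time = [
        f for f in high
        if f["closed"] is not None and (f["closed"] - f["opened"]).days <= days
    ]
    return pct(len(closed_in_time), len(high))


def pct_unsupported_os(computers) -> float:
    """Percentage of computers running an operating system no longer supported by its vendor."""
    return pct(sum(1 for c in computers if not c["supported"]), len(computers))


def pct_patched(computers) -> float:
    """Percentage of computers with updated patches."""
    return pct(sum(1 for c in computers if c["patched"]), len(computers))


def avg_incident_response_minutes(incidents) -> float:
    """Average time from detection to first response, in minutes."""
    if not incidents:
        return 0.0
    total = sum((i["responded"] - i["detected"]).total_seconds() for i in incidents)
    return round(total / 60.0 / len(incidents), 1)


def metrics_report(computers, servers, findings, incidents) -> dict:
    """Collect the metrics into one dictionary suitable for a periodic management report."""
    return {
        "critical_servers_pentested_pct": pct_critical_servers_pentested(servers),
        "high_risk_closed_within_month_pct": pct_high_risk_closed_within_month(findings),
        "unsupported_os_pct": pct_unsupported_os(computers),
        "patched_pct": pct_patched(computers),
        "avg_incident_response_minutes": avg_incident_response_minutes(incidents),
    }


if __name__ == "__main__":
    for name, value in metrics_report(COMPUTERS, SERVERS, FINDINGS, INCIDENTS).items():
        print(f"{name}: {value}")
```

Each function fixes the definition of its metric (what counts as "critical", what counts as "closed within a month"), which is the part that tends to drift between reporting periods when the figures are assembled by hand.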

Objective of Metrics

By using effective metrics, organizations evaluate and measure the achievement and performance of various processes and controls. The main objective of a metric is to help management in decision-making and to facilitate...

Summary

In this chapter, you obtained an overview of information security program development. This chapter will help CISM candidates understand the methods, tools, and techniques important for developing an effective and efficient security program. This chapter will also help the CISM candidate define an information security program roadmap.

The next chapter will cover the management of an information security program.

Revision Questions

  1. What is the most important factor to determine the appropriate levels of information asset protection?
    1. A vulnerability assessment of assets
    2. A feasibility study report
    3. Classification of assets
    4. Valuation of assets
  2. Information asset classification helps to determine:
    1. The vulnerability of assets
    2. The impact of a compromise
    3. The value of assets
    4. The annual loss expectancy
  3. What is the main reason for information asset classification?
    1. To maximize the utilization of resources
    2. To adhere to the IS policy
    3. To determine IT capability
    4. To determine the protection level
  4. What is the most important factor to determine the classification of data?
    1. An assessment of impact by the data owner
    2. Requirements of the information security policy
    3. The existing level of protection
    4. An assessment of impact by the security manager
  5. What is the most important factor in achieving proportionality in the protection of information assets?
    1. Classification of assets
    2. A vulnerability assessment
    3. Change management...
