Goals are much like policies; they should be broadly defined, describe a desired outcome, be to the point, and (in most cases) be technology-neutral.
Information security strategic plans must not exist in a vacuum. Instead, the information security organization is typically part of a larger unit (IT, Internal Audit, etc.), which in turn is part of the overall organization. Any goals and objectives that are defined in the information security plan should be in alignment with those organizational goals.
In order to develop an effective information security plan that the organization as a whole will support, it is often best to develop the plan top-down. In other words, start with the organization's goals and derive your information security goals from them. It is completely acceptable to identify some information security goals that are not derived directly from your organization's strategic plan, but the information security goals should never conflict with the organization's goals.
Goals are made specific by defining realistic and measurable objectives. Each objective typically leads to one or more initiatives that play a role in achieving the objective. By measuring how well initiatives are achieved, a picture forms of how well goals are realized.
Many organizations, mostly governmental bodies, publish their information security strategic plans, and these can serve as a reference.
So how would this work? Let's give it a go. Some conventions first: Roman numerals enumerate goals (I, II, III, IV, etc.), Arabic numerals enumerate objectives (1, 2, 3, 4, etc.), and Latin letters enumerate initiatives (a, b, c, d, etc.). Objectives are listed under their respective goals, but since an initiative can contribute to objectives under several goals, initiatives are numbered independently.
I) Improved network forensics capabilities
    I.1) Capturing of session data on the network core
        - Collect network flow data from all network core devices by end of month 9
    I.2) Logging on all network devices, starting at the access layer
        - 100% of core switches, routers, and firewalls generating logs by end of year 1
        - 100% of all network components generating logs by end of year 2
    I.3) Central collection of all security logs
        - 100% collection of all generated network device logs by end of year 1
        - 100% collection of all server logs by end of year 1

Initiatives:
    a) Purchase, install and configure a server to receive, store, analyze and process network flow data and log data (contributes directly to I.1 and I.3)
    b) Discover and document all sources of security logs (prerequisite for c)
    c) Configure all security log sources to generate logs and to transmit them to the central log collection point (contributes directly to I.1, I.2 and I.3)
    d) Configure all core network devices to generate session logs and to forward them to the central log collection point (contributes directly to I.1, I.2 and I.3)
The initiatives can now be used for budgeting purposes and to establish an operational plan.
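As an added example (not part of the original article), the following Python scores the measurable objectives of Goal I against a constructed device inventory, rolls the objective scores up to the goal, and maps an objective back to the initiatives that contribute to it. The hostnames, the inventory fields and the scoring rules are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str                   # hostname (constructed for this example)
    layer: str                  # "core", "access" or "server"
    generates_logs: bool        # device emits security logs at all
    collected: bool             # those logs reach the central collection point
    exports_flows: bool = False # session/flow data exported (relevant to core devices)

# Constructed sample inventory; hostnames and statuses are invented.
INVENTORY = [
    Device("core-sw-1", "core", True, True, True),
    Device("core-rtr-1", "core", True, False, True),
    Device("edge-fw-1", "core", True, True, False),
    Device("acc-sw-1", "access", False, False),
    Device("acc-sw-2", "access", True, False),
    Device("srv-dc-1", "server", True, True),
]
# Objectives each initiative contributes to, as stated in the plan above.
INITIATIVES = {"a": ["I.1", "I.3"], "b": [], "c": ["I.1", "I.2", "I.3"], "d": ["I.1", "I.2", "I.3"]}

def coverage(devices, predicate):
    """Fraction of devices meeting predicate; an empty denominator is no evidence (0.0), not 100%."""
    if not devices:
        return 0.0
    return sum(1 for d in devices if predicate(d)) / len(devices)

def objective_scores(inventory):
    """Score each measurable objective of Goal I on a 0..1 scale."""
    network = [d for d in inventory if d.layer in ("core", "access")]
    core = [d for d in network if d.layer == "core"]
    servers = [d for d in inventory if d.layer == "server"]
    logging_net = [d for d in network if d.generates_logs]  # I.3 counts only generated logs
    logging_srv = [d for d in servers if d.generates_logs]
    return {
        "I.1 flow export on core": coverage(core, lambda d: d.exports_flows),
        "I.2 core logging (year 1)": coverage(core, lambda d: d.generates_logs),
        "I.2 all network logging (year 2)": coverage(network, lambda d: d.generates_logs),
        "I.3 network logs collected": coverage(logging_net, lambda d: d.collected),
        "I.3 server logs collected": coverage(logging_srv, lambda d: d.collected),
    }

def goal_score(scores):
    """Roll objectives up to the goal with the minimum, so one lagging objective is not masked."""
    return min(scores.values())

def initiatives_for(objective_key):
    """Initiatives that contribute to an objective (the key starts with its id, e.g. 'I.3')."""
    return sorted(k for k, objs in INITIATIVES.items() if objective_key.split()[0] in objs)
```

With this inventory, central collection of network logs (I.3) scores 50% and holds Goal I at 50%, and the lookup shows initiatives a, c and d as the ones that move it.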