Developing a strategic information security plan
With the summer approaching rapidly, it is time to start working on my next strategic plan. As a refresher from business school: strategic planning is the process by which an organization's long-term goals and objectives are identified and documented. Exactly how long "long-term" actually is depends on your environment. In my case, working of a three year strategic plan seems to make the most sense.
Goals are much like policies; they should be broadly defined, describe a desired outcome, be to the point, and (in most cases) be technology-neutral.
Information security strategic plans must not exist in a vacuum. Instead, the information security organization is typically part of a larger unit (IT, Internal Audit, etc.), which in turn is part of the overall organization. Any goals and objectives that are defined in the information security plan should be in alignment with those organizational goals.
In order to develop an effective information security plan that will be carried by the organization as a whole, it is often best to develop the plan top-down. In other words, start with the organization's goals and derive your information security goals from them. It is completely acceptable to identify some information security goals that are not derived directly from your organization's strategic plan, but the information security goals should never be in conflict with the organization's goals.
Goals are made specific by defining realistic and measurable objectives. Each objective typically leads to one or more initiatives that play a role in achieving the objective. By measuring how well initiatives are achieved, a picture forms of how well goals are realized.
Goals are much like policies; they should be broadly defined, describe a desired outcome, be to the point, and (in most cases) be technology-neutral.
Information security strategic plans must not exist in a vacuum. Instead, the information security organization is typically part of a larger unit (IT, Internal Audit, etc.), which in turn is part of the overall organization. Any goals and objectives that are defined in the information security plan should be in alignment with those organizational goals.
In order to develop an effective information security plan that will be carried by the organization as a whole, it is often best to develop the plan top-down. In other words, start with the organization's goals and derive your information security goals from them. It is completely acceptable to identify some information security goals that are not derived directly from your organization's strategic plan, but the information security goals should never be in conflict with the organization's goals.
Goals are made specific by defining realistic and measurable objectives. Each objective typically leads to one or more initiatives that play a role in achieving the objective. By measuring how well initiatives are achieved, a picture forms of how well goals are realized.
When defining a strategic plan, care must be taken not to end up in a mindset that will reject anything that is not directly related to it. Your organization's daily operations must continue, and new things will pop up that must be addressed also. Especially in the information security field, where new threats manifest themselves daily, the strategic plan should not compromise the flexibility of your response organization. Having said that: the plan will provide guidance going forward and determine future directions.
Many organizations, mostly governmental bodies, publish their information security strategic plans to the public and they can be used as a reference.
So: how would this work? Let's give it a go. Some conventials. Roman numerals are used to enumerate goals (I, II, III, IV, etc.). Latin numbers are used to enumerate goals (1, 2, 3, 4, etc). Latin letters are used to enumerate initiatives (a, b, c, d, etc.). Note that Objectives are listed under their respective Goals, but since initiatives can contribute to objectives associated with multiple goals, they are numbered independently.
Goal:
I). Improved network forensics capabilities.
Objective:
I.1) Capturing of session data on networking core
o Collect network flow data from all network core devices by end of month 9
I.2) Logging on all network devices, starting at the access layer.
o 100% of core switches, routers, and firewalls to generate logging by end of year 1
o 100% of all network components to generate logging by end of year 2
I.3) Central collection of all security logs.
o 100% collection of all generated network device logs by end of year 1
o 100% collection of all server logs by end of year 1
Initiatives:
a) Purchase, install and configure a server to receive, store, analyze and process network flow data and log data (contributes directly to I.1 and I.3)
b) Discover and document all sources of security logs (prerequisite to c)
c) Configure all security log sources to generate logs and to transmit them to central log collection point (contributes directly to I.1, I.2 and I.3)
d) Configure all core network devices to generate session logs and to forward them to central log collection point (contributes directly to I.1, I.2 and I.3)
The initiatives can now be used for budgeting purposes and to establish an operational plan.
Many organizations, mostly governmental bodies, publish their information security strategic plans to the public and they can be used as a reference.
So: how would this work? Let's give it a go. Some conventials. Roman numerals are used to enumerate goals (I, II, III, IV, etc.). Latin numbers are used to enumerate goals (1, 2, 3, 4, etc). Latin letters are used to enumerate initiatives (a, b, c, d, etc.). Note that Objectives are listed under their respective Goals, but since initiatives can contribute to objectives associated with multiple goals, they are numbered independently.
Goal:
I). Improved network forensics capabilities.
Objective:
I.1) Capturing of session data on networking core
o Collect network flow data from all network core devices by end of month 9
I.2) Logging on all network devices, starting at the access layer.
o 100% of core switches, routers, and firewalls to generate logging by end of year 1
o 100% of all network components to generate logging by end of year 2
I.3) Central collection of all security logs.
o 100% collection of all generated network device logs by end of year 1
o 100% collection of all server logs by end of year 1
Initiatives:
a) Purchase, install and configure a server to receive, store, analyze and process network flow data and log data (contributes directly to I.1 and I.3)
b) Discover and document all sources of security logs (prerequisite to c)
c) Configure all security log sources to generate logs and to transmit them to central log collection point (contributes directly to I.1, I.2 and I.3)
d) Configure all core network devices to generate session logs and to forward them to central log collection point (contributes directly to I.1, I.2 and I.3)
The initiatives can now be used for budgeting purposes and to establish an operational plan.