Top 3 Components of a Healthy Security Program
The Primary Security Program Components Include:
1. The structural makeup of the security program
This component defines how the program is organized.
Will there be one security officer for the whole organization, or one for each business unit? What are the program's scope, mission, and mandate, and what are the overall roles and responsibilities?
In most organizations, the structure of the security program is documented in the information security program charter, as well as in the security governance section of the organization's security policies.
2. The functional capability of the security program
Any healthy security program, regardless of its structure, must be able to perform four core functions on a repeatable basis:
a) Set a benchmark for security
- Establish a defined point of measurement
- The benchmark is established through a suite of security policies and standards, as well as program and process documentation
b) Measure against the benchmark
- Establish processes to consistently measure the environment against the benchmark
- Measurement is performed through the organization's security risk management program
c) Enable management decisions
- Reports should present the state of the environment measured against the benchmark
- This enables management to make informed decisions
d) Support execution of decisions
- Perform the security-specific tasks associated with the security program
- Support the business in implementing its security remediation activities as required
3. Establishment and management of the security architecture for the organization
Security architecture in an organization consists of the people, process, and technical safeguards that either prevent security events from occurring (preventive safeguards) or detect that they have occurred (detective safeguards).
Examples of preventive safeguards are a lock on a door or a password required to access a system; examples of detective safeguards are a video monitoring system or logging of access to an application.
Security Program Components Conclusion
A key responsibility of a security program is to manage the effectiveness of these safeguards and to ensure they are appropriate for the environment. This enables the CISO to provide leadership with clear information and findings so that management can make informed decisions.
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build information security programs for more than 20 years. He has written multiple recognized books on the subject, given hundreds of presentations, and built many security programs in both internal and external consulting roles.