Information Security Resources
We covered Information Security "Basics" in another issue, and thought we'd piggy-back on that with some information regarding the allocation of resources. To fully protect information assets, you need to think about securing the business, and not just the computers and network.
Once you have grasped the "Basics", you need to develop the plan to implement your security strategy - that means the allocation of human resources. To achieve greater efficiency and lessen the staffing impact, you need to implement solid hardware and software standards, streamline processes, and define metrics to establish the baseline and continually measure progress.
Then, as mentioned in the "Basics" issue, ...management must also learn to manage "smarter". The multitude of sound business practices required to address the major audit concerns and issues, and the associated workload to do so, mandates that management be imaginative in administering the responsibilities to put the sound business practices initially in place and to maintain them on an ongoing basis. Leadership must allocate the human resources to get it done. It is very important to allocate an appropriate percentage of employees to the information security challenge, especially in the area of technical support.
The following areas need to be staffed / represented / addressed:
• A Chief Security Officer (CSO) should be appointed, or at a minimum someone should be officially designated to be the point person for Information Security... there needs to be a champion.
• Policy development.
• Ongoing employee awareness program.
• Administration, e.g., problem resolution, rights and privileges, customer service.
• Architecture, e.g., security strategy, standards, migration planning, project management.
• Compliance and reporting, e.g., metrics, monitoring, reporting.
• Technical support, e.g., virus control, firewalls, product evaluations, help desk.
Information Security and protection cannot be assured without the implementation of the "BASICS", and the appropriate allocation of the "resources".