INITIATION.
- Ensure upper management support
- Define the mission, vision and goals of the security program
- Review all current corporate policies, standards and guidelines
- Conduct an inventory
- Begin development of a comprehensive risk management program
- Review regulated data controls
- Review strategic data controls
- List all third parties that the company is doing business with
- Assess Threats, Vulnerabilities and Risks
- Identify existing people and tools that could be brought in to support security
- Write security objectives
- Write security charter

INITIAL OPERATING CAPABILITY.
- Ensure upper management support
- Lay out an integrated foundation and framework for expanding the program in alignment with strategic business objectives
- Complete the comprehensive risk management program
- Write corporate security policies, if necessary
- Implement Security Controls
- Deploy production sensor capabilities to the initial set of monitoring points
- Begin development of security standard operating procedures and runbooks
- Develop training classes, exercises and seminars for employees, contractors, executives and/or board members
- Develop ongoing security awareness plan
- Establish an incident tracking/case management capability
- Begin sustained detection, analysis, and response operations
- Develop plan for executive reporting on metrics and security maturity
- Write Information Security Standards and Guidelines

FULL OPERATING CAPABILITY.
- Ensure upper management support
- Solicit feedback from the business units
- Adjust operations procedures and capabilities, if necessary, given the deltas between the initial vision of security and the operational, resourcing and policy realities
- Create an Incident Management and Business Continuity Plan (including Disaster Recovery Plan)
- If necessary, expand to 24×7 operations
- Deploy monitoring capabilities to an expanded set of monitoring points as appropriate
- Expand log collection and analytics
- Optimize system functionality and update documentation