Security Program Scope

In the last post I wrote about the importance of the Security Program Development and the easy way to do it if we use a standardized methodology like CMMI or ISO 27001, although each company is unique and they have to adapt the policies and procedures to their business. In addition, we shouldn't forget that the board of directors must take part in the development of the Security Program to meet their business needs and requirements. While in this new post I want to speak about the Security Program Scope that it is the first step we have to take to limit the extent of the Security Program due to the fact that sometimes is too ambitious and therefore unmanageable.

The scope of our security program could involve several factors:
  1. The scope could involve people whose activities and actions actually have a direct or indirect impact on the objectives. For example, these could be the business relationships between different managers or it could be actions of remote users.
  2. The scope could involve the development process itself. Things to add a success of development process is make sure we have all our customers and employees on board, we have buy-in operation management or we have ways to communicate during time of crisis.
  3. The scope could involve the information security policy. Within the scope the policy must meet regulatory and balancing requirements, in other words, integrations in balance between business needs and information security needs.
  4. The scope could involve the available technologies and systems that the company has.
To formulate an standpoint, as far as the security program goes,

the scope = people + process + infosec policy + available technologies and systems

wherever we have in place at any given moment in time this should be the scope of our program.

Therefore, if we take this scope, we can add to it the overall management or executives objectives or management strategic, to deliver our information security charter. The charter should be understood between management and all the individuals who are part of the security program scope:

Scope + Management Objectives = InfoSec Charter

The ISACA actually describes with good detail what they consider a mature information security program:

IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimised and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalised incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analysed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and pro-active identification of risk is the basis for continuous improvements. Security processes and technologies are integrated organisation-wide.”

Best regards my friend and remember, definition of the scope is the fist step we have to take if we want a successful security program.