If you are reading this post, you know that protecting our assets is time consuming, resource consuming and money consuming, but at the end of the day it is our goal and main task. For this reason I would like to highlight the basic components that we should take into account to manage an InfoSec Program properly.
Information Security Awareness Program
We know that people are the weakest link in information security. How much does an awareness talk cost? It can save you a headache and save your company money. Moreover, an information security awareness program should cover all people at all levels, because everybody has access to information.
Risk Management Process
How do we know where we have to invest money? First, we have to know what information and assets we have to protect, what value they have for the business and what happens if they are disclosed or stolen. Therefore, a risk management process is mandatory to align security investments with the business.
Access Control Policy
Mechanisms for authentication and authorization should be taken into account in an access control policy, because different people will need different permission levels on different assets.
End-point Protection Measures
Today, the barrier is no longer at the perimeter, because information can be accessed from the Internet with end-point devices like laptops and mobile phones, and this is a challenge for information security managers. As a result, end-point protection with anti-malware solutions is a must.
Penetration Testing and Vulnerability Scanning
Every day we see new vulnerabilities, but without penetration tests and vulnerability scans we won't know whether they affect our systems. Don't you want to know if you are vulnerable?
Patch Management Process
Once you know which vulnerabilities you have to fix, it's time to plan how to fix them. Can they be fixed? All of them? When? How? If some of them can't be fixed, what measures and controls can be applied?
Log Monitoring Process
It is worthless to have a SIEM and many reports if we don't review them adequately. A log monitoring process is more than saving logs; it is analyzing the information and taking actions accordingly.
Incident Response Process
New attacks and techniques to bypass security appear continually. Therefore, end users should be ready to detect and mitigate new threats.
Backup and Recovery Process
Once information is lost, it is lost, and if we don't have tested backups, we are lost too. We have to plan how to recover information, how much time we need to recover it and what information we are willing to lose.
As you will have read, this can seem ambitious, but we have to adapt it to our needs. It can be seen as a summarized ISO 27001.
Regards, my friend, and remember: protect your assets, protect yourself!!