Below we have identified some of the major components of a security program. It is important to note that all of these components, whether taken from the methodology for security program development presented in our first book, from our research since that time, or from the existing security frameworks that are available (e.g. ISO27001-2, NIST), are identified in essentially the same manner across sources, only under different names.
Here is a listing of each category, with a quick description:
• Security Program Strategy - The means by which your security organization will achieve its overall mission.
• Mission & Mandate - The goal of the security office as well as its associated level of authority to reach that goal.
• Roles & Responsibilities - The identification and definition of each position on the security office team and its individual role in providing security to the organization.
• Security Policies - The documented and ratified rules by which the security office applies security to the organization. In most methodologies, they represent the ideal security state of the organization; a benchmark from which to measure everything.
• Security Risk Project Portfolio - The mechanism by which your security organization approaches the prioritization and execution of its responsibilities based on risk.
• Training & Awareness - The strategy and tactics for educating personnel and making them aware of security concepts.