In the past weeks, we have looked at the importance of information security in Zimbabwean organisations and the basics of InfoSec Governance. With such a background we can now diversify into one of the vital components of information security; building an effective enterprise security program.
The information security program is a general framework made up of interlocking, interacting and overlapping blocks such as strategy, policies, standards, guidelines, procedures and architectural designs that drive the organisations security requirements inline with the organisations goals and strategy. It also brings structure and governance to the information security function within an organisation. This structure and governance allow the information security unit to function as a key element within the enterprise to support its business goals and decisions by providing information about the organisation’s information security capabilities in a business-friendly context.
Each organisation is different from another in terms of culture, goals and line of business. However, the elements that build a security framework are consistent across all business sectors. These elements are modular in nature, but depend upon one another for success. An effective information security program should include at least the following elements (Note: this is no an exhaustive list):
- Security Strategy goals and Program Governance
- Policies, Standards, Procedures, Guidelines and Principles
- Risk, Threat and Vulnerability Management program
- Security Roles and Responsibilities
What’s in it for Zimbabwean Organisations?
As a starting point of developing a program I would suggest that most organisations, business stakeholders and their ICT staff should follow the following generally accepted approach:
- Identify what they are trying to protect (Asset Inventory and Classification).
- Determine what they are trying to protect it from.
- Determine the likely risks and threats.
- Implement measures which will protect your assets in a cost-effective manner.
- Measure and review the process continuously and make improvements to the program
Developing a viable security program should not be a costly activity for most Zimbabwean organisations (looking at the current situation) especially that there are several frameworks that can be adopted as a baseline for building a security program. Some examples include ISO 27001, ISO 27002/05, SABSA, NIST etc. Organisations need to be careful when referring to these predefined frameworks though. These frameworks are based on organisations that already operate and effective security program. Therefore I would suggest that organisations should consider requirements that meet their business strategy and goals and leave out anything that does not fit or apply to their environment.
The main thing in it for Zim organisations is that they should have a security program in place or at least some of the basic building blocks to ensure that they are better protected from security threats, or data losses.
Quick NetOne, Telecel, Africom, And Econet Airtime Recharge
If anything goes wrong, chat with us using the chat feature at the bottom right of this screen