Information Security Programs

Somebody asked me today what I would consider the top things to include in an Information Security Program.

The first thing that comes to mind is a well documented, highly visible IT Security policy. I believe that the IT Security policy is the foundation of a good ISMS and helps in recruiting and maintaining the appropriate level of visibility at the executive level. Along with that comes a strong representation of IT security within the business at board level. From a practical standpoint having a good information security policy is followed by having the appropriate technical support in place to ensure that the business can perform its functions. 

Having policies and technical controls in place such as:

·     Consolidated and global:

• Anti-Virus management
• Anti-Malware management
• Desktop patching
• Server patching
• IDS/IPS/ Firewall deployment with consolidated logging
• Secure email, fax and printing
• Data stream encryption, file encryption/full disk encryption
• User training, personnel vetting
• User rights controls, separation of duties controls, and data classification to assist in IP control