So I saw this come across one of the mail lists I watch today:
"Hi All,
Can anyone provide the references on the internet for best practices for forming IT and Security Team Structure?"
And it struck me as a good topic to go into in some depth, and it's not nearly as easy to answer as you'd expect.
To take a step or three back...
Some questions and ideas to get your thoughts flowing.
What problem are you trying to solve?
What resources or support do you have?
What limitations or constraints do you have?
Also consider the scope of what you are trying to accomplish, and the requirements (if any) provided by your management or company for success (hopefully you can define these to more accurately match what you intend to create).
Let's work on each of these questions a bit.
What problem are you trying to solve?
This seems simple, but to be successful you need to phrase this in a way that identifies a need (preferably a business need) and how you intend to improve the systems, processes, or environment to correct or prevent "bad things" from happening. The best motivator for Risk Management or Security these days is compliance. No matter the industry, compliance (with laws and privacy regulations, usually state laws, GLBA for financial services, or HIPAA for health care) is a key risk. Another key concern from a business perspective is protecting the intellectual property that the company creates (and also protecting trade secrets).
Warning here: many pure techies and/or security folks will come up with a problem statement something like "deploy network monitoring" or "create an incident management process", which are both good solutions to problems, but not problems.
What resources or support do you have?
Hopefully you can answer this one with "unlimited budget and unswerving dedication to all things security by senior management". If not, make sure that you have established with your management the need for a security program, and the expectation that there will be costs involved (capital and expense, on-going maintenance, and likely staffing costs).
What limitations or constraints do you have?
We all have them, and it's better to be aware of them and work them into your plan than to have them surprise you. Maybe you have a specific time constraint (within the next three quarters, in the next year, or maybe one month). Maybe there is a cost limitation (you only have $1,000 and a roll of duct tape). Whatever your constraints are, get them on paper, address them with ideas, and work them into your plan. If you have only a month, scale back your grand ideas and focus on gathering requirements or understanding the needs of the organization better. If you have a year, plan to establish basic-level services, but maybe postpone the more complex parts until later, etc.
If you take the answers to these questions, spend some time talking to the management of your company, and understand what makes them tick, you will be in a much better position to succeed at any project (including establishing a security program).
So for our next installment I will discuss a sample Information Security Service Catalog.
->Pierre