2. Key Components of a
Security Program
Security Governance
Policies & Procedures
Security Project & Program Management
Gap Remediation Management & Advisory
Enterprise Risk Management, Vendor Security
Internal & External Audit Management
Interaction with external stakeholders (customers, vendors, etc.)
Security Engineering
Code & Platform Security
SSDLC, Coding Standards, Pen Testing
IT & Network Security Architecture
Security Operations
Security Incident Management
Patch & Vulnerability Management
Business Continuity and Disaster Recovery
3. First 30 days
Interviews with key stakeholders (e.g. IT, Operations, Legal) to discover
burning issues, key business initiatives and applicable compliance
frameworks (e.g. PCI DSS, SOX).
Establish a security baseline by performing a Gap Assessment, focusing on
preventive controls.
Inventory all functions, applications, processes and assets. Identify owners
for all applications.
Identify, and update where required, key architecture diagrams for the
production stack of every business function and for the internal corporate network.
Ensure that all critical data is being backed up (and that restores have been
tested), and that all backend jobs and maintenance scripts, including backup
scripts, are inventoried and scheduled appropriately.
Start remediating missing key preventive controls, e.g. two-factor
authentication to the production environment and closing all unnecessary
ports and protocols at the perimeter (for both ingress and egress).
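As an added example (not from the original slides), the perimeter check in the last item can be made repeatable by auditing the ruleset rather than eyeballing it. The script below works on a constructed, vendor-neutral rule format (the Rule class, the allow-list of public ingress ports and the approved egress destinations are all assumptions for illustration) and flags ingress rules that allow all ports or protocols, ingress from 0.0.0.0/0 on anything other than the allow-listed ports, and egress rules that go anywhere or to an unapproved destination. Translating a real firewall or cloud security-group export into this shape is left to the reader.

```python
from dataclasses import dataclass
import ipaddress


# Constructed, vendor-neutral rule format (hypothetical; not any real firewall's schema).
@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "ingress" or "egress"
    protocol: str       # "tcp", "udp" or "any"
    port_from: int      # inclusive port range; 0..65535 means "all ports"
    port_to: int
    remote_cidr: str    # source CIDR for ingress, destination CIDR for egress
    justification: str = ""


# Assumption: the only service the perimeter should expose to the Internet is HTTPS.
PUBLIC_INGRESS_ALLOWLIST = {("tcp", 443)}

# Assumption: business-approved egress destinations (constructed example network).
APPROVED_EGRESS = {
    ipaddress.ip_network("198.51.100.0/24"),  # e.g. a payment processor
}


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. 'anywhere'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _is_all_ports(rule):
    return rule.port_from == 0 and rule.port_to == 65535


def _covers_only_allowlisted(rule):
    """True if every (protocol, port) the rule opens is on the public allow-list."""
    if rule.protocol == "any" or _is_all_ports(rule):
        return False
    ports = range(rule.port_from, rule.port_to + 1)
    return all((rule.protocol, p) in PUBLIC_INGRESS_ALLOWLIST for p in ports)


def audit_rules(rules):
    """Return a list of (rule name, finding) for rules that should be tightened."""
    findings = []
    for r in rules:
        if r.direction == "ingress":
            if r.protocol == "any" or _is_all_ports(r):
                findings.append((r.name, "ingress allows all ports/protocols"))
            elif _is_world(r.remote_cidr) and not _covers_only_allowlisted(r):
                findings.append((r.name, "ingress from anywhere on non-allowlisted port"))
        elif r.direction == "egress":
            net = ipaddress.ip_network(r.remote_cidr, strict=False)
            if _is_world(r.remote_cidr):
                findings.append((r.name, "egress to anywhere; restrict to approved destinations"))
            elif not any(a.version == net.version and net.subnet_of(a)
                         for a in APPROVED_EGRESS):
                findings.append((r.name, "egress to unapproved destination"))
        else:
            findings.append((r.name, f"unknown direction {r.direction!r}"))
    return findings


# Constructed sample ruleset: a mix of acceptable and overly permissive rules.
SAMPLE_RULES = [
    Rule("web-https", "ingress", "tcp", 443, 443, "0.0.0.0/0", "public web tier"),
    Rule("legacy-ssh", "ingress", "tcp", 22, 22, "0.0.0.0/0", ""),
    Rule("ops-ssh", "ingress", "tcp", 22, 22, "203.0.113.0/24", "ops bastion range"),
    Rule("wide-open", "ingress", "any", 0, 65535, "10.0.0.0/8", ""),
    Rule("egress-all", "egress", "any", 0, 65535, "0.0.0.0/0", ""),
    Rule("egress-payments", "egress", "tcp", 443, 443, "198.51.100.0/24", "payment API"),
]


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run as-is it reports three rules (legacy-ssh, wide-open, egress-all) and accepts the rest; rules with an empty justification are a good place to start the conversation with the owner identified in the inventory step.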
4. 3 Months
Develop a one year information security roadmap, remediation
plan & budget. Prioritize remediation based on
Criticality and impact
In-scope regulatory compliance frameworks
Start remediation on key processes e.g. access management,
change management and release management
Start remediation on key engineering gaps e.g. logging
infrastructure, static and dynamic code analysis
Assess the security incident management process and ensure
people, process and technology components are in place to
support incident management.
Operationalize missing security controls and develop a “controls
calendar” with frequency and evidence requirements to ensure
evidence is being collected wherever required on a timely basis.
Create or redesign base security and operations processes e.g.
BCP/DR
5. 1 year
Meet regulatory compliance requirements e.g. PCI, SOX by
passing successful audits from an independent third party
auditor.
Ensure all security controls at the system, network, endpoint,
application, data and user level are well designed and
operating effectively.
Continuous Improvement - Develop key security metrics for
reporting and continuous improvement purposes. Establish an
Information Security Steering Committee to ensure security
activities are aligned with the business.
Decentralize Security by embedding security resources within
business functions.
Ensure that the organization can respond to emerging threats
by detecting and responding to them in a time-sensitive
fashion.