How to implement security planning across the organization
My team needs to come up with a plan to manage a security implementation and a way to best oversee the process once the security measures are in place. Does anyone have a real-life story of a security rollout, or do you have an example of how you improved security procedures within your organization? I'd like to hear your firsthand accounts as well as any advice you have on how to improve security procedures. -- J.S.
Plan, protect and respond
Readers sent in several responses that will help J.S. improve his security implementation and oversee the process. One reader describes the three areas of planning that matter most in any security implementation or oversight:
- Prevention planning reduces the risks caused by human error. Identify solutions, policies and procedures to reduce the risk of error and to address threats when they occur.
- Protection/procedure planning must be in place in the event of a security breach, to determine the resources staff will use to remedy the vulnerability.
- Response planning/restitution helps the organization mitigate and address the repercussions of a breach to minimize any business loss.
Other readers offer a number of ways to put your plans in place, protect valuable assets and respond to threats:
- Educate people to protect assets.
- Implement security planning across the organization.
- Protect critical applications.
- Consult the Building Security In Maturity Model (BSIMM).
Educate people to protect assets.
Since people are usually one of the weakest links in security, management must educate them to take security seriously, John M. writes. He suggests that the organization undertake a security-training program that rewards good security management and penalizes policy breaches.
Complimentary White Paper
Application Security Intelligence Summit
This month's complimentary white paper is actually an invitation to listen to a complimentary Application Security Intelligence Summit hosted on HP Fortify's channel on BrightTalk.
Forward-thinking organizations have begun to adopt a holistic approach to securing applications rather than simply investing in perimeter defenses like firewalls and intrusion prevention systems. This Web summit offers a full day of webcasts featuring leading software security experts discussing the role of application security intelligence in enabling software security assurance programs to proactively reduce business risk across the enterprise. Speakers include Derek Brink, VP of Aberdeen Group; John South, CISO, Heartland; Dennis Hurst, founding member of the Cloud Security Alliance; Dave Wichers, board member of OWASP; and Fortify founder and CTO Roger Thornton.
He also notes that since many people have access to data, the risk is great. He says, "From what I've seen, organizations need to make sure that people have access to what they need but not to more than they need. This means that you have to put in place the proper set of security controls to effectively manage user access."
Implement security planning across the organization.
John M. continues by saying that the next concern should be to integrate cybersecurity planning across the organization. All departments should know where their critical data is and put methods in place to manage identifying, prioritizing and protecting data.
He adds, "All actors must improve their communication across the board. Security is not only the concern of IT; everyone has a stake in the organization's security and must contribute to any security effort. Every sector of the enterprise should provide some leadership and oversight."
Protect critical applications.
Another reader sends in this suggestion: "Your organization needs to protect its most important applications across the entire development life cycle, from design to implementation and production. Ensure that critical capabilities are in place, such as centralized authentication, policy management, vulnerability scanning, intrusion prevention and detection. My list isn't complete, but you get the picture."
Consult the Building Security In Maturity Model (BSIMM).
Kunal P. suggests that BSIMM is an excellent model to use to plan for a software security initiative. He says, "BSIMM takes you through three comprehensive checkpoints -- strategy and metrics, compliance, and policy and training. Your team can't go wrong if you use BSIMM as a basis for your initiative."
As Kunal P. emphasizes, no matter which model you draw from, be sure to include policy and training for staff on the proper way to respond to various types of threats.
All of these responses point to the need to create an overall plan that incorporates broad protective measures, such as training and education, communication, buy-in from all departments, and oversight. J.S., we hope that with these suggestions your security implementation will go smoothly.