Posts RSS
Subscribe via Email
Build a Security Program
Posted March 23rd, 2007 by rybolov
I talk lots about building a security program. Like I tell my friends, put 3 squirrels up on a bench and I’ll give them a lecture about building viable security programs and what Certification and Accreditation really means, with some risk management thrown in there to fill it out.
Now while the people at NIST have created some fine guidelines on what a security program does (800-12 is rock-solid), there isn’t any good source on a staffing model. This is intentional–as soon as NIST makes an official stance on how to organize a security program, then the very next day I’m going to be asked by somebody if my staffing structure is “NIST-compliant”.
Inside the US Government, the organization should roughly be organized along these roles or areas of responsibility:
- CISO/ISSO/ISSM/Security PM
- Policy and Procedures
- Risk Management
- Certification, Accreditation, and Compliance
- Contingency Planning/Continuity of Operations/Disaster Recovery
- Awareness and Training
- Security Architecture
- Security Engineering
- Security Monitoring
- Incident Response
You can take these roles and staff them however you want. In other words, $one_role !== “one person”. You can combine, say, Risk Management and C&A into one group. Or you can put the architecture and engineering roles together. The key is to know what strengths your security program has and working around the weaknesses.
It’s approximately a 1-day exercise to sit down with this list and slice it up however you want. I can almost see an ISM-Community project on this, where we build a generic staffing template with responsibilities and recommended staffing levels for each of these roles, but I don’t have the time to get on it right now. If anybody desperately wants to do this as a project, please get in touch with me and I can give you a start.
Similar Posts:
Posted in FISMA, NIST, What Works | 
No Comments »