An information security program exists to protect the information of an enterprise.
An effective program contains appropriate policies, standards, and procedures that support its mission. There is a fine balance between protecting information and making it accessible, on the other hand, to the authorized users. It is necessary, therefore, to design an InfoSec program with the participation of all the stakeholders, namely, different levels of management, different departmental user groups, and the IT department.
The task of developing an effective InfoSec program is relatively easier since two major international organizations, the National Institute of Standards and Technology (NIST) and the International Organization of Standards (ISO), codified standards for information security.
The original NIST publication on the subject is entitled “An Introduction to Computer Security: The NIST Handbook.” The ISO codified the subject under ISO 17799, which, incidentally was adapted from British Standards (BS 7799). More recently, the ISO renamed ISO 17799 to ISO 27002.
I have the subject outline below in mind. On the other hand, the first article will only cover the first topic, Introduction to Information Security (InfoSec). Click here for the first article.
- Introduction to Information Security (InfoSec)
- Writing Guidelines
- Development of the InfoSec Policy
- Organizational Standards of InfoSec
- Classification of Information
- Raising organizational awareness of InfoSec