Tuesday Morning Grind, Ep 2 - Security Program Lifecycle Management
In this episode of Tuesday Morning Grind, we discuss risk3sixty’s approach to helping startups and high growth technology companies implement information security programs.
Security Program Lifecycle Management can seem daunting, especially when viewed through the lens of a massive framework like ISO 27001 or NIST Cybersecurity Framework.
But if you zoom out, implementing and managing an Information Security Program can be broken down into four high-level phases that can be repeated as needed within any organization.
The Information Security Program Lifecycle
Step 1: Scoping and Context The context of the organization and scope of the information security program need to be re-scope continually. Internal audits and risk assessments should be used to identify changes in the organization that would impact the scope and context of the program.
Step 2: Gap and Current State Assessment With the scope and context of the security program established, the organization should choose an appropriate framework to align to and perform a current state assessment (or gap assessment). The goal is to identify process and control gaps.
Step 3: Risk Assessment Risk Assessment activities consist of the body of work that helps the organization to monitor and identify risks to the security of the organization’s assets. Beyond a formal Risk Assessment, it may also include inputs from Business Impact Analysis (BIA), Penetration Tests, Vendor Risk Assessments, and more.
Step 4: Information Security Program Cadence Information Security program cadence consists of both the periodic meetings and re-occurring control activities required to ensure that information security does not become siloed, and critical governance functions and controls are operating effectively.