What should be there in an Information Security Program? The table below provides the primary elements of an Information Security Program and their components.
The list of elements below is as published in NIST Special Publication 800-14. It provides an overview of the components of each element. This table can serve as a quick guide when reviewing an information security program.
| Primary Element | Components |
|---|---|
| Policy | Program policy, issue-specific policy, system-specific policy |
| Program Management | Central security program, system-level program |
| Risk Management | Risk assessment, risk mitigation, uncertainty elements |
| Life-cycle Planning | Security plan, initiation phase, development/acquisition phase, implementation phase, operation/maintenance phase |
| Personnel/User Issues | Staffing, user administration |
| Preparing for Contingencies and Disasters | Business plan, identify resources, develop scenarios, develop strategies, test and revise plan |
| Computer Security Incident Planning | Incident detection, reaction, recovery and follow-up |
| Awareness and Training | SETA plans, awareness projects, and policy and procedure training |
| Security Considerations in Computer Support and Operations | Help desk integration, defending against social engineering, and improving system administration |
| Physical and Environmental Security | Guards, gates, locks and keys, and alarms |
| Identification and Authentication | Identification, authentication, passwords, advanced authentication |
| Logical Access Control | Access criteria, access control mechanisms |
| Audit Trails | System logs, log review processes, and log consolidation and management |
| Cryptography | PKI, VPN, key management, and key recovery |
Source: National Institute of Standards and Technology. Generally Accepted Principles and Practices for Securing Information Technology Systems. NIST Publication 800-14.