Build a Security Program

Posted March 23rd, 2007 by

I talk lots about building a security program.  Like I tell my friends, put 3 squirrels up on a bench and I’ll give them a lecture about building viable security programs and what Certification and Accreditation really means, with some risk management thrown in there to fill it out.

Now while the people at NIST have created some fine guidelines on what a security program does (800-12 is rock-solid), there isn’t any good source on a staffing model.  This is intentional–as soon as NIST makes an official stance on how to organize a security program, then the very next day I’m going to be asked by somebody if my staffing structure is “NIST-compliant”.

Inside the US Government, a security program should roughly be organized along these roles or areas of responsibility:

  • CISO/ISSO/ISSM/Security PM
  • Policy and Procedures
  • Risk Management
  • Certification, Accreditation, and Compliance
  • Contingency Planning/Continuity of Operations/Disaster Recovery
  • Awareness and Training
  • Security Architecture
  • Security Engineering
  • Security Monitoring
  • Incident Response

You can take these roles and staff them however you want.  In other words, $one_role !== “one person”.  You can combine, say, Risk Management and C&A into one group.  Or you can put the architecture and engineering roles together.  The key is to know what strengths your security program has and to work around its weaknesses.

It’s approximately a 1-day exercise to sit down with this list and slice it up however you want.  I can almost see an ISM-Community project on this, where we build a generic staffing template with responsibilities and recommended staffing levels for each of these roles, but I don’t have the time to get on it right now.  If anybody desperately wants to do this as a project, please get in touch with me and I can give you a start.




Posted in FISMA, NIST, What Works | No Comments »
