Build a Security Governance and Management Plan
Establish the missing bridge between security and the business to support tomorrow’s enterprise with minimal resources.
This content requires an active subscription.
Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.
Your Challenge
- As a CISO, you are worried you’re going to lose your budget because management doesn’t seem to buy into spending on security.
- The CEO thinks the security team is disposable because they don’t support business objectives.
- Even while trying to anticipate and mitigate risk, the organization is constantly in firefighter mode trying to fight attacks and breaches. There is constantly a need for more resources.
- The security team is not even sure exactly which compliance requirements apply to the organization and if they're meeting them. Each audit is a scramble.
- It is not known how the security team is performing.
- There is not enough direction from management to ensure business goals are supported because management doesn’t seem to be interested in the report on security.
Our Advice
Critical Insight
- Most organizations perceive security governance and management to be a large, time-consuming, and expensive endeavor.
- A customized program will provide results with a relatively low investment.
Impact and Result
- Achieve executive engagement in information security governance and management through the completed business case.
- Recognize and prioritize your current security governance and management challenges.
- Develop a security governance and management framework suitable for your needs at a minimal cost.
- Implement your security governance and management framework using our tips and the tools and templates provided.
Get the Complete Storyboard
See how all the steps you need to take come together, with tools and advice to help with each task on your list.
Download NowGet to Action
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should build a security governance and management plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
-
Assess security requirements
Introduce security governance and management while documenting the overall goals and challenges.
-
Perform a gap analysis
Assess the current state and then determine the organizational target state.
-
Develop gap initiatives
Generate initiatives to reach the organizational target state.
-
Develop an implementation plan and implement based on best practices
Improve the organization’s security governance and management functions.
-
Build a Security Governance and Management Plan – Phase 4: Implement Gap Initiatives
-
Information Security Charter
-
Security Governance Organizational Structure
-
Information Security Risk Management Template
-
Information Security Compliance Template
-
ISO 27001:2013 Annex A Self-Check List
-
MSSP RFP Template
-
Employee Termination Process Checklist – IT Security Example
-
Information Security Incident Response Process Template
-
Backup Operating Procedures Template
-
Recovery Operating Procedures Template
-
eDiscovery Procedure for Legal Search
-
Security Service Catalog Template
-
DR Team Build Sheet
-
Information Security Awareness and Training Appropriateness Tool
-
Information Security Awareness and Training Content Development Tool
-
Security Metrics Assessment Tool
-
Security Governance and Management Communication Plan
-
Guided Implementation
This guided implementation is an eight call advisory process.
-
Call #1: Understand the value and challenges of security governance and management to create your business case.
-
Call #2: Define your risk tolerance and determine your security pressure posture.
-
Call #1: Perform a current state assessment of your capabilities and maturity levels.
-
Call #2: Establish the governance and management target state.
-
Call #1: Identify where there are existing gaps and where initiatives should be built.
-
Call #2: Prioritize the gaps based on resources and efforts to create an implementation timeline.
-
Call #1: Review and finalize the governance and management roadmap and action plan.
-
Call #2: Build out your governance and management deliverables.
Guided Implementation #1 - Assess security requirements
Guided Implementation #2 - Perform a gap analysis
Guided Implementation #3 - Develop gap initiatives
Guided Implementation #4 - Implement gap initiatives
Onsite Workshop
Module 1: Assess Security Requirements
The Purpose
- Demonstrate the value of implementing or improving security governance and management for the business.
- Define the risk tolerance of the organization.
- Objectively assess security pressure posture based on our list of comprehensive criteria.
- Provide a security posture description that business stakeholders can easily digest.
Key Benefits Achieved
- Understand the value of information security governance.
- Gain a better understanding of the organization’s risk tolerance and security pressure posture.
| Activities: | Outputs: | |
|---|---|---|
| 1.1 | Define goals/objectives for the workshop. |
|
| 1.2 | Demonstrate the value and challenges of security governance and management. |
|
| 1.3 | Define the risk tolerance. |
|
| 1.4 | Define the security pressure posture. |
|
Module 2: Perform a Gap Analysis
The Purpose
- Define the current security capabilities and maturity of the governance and management.
- Develop a security target state based on the organization’s security risk profile and conduct a gap analysis.
Key Benefits Achieved
- Visualize the organization’s current security capabilities and maturity level.
- Build the foundation for determining your security target state by understanding the organization’s security needs and scope.
| Activities: | Outputs: | |
|---|---|---|
| 2.1 | Assess current security capabilities and performance. |
|
| 2.2 | Define security target state. |
|
Module 3: Develop Gap Initiatives
The Purpose
- Develop gap initiatives to reach your security governance and management target state.
- Assess the organization’s readiness to implement the gap initiatives and scale the initiatives to develop a feasible implementation plan.
Key Benefits Achieved
- Identified gap initiatives to augment the security program.
- Understanding of the resources needed to implement all the initiatives.
| Activities: | Outputs: | |
|---|---|---|
| 3.1 | Identify security gaps. |
|
| 3.2 | Build initiatives to bridge the gap. |
|
| 3.3 | Estimate the resources needed. |
|
| 3.4 | Prioritized gap initiatives. |
|
| 3.5 | Determine start time and accountability. |
|
Module 4: Implement Gap Initiatives
The Purpose
- Finalization and approval of the final roadmap and action plan.
- Development of various governance and management deliverables to lay the foundation in place.
- Development of effective metrics in order to measure the program.
Key Benefits Achieved
- Implementation timeline for the future.
- Governance and management deliverables to act as a starting point.
- Security metrics to implement.
| Activities: | Outputs: | |
|---|---|---|
| 4.1 | Finalize roadmap and action plan. |
|
| 4.2 | Build out governance and management deliverables. |
|
| 4.3 | Develop security metrics. |
|
Book Your Workshop
Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
Book NowSecurity Management Map
-
1Build a Security Awareness and Training Program
-
2Exploit Disruptive Security Trends for 2015
-
3Develop and Deploy Security Policies
-
4Build a Security Governance and Management Plan
-
5Hire or Develop a World-Class CISO
-
6Build an Information Security Strategy
-
7Optimize Security Operations without Overspending
-
8Develop and Implement a Security Incident Management Program
-
9Implement and Optimize an Effective Security Management Metrics Program
-
10Develop a Network Security Roadmap to Lower Incident Costs and Increase Efficiency
-
11Secure Critical Systems and Intellectual Property Against APT
-
12Ensure Cloud Security in IaaS and PaaS Environments
-
13Comply with the Security Requirements of HIPAA or SOX
-
14Defend Against Ransomware
-
15Develop a User Management Strategy
-
16Exploit Disruptive Security Trends in 2016
-
17Improve Information Security Practices in the Small Enterprise
-
18Manage Security Mitigation Effectiveness
-
19
Manage the Budget to Optimize Security Spending
-
20
Develop and Optimize Threat Intelligence on a Budget
-
21
Manage Security Outsourcing
Search Code: 74084
Published: February 3, 2014
Last Revised: September 21, 2015
2 Comments
Overall I think the process outlined is outstanding. I highly recommend it. One improvement I'd recommend turning parts of this into a web application or diagnostic. There are a bunch of instances where you edit an Excel sheet and then transfer that data to a different Excel sheet (gap analysis tool -> roadmap tool) or a Word doc (pressure posture tool -> business case document).
Thank you for your comment and your suggestion to turn parts of the process into a web tool. We're glad you found value in the research. We are actively looking at ways to web-enable the spreadsheets into a more interactive application/diagnostic.
If you’re interested in further information, we do have an online security benchmarking program, the Governance & Management Maturity Scorecard, although it does not completely match our Build a Security Governance and Management Plan blueprint at this moment.