Seven Simple Rules
Explaining the role and importance of Information Security in the organization, especially to management, can be a difficult task. I have lost count of the number of times in my career where, ten or fifteen minutes into a presentation on IS, I have looked up to find one half of my audience asleep and the other half clueless. As a result, I often rely on the following seven simple rules and explain that, if you can answer “yes” to each of them at the end of the day, then you have succeeded in creating a solid information security organization:
From a goal- or objective-setting standpoint, these rules provide a good starting point. They may not produce a perfect control environment, but they do cover the substantial risk areas.
The primary weakness of these rules is that they define an end state but do not tell you how to get there. We need something more: a framework that defines how to structure an information security program, where to focus resources and how to organize the overall activities.
©2009 ISRMC, LLC