Security Baseline - Part I - ISM4Startups
As I mentioned in the previous post, Scenario, Role Identification & Access, today's post will be about a Security Baseline.
Having a proper security baseline is important. The baseline document captures your security requirements and the enterprise services that are critical to the business.
So let's start straight away!
Plan & Organize
Define a strategic IT plan and define the information architecture.
Identify information and services critical to the enterprise and consider their security requirements.
1. Based on a Business Impact Analysis for critical business processes, identify:
- Data that must not be misused or lost
- Services that must be available
- Transactions that must be trusted (to be authentic and have integrity)
Consider the security requirements:
- Who may access and modify data?
- What data retention and backup are needed?
- What availability is required?
- What authorization and verification are needed for electronic transactions?
Define the IT organization and relationships
Define and communicate IT security responsibilities
2. Define specific responsibilities for the management of security and:
- Ensure that they are assigned, communicated and properly understood.
- Beware of the dangers of concentrating too many security responsibilities and roles in one person.
- Provide the resources required to exercise responsibilities effectively.
Communicate management aims and directions
Appropriately define and circulate management aims and directions with respect to IT and security.
3. Consistently communicate and regularly discuss the basic rules of implementing security requirements and responding to security incidents. Establish minimum “dos and do nots” and regularly remind people of security risks and their personal responsibilities.
Manage Human Resources
Ensure functions are staffed properly by the right people who possess the necessary skills to fulfill their responsibilities, including security.
4. When hiring, verify candidates with reference checks.
5. Obtain through hiring or training the skills needed to support the enterprise security requirements. Verify annually whether skills and qualifications are still up-to-date, and act accordingly.
6. Ensure that no key security task is critically dependent upon a single resource. Train the proper people and share knowledge.
Ensure compliance with external requirements
Ensure that IT and security functions comply with applicable laws, regulations and external requirements (such as industry standards).
7. Identify what, if anything, needs to be done with respect to security obligations to comply with privacy, intellectual property rights and other legal, regulatory, contractual and insurance requirements. Encourage staff to understand and be responsive to these security obligations.
Discover, prioritize and either contain or accept relevant security/IT-security risks.
8. At appropriate times, discuss with key staff what can go wrong with enterprise, IT or physical security that could significantly impact the business objectives. Consider how best to secure the services, data and transactions that are critical to the success of the business. Prepare risk management action plan(s) to address the most significant risks.
9. Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security practices (e.g. effective backup, basic access control, virus protection, firewalls, network segregation etc.) and insurance coverage.
Next we will be talking about acquiring, implementing, and support & delivery. Support & delivery is a big subject, so that is what most of that post will be about.
Please let me know if you have any tips, suggestions or topics. Leave a comment below.