There are many good enterprise architecture frameworks one can follow. Here are a few you can consider during the planning process.
Security Program Development
Security documentation, and the legal liability issues it brings to the table, also need to be considered in the mix. The right approach depends on the type of business, its goals, and its culture. Settling these first will help you focus on the right language to use and identify the audience for the documentation: auditors, government, vendors, or customers?
Not all data or assets hold the same value. Information classification should be used to recognize and identify key assets. You should assign each asset a value and allocate funds to protect that asset, be it data or hardware, based on its assigned classification.
Information classification helps ensure data and hardware are protected in the most cost-effective manner. Moreover, it cost you money to acquire them, so why not protect them? As you move forward in the classification process, each classification level should have its own handling requirements and procedures for how that data or hardware is accessed, used, and destroyed.
The common levels of sensitivity, from the highest to the lowest, for a commercial business:
• Confidential
• Private
• Sensitive
• Public
Security awareness training, which is an administrative control, can also emphasize enforcement measures. In addition, basic security awareness should not be a once-a-year exercise; it should be an ongoing process in this day of the internet. If a company does not have security policies in place, the necessary countermeasures implemented, and security awareness training in place, it is not practicing due care, and that opens the organization up to a lawsuit.
Information security governance is the responsibility of everyone, not only senior executives. It is an integral part of any IT governance framework. Whilst senior management and IT professionals will lead the process, it is a task everyone within the organization should know about and understand, because each has a part to play. The document below is a good start.
ISO/IEC 27014 Guideline for information security governance