The goal of an information security strategy is to mitigate risks by complying with legal, statutory, contractual, and internally developed requirements, and to do so at a cost that is commensurate with the value of reducing those risks. Typical steps in building a strategy include defining business objectives and assets, conducting one or more risk assessments to identify control gaps, identifying and selecting controls, developing benchmarks and metrics, and preparing implementation and testing plans.

Every company has a unique set of objectives, business and operational realities, and a specific cultural context. Developing a security strategy depends on an understanding of these factors. Information security is most successful when the tenets of "best practice" are tailored to the organization.

The identification and selection of controls is typically grounded in a cost comparison of different strategic approaches to risk mitigation.  The cost comparison typically contrasts the costs of various approaches with the potential gains a financial institution could realize in terms of increased confidentiality, availability, or integrity of systems and data.  Those gains could include reduced financial losses, increased customer confidence, positive audit findings, and regulatory compliance.  Any particular approach should consider: (1) policies, standards, and procedures; (2) technology design; (3) resource dedication; (4) training; and (5) testing.


For example, an institution’s management may be assessing the proper strategic approach to the security monitoring of activities for an Internet environment.  Two potential approaches are identified for evaluation.  The first approach uses a combination of network and host sensors with a staffed monitoring center.  The second approach consists of daily access log review.  The former alternative is judged much more capable of detecting an attack in time to minimize any damage to the institution and its data, albeit at a much greater cost.  The added cost is entirely appropriate when customer data and institution processing capabilities are exposed to an attack, such as in an Internet banking environment.  The latter approach may be appropriate when the primary risk is reputational damage, such as when the only information being protected is an information-only Web site, and the Web site is not connected to other financial institution systems.