Your business is unique and your program should be too. Make the most of your unique business assets and the similarity of the controls in your chosen framework (see previous posts) to build a program that meets your business objectives and needs.
Following is one example of a program overview; consider these areas for your plan:
Governance includes defining policy and procedures and ensuring the organizational structure is in place—including executive sponsorship. This is the planning phase, and each plan will be incorporated into each of the different areas of the framework.
Asset management goes back to your scope and asset inventory. This full discipline ensures all areas of the company have been identified.
Risk management is, of course, assigning a risk to each of the asset categories.
Building security in means you start from the beginning to build security in to the systems acquisition and development process, into training, and into your physical and environmental security requirements. Building security into all aspects of the business is more cost efficient than bolting security on.
Secure operations and maintenance is the day-to-day running of the systems that you have built or contracted for.
Continuous monitoring and assessment includes monitoring activity of people in their roles, the systems in their performance, and the performance against the goals or KPIs that were set in the governance areas.
Incident management is a separate discipline that ensures that when bad things happen, you’re ready to respond. In times like these, your incident management team can mean the difference between the company surviving or not.
Continuity management is the area that is responsible for keeping the lights on in the event of any type of business outage. This team works very closely with the incident management team at the time of an event.