100 Security Program Pitfalls and Prescriptions to Avoid Them – Introduction
Blog posts will be published for various sections of this book. Today’s post contains the introduction to this book.
An effective Security Program is critical and necessary for organizations to successfully achieve compliance with internal controls, regulatory controls, as well as contractual requirements with customers or consumers. Once compliance with these requirements is achieved, maintaining compliance becomes the goal for the organization. There are many reasons a Security Program may come up short, or fail entirely, resulting in a negative impact on an organization’s security and compliance posture, reputation, customer contracts, as well as corporate citizenship. In this book, several Security Program pitfalls have been aggregated along with recommendations and strategies to avoid them.
Security control requirements, pitfalls, recommendations, and the strategies necessary for implementing a successful Security Program have been divided into 14 control families:
1. Security Program Planning
2. Risk Management
3. Personnel Security
4. Asset Management
5. Access Control
6. Physical Security
7. Operations Security
8. Communications Security
9. Systems Management
10. Third-Party Due Diligence
11. Incident Response
12. Business Continuity
13. Data Privacy
Different control frameworks (e.g., NIST/FISMA, CMMC, PCI, FFIEC, GDPR, CCPA, ISO/IEC, HIPAA/HITECH/HITRUST, etc.) present controls under different control families, or groups of controls. Drawing on nearly 30 years of experience with various, evolving, and new control frameworks, alongside the regulatory requirements that accompany them, this book is intended to represent all generally applicable controls, as well as best practices, consolidated down to these fourteen control families.
It is widely acknowledged that Security Program control requirements differ from one organization to another. This book is intended to present information about the most common pitfalls, experienced by most, if not all, organizations at some point, that is valuable to all organizations, all managers or supervisors, all security professionals, and even security newcomers.
Recommendations, strategies, and professional tips that have been implemented to successfully build a new Security Program or improve an existing one are addressed. This information will help take your Security Program to the next level, enabling your organization to protect information assets as well as achieve and maintain compliance with internal requirements, regulatory requirements, and contractual requirements with your customers.
Some of the content contained in this book may be brand new; other content may be very familiar. It is also anticipated that some of the content will be presented with a different approach than you may have previously considered. The end goal is to find the right balance of controls that is appropriate for maintaining an effective Security Program for your organization while supporting daily business operations in an efficient manner. Finding the appropriate balance between security and operations is key.
No organization should implement security controls in order to pass an audit, exam, or assessment. Your organization should pass audits, exams, or assessments because of the controls that have been implemented to support, manage, and continuously improve an effective Security Program for your organization. This book is intended to provide important information as well as lessons learned to support that goal for all organizations.
This book contains a vast amount of information. The intent is not to overwhelm, but to provide a recommended strategy for success, along with key principles to aid in Security Program management. No organization is going to address every security control in a week, a month, or perhaps even six months. Continuous management and incremental improvement are of paramount importance. The intent of the information contained in this book is to help guide organizations in making their Ascent.