


Kevin Powers, Founding Director, Boston College
Burns, Chief Information Security Officer, Draper Labs

Whether you’re at a cybersecurity conference, participating in a webinar, or reading an article like this one, you are often bombarded with catchy sayings about enterprise security: “It’s a team sport,” “It’s about tech, people, and process,” or “It’s not a tech issue, but a business issue.” Then you are told that you need a compliant information security program, along with an incident response plan, that is certifiable to any one of the NIST, COBIT, ISO, or other popular frameworks, so you can avoid the wrath of the regulators.

Okay, all true, but what does that really mean? To help clear things up, let’s look at what the National Institute of Standards and Technology (NIST) has to say.

According to NIST, an information security program is a “formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.” NIST also recommends that you implement an incident response plan: “a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber-attack against an organization’s information systems.” NIST then points out in its Framework for Improving Critical Infrastructure Cybersecurity that there is no one-size-fits-all approach to managing cybersecurity risk.

What? Again, all true, but what does that really mean?

To best help you get a sense of what an enterprise security program really is, and to provide you with some key takeaways for developing and implementing one, I’ve pulled in the experts to share their thoughts.
