The previous post explored the kinds of information that might be in a security guide.
Let’s lay out some basic requirements for a security guide:
- The security guide must exist. It must be available, updated, and maintained.
- The security guide must incorporate relevant government and industry requirements.
- The security guide must be actionable. If it can’t be implemented, it is useless.
- The security guide should be proactive, describing what should be done (and, where applicable, how to do it) rather than only what is forbidden.
- It should be possible to verify compliance with the security requirements through a system audit.
- The security guide should support the company mission.
This last item may strike you as a bit odd… Recall that the reason we have computer systems is to generate business value. The security guide should balance security risk against generation of business value. If a computer system can’t be used to generate business value, you might as well get rid of it. And, of course, the most secure system is one that doesn’t exist! (Just for the record, this is a joke…)
Ideally, the security guide is a tool to improve the operation of an organization, balancing protection needs against business needs, ease of use, and the threat profile a company actually faces.