Information Security Planning Guide

The document outlines the importance of information security planning, detailing the roles of mission, vision, and values statements as precursors to effective planning. It discusses various planning levels including strategic, tactical, operational, and contingency planning, emphasizing the roles of the CIO and CISO in translating strategic goals into actionable plans. Additionally, it covers the phases of the Security Systems Development Life Cycle (SecSDLC) and the significance of maintaining a robust information security program.


INFORMATION SECURITY PLANNING

Outline
• The Role of Planning
• Precursors to Planning
• Values Statement
• Vision Statement
• Mission Statement
• Strategic Planning
• Creating a Strategic Plan
• Planning Levels
• Planning and the CISO (Chief Information Security Officer)
• Planning for Information Security Implementation

Pillars of information security planning
• Information security planning
  • Organizational planning
    • Strategic planning
    • Tactical planning
    • Operational planning
  • Contingency planning
    • Incident response
    • Disaster recovery

Organization Planning
• Planning: action steps to
  • Manage resources.
  • Coordinate effort between the organizational units to meet the objectives.
  • Reduce waste and duplication in effort.
• Primary goal
  • Detailed plan to meet the organization’s objectives.
  • Planning starts with the generic and ends with the specific.

Precursors to Planning
• Mission Statement
• Vision Statement
• Values Statement

The Mission Statement
• A mission statement declares the business of the organization and its intended areas of operations.
• The mission statement explains what the organization does and for whom.
• Example: Random Widget Works, Inc. designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments.

Management of Information Security, 2nd ed. - Chapter 2

Vision Statement
• The vision statement expresses what the organization wants to become.
• Vision statements should be ambitious.
• Example: Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use.

Values
• By establishing organizational principles in a values statement, an organization makes its conduct standards clear.
• Example: RWW values commitment, honesty, integrity, and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal, and natural environments.
• The mission, vision, and values statements together provide the foundation for planning.

Microsoft’s Mission and Values
(figure only; not reproduced in text)

Components of Organizational Planning: Strategy
• Strategy is the basis for long-term direction.
• Strategic planning guides organizational efforts, and focuses resources on clearly defined goals.
• “… strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future.”

Strategic Planning
(figure only; not reproduced in text)

Planning for the Organization
• An organization develops a general strategy, and then it creates specific strategic plans for major divisions.
• Each level of division translates those objectives into more specific objectives for the level below.
• In order to execute this broad strategy, executives must define individual managerial responsibilities.

Strategic Planning
• Strategic goals are then translated into tasks with specific, measurable, achievable, reasonably high and time-bound objectives (SMART).
• Strategic planning then begins a transformation from general to specific objectives.

Planning for the Organization
(figure only; not reproduced in text)

Planning Levels
• Tactical Planning
  • Has a shorter focus than strategic planning
  • Usually one to three years
  • Breaks applicable strategic goals into a series of incremental objectives

Planning Levels (continued)
• Operational Planning
  • Used by managers and employees to organize the ongoing, day-to-day performance of tasks
  • Includes clearly identified coordination activities across department boundaries, such as:
    • Communications requirements
    • Weekly meetings
    • Summaries
    • Progress reports

Typical Strategic Plan Elements
• Introduction by senior executive
• Executive Summary
• Mission Statement and Vision Statement
• Organizational Profile and History
• Strategic Issues and Core Values
• Program Goals and Objectives
• Management/Operations Goals and Objectives
• Appendices (optional): strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets, …

Planning For Information Security Implementation
• The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans.
• The CISO plays a more active role in the development of the planning details than does the CIO.

CISO Job Description
• Creates a strategic information security plan with a vision for the future of information security at Company X.
• Understands the fundamental business activities performed by Company X, and based on this understanding, suggests appropriate information security solutions that uniquely protect these activities.
• Develops action plans, schedules, budgets, status reports, and other top management communications intended …

Planning for InfoSec
• Once the plan has been translated into IT and information security objectives, and further translated into tactical and operational plans, then information security implementation can begin.
• Implementation of information security can be accomplished in two ways:
  • Bottom-up
  • Top-down

Approaches to Security Implementation
(figure only; not reproduced in text)

The Systems Development Life Cycle (SDLC)
• An SDLC is a methodology for the design and implementation of an information system.
• SDLC-based projects may be initiated by events or planned.
• At the end of each phase, a review occurs when reviewers determine if the project should be continued, discontinued, outsourced, or postponed.

The Security Systems Development Life Cycle (SecSDLC)
• It may differ in several specifics, but the overall methodology is similar to the SDLC.
• The SecSDLC process involves the identification of specific threats and the risks that they represent, and the subsequent design and implementation of specific controls to counter those threats and assist in the management of the risk that those threats pose to the organization.

Phases of the SecSDLC
(figure only; not reproduced in text)

Investigation in the SecSDLC
• Often begins as a directive from management specifying the process, outcomes, and goals of the project and its budget.
• Frequently begins with the affirmation or creation of security policies.
• Teams are assembled to analyze problems, define scope, specify goals, and identify constraints.
• A feasibility analysis determines whether the organization has the resources and …

Feasibility
(figure only; not reproduced in text)

Analysis in the SecSDLC
• A preliminary analysis of existing security policies or programs is prepared, along with known threats and current controls.
• Includes an analysis of relevant legal issues that could affect the design of the security solution.
• Risk management begins in this stage.

Risk Management
• The process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the information stored and processed by the organization.
• To better understand the analysis phase of the SecSDLC, you should know something about the kinds of threats facing organizations.
• In this context, a threat is an object, person, or other entity that represents a constant danger to an asset.

Key Terms
• An attack is a deliberate act that exploits a vulnerability to achieve the compromise of a controlled system.
• It is accomplished by a threat agent that damages or steals an organization’s information or physical asset.
• An exploit is a technique or mechanism used to compromise a system.
• A vulnerability is an identified weakness of a controlled information asset.

Threats to Information Security
(figure only; not reproduced in text)

Design in the SecSDLC
• Logical design phase
  • Create and develop a security blueprint
  • Implement key policies
  • Feasibility analysis – develop or outsource
• Physical design phase
  • Evaluate technology to support security blueprint
  • Generate alternative solutions
  • Agree on final design

Implementation in the SecSDLC
• The security solutions are acquired, tested, implemented, and tested again.
• Personnel issues are evaluated, and specific training and education programs conducted.
• Perhaps the most important element of the implementation phase is the management of the project plan:
  • Planning the project
  • Supervising the tasks and action steps within the project

InfoSec Project Team
• Should consist of individuals experienced in one or multiple technical and nontechnical areas including:
  • The champion
  • The team leader
  • Security policy developers
  • Risk assessment specialists
  • Security professionals
  • Systems administrators
  • End users

Staffing the InfoSec Function
• Each organization should examine the options for staffing of the information security function.
• First, decide how to position and name the security function.
• Second, plan for the proper staffing of the information security function.
• Third, understand the impact of information security across every role in IT.
• Finally, integrate solid information security concepts into the personnel management practices of the organization.

InfoSec Professionals
• It takes a wide range of professionals to support a diverse information security program:
  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • Security Managers
  • Security Technicians
  • Data Owners
  • Data Custodians
  • Data Users

Certifications
• Many organizations seek professional certification so that they can more easily identify the proficiency of job applicants:
  • CISSP
  • SSCP
  • GIAC
  • SCP
  • Security+
  • CISM

Maintenance in the SecSDLC
• Maintenance models focus organizational effort on system maintenance:
  • External monitoring
  • Internal monitoring
  • Planning and risk assessment
  • Vulnerability assessment and remediation
  • Readiness and review

Security Program Management
• Once an information security program is functional, it must be operated and managed.
• In order to assist in the actual management of information security programs, a formal management standard can provide some insight into the processes and procedures needed.
• This could be based on the BS7799/ISO17799 model or the NIST models.

Comparing the SDLC and the SecSDLC
(figure only; not reproduced in text)

Comparing the SDLC and the SecSDLC (continued)
(figure only; not reproduced in text)