One of the biggest threats for organizations today is the threat of the unknown. For many IT departments and Security Teams, it is a constant battle to know your enemy and protect the organization’s assets from being stolen or corrupted. Not long ago, installing a firewall for the network and anti-virus on workstations was adequate protection. Times have changed, and building a security program requires planning, specifically a good balance of Strategic, Tactical and Operational planning.
Strategic planning is all about allocating the right resources to satisfy long-term goals and protecting the data that helps make your organization valuable. As Darren Dannen explains, “Strategic planning is an organization’s process of defining its strategy or direction and making decisions about allocating its resources to pursue this strategy.” The decisions come mostly from management and are the guiding principles for everyday decisions made throughout the organization. Things to consider would include: What is important to protect? What needs to be monitored? How would you respond to threats? And how do you determine if you need outside assistance?
With these decisions made, the next step is to address Tactical planning, or the implementation of your organization’s strategy. The key here is building a security operations structure that is clear and effective in helping identify and stop attacks. One of the most important aspects of Tactical planning is clearly defining the proper roles within management and your security teams to define the structure of the organization. For healthcare organizations, that means stating who the Security Officer is and outlining Emergency Response Teams to react during a breach or security incident. The next step in Tactical planning is addressing training and techniques. This is when your organization establishes administrative, technological, operational, and analytical procedures to support both immediate and long-term goals.
In support of Strategic and Tactical planning is Operational planning. These activities revolve around protecting information assets through everyday tasks. According to Darren Dannen, there are five basic functions to plan for:
- Vulnerability management
- Device management
- Threat Analysis
- Incident Response
Some key areas to address within these functions include patch management, vulnerability scanning, log, auditing, and risk mitigation. This planning process does not happen overnight and can require extra resources to get off the ground. If your organization needs assistance, contact RISC Management. Remember that the first step in establishing any security program is a Risk Analysis. If you don’t identify, analyze, and document your risk, you’ll never effectively manage it.
Sponsored by: RISC Management, www.RISCsecurity.com
Implementing Information Security in Healthcare: Building a Security Program