Be Your Organization’s Security & Compliance Goalie
I recently wrote about how to get your company to commit to improving its security and compliance by starting at the top and getting top brass buy-in. But once you’ve got agreement that your organization wants everyone to participate in improving data security and compliance, how do you translate that to reasonable goals that every department can relate to? And how do you pick goals and metrics that align with the major standards you need to meet, such as HIPAA, FISMA, FIPS 140-2, PCI-DSS and Safe Harbor provisions?
Most of the research on improving security, and indeed on any type of measurement-by-objectives program, says that for success your goals need to be clear, attainable and measurable. But how do you know what individual department goals should be? And how do you figure out what to monitor, how to do it, and how often to measure effectiveness variables?
Luckily, you don’t have to reinvent the wheel. Courtesy of the SANS Institute, which provided much of this information, here are a few common types of security goals and evaluation criteria you can set up for different parts of your company, summarized in the following checklist.
Checklist: How to Measure Important Security Effectiveness Goals
It might seem a bit daunting to set up procedures, training and measurement criteria for your company and monitor how well you’re doing. But it is much easier to be proactive and enlist the support of all the employees in your company to take responsibility for their part in creating data security and compliance than it is to have to ask those same people to help with major damage control later, after the company’s reputation and data have been severely compromised. You can pay for security now, or you can pay a lot more later. It takes some consideration, resources and investment upfront, but the corporate payoff will be invaluable.