Developing a written information security program – Module 1
Data Flow Assessment and Drafting of the Written Information Security Program
The first step in developing an information security program is assessment. Assessing and then drafting a written program for data privacy management is a huge task but is only the beginning of the journey towards information security for an enterprise. To follow are the general steps, or as I call them, phases, that I go through in order to begin the journey.
Phase 1: Define Timetable, Discuss Participants and Communicate Expectations
In the first meeting, I spend time developing a more detailed understanding of the scheduling and timetable for the tasks necessary for completion, discussing the personnel it will be necessary to meet with, and discussing the access and communication expectations.
Phase 2: Assessment
During phase two, we gather detailed information from the organization’s personnel about the current data flow, data security, business needs and uses of the data, access to physical and digital information and analysis of data in transit. This includes initial interviews, some of which can be handled by telephone, questionnaires and time spent following up with telephone calls and email correspondence.
Phase 3: Data Compilation & Analysis
During this phase, we review the collective research from phase 2 in preparation for the drafting of the WISP.
Phase 4: Additional Assessment Requirements
After the analysis and compilation of Phase 3, it will be determined whether additional consultants are necessary to assess data encryption and data security from a technical IT perspective. If necessary, consultants will be sought and recommended by MLO and engaged by your organization for this assessment.
If internal IT staff or IT consultants have been involved from the beginning of the process, their assessment phase runs concurrently with ours and their findings are compiled together with the rest of the data.
Phase 5: Drafting the WISP
Based on the assessment and the data analysis, we then prepare an initial draft of a comprehensive written information security program which is (1) compliant with all relevant laws and regulations, and (2) strategically feasible from the standpoint of the mission and business frameworks of the organization.
Phase 6: Presentation and Discussion of the Draft WISP
The WISP, after review by key staff, will be discussed in detail for refinement and amendment as necessary.
Phase 7: Refinement of WISP
At this stage, we continue to refine the WISP in response to feedback obtained at the presentation and discussion meeting and will include additional follow-up drafts and communication as necessary to finalize the WISP.
Phase 8: Presentation to Decision-makers at Adoption Meeting
In order to begin the training and implementation process and to properly adopt the new policies on a corporate level, we then present the WISP at a meeting of executives, board members or others having final decision-making authority for the adoption of the WISP.
Phase 9: Implementation Planning
This phase is the transitional phase into the next module. To be effective (and, in most cases, minimally compliant with the relevant regulations), the WISP will need to be implemented and monitored, and the employees will need to be trained. Training and implementation strategies, including the investment in and launching of new or updated technology solutions, are devised, and a matrix of tasks relative to the implementation is drafted.
Depending on the size and complexity of the organization, these tasks may have to be adjusted. This process, if ambitiously pursued, can take anywhere from 60 days to a full year.
This is how I approach the development of an enterprise-wide information security program. Do you do it differently?