Successful information security program must add value to business. the value will be added only if the one responsible for implementing information security understand the business.
Successful information security program will protect the business core and will be linked to the business objectives.
To understand the business the following shall be done first
- Read and understand
- The business vision and mission
- The business strategy for the next 3 years or least the current year.
- Get a copy of the organizational chart with description of each department, business unit, sector etc
- Meet each one of the management team (i.e directors, executive managers, managers etc)
- Collect information about the core of the business, why the organization exists
- Develop org chart (if not exist) and list functions of each department
- Who are the stakeholders.
- Who are the decision makers.
- What incidents have been happened before and what was the damage of each.
- Know if any security concerns.
- Understand what regulatory or standards must comply with.
- Meet the Internal Audit department manager
- Collect previous audit report and identify issues related to security
- Help you understand the business
- Identify business priorities
- Identify major risks that require attention and mitigation