Security strategy refers to the overall plan to effectively identify and manage risks.

Why a Security Strategy?

A security strategy provides management with a roadmap for the effective management of its risks. It is a systematic approach to proactively anticipating a risk occurrence and implementing appropriate countermeasures to effectively mitigate the risk.

What is Risk?

Risk is the probability of occurrence of an uncertain event that could have a negative impact on the business.

An information security strategy requires:

a. A definition of the organization's information security goals to successfully support its specific business operations and its financial, strategic and compliance objectives.
b. An evaluation of the organization's business environment to identify internal and external risk factors that may negatively impact its business success.
c. A compilation of the organization's entire risk universe, analyzed to identify the risks with the highest impact, that is, the areas of highest risk exposure.
d. A consideration of alternative best-practice risk management approaches for the high-risk areas.
e. An evaluation of existing practices to determine the control activities gap.
f. An implementation of benchmark controls to effectively remediate or mitigate risks.
g. Periodic reviews to ensure the continued effectiveness of controls.
h. Timely remediation and re-evaluation of identified control weaknesses.
i. Setting metrics for evaluating the continued effectiveness of control actions.

In order to ensure appropriate coverage of the above requirements, an information security strategy must integrate all existing business practices (operational, financial, personnel, technological, strategic and statutory requirements) so that processes and results are effectively optimized toward the success of the organization's overall business objectives.
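The following is an added illustration of requirements b through g, not part of the original article: a small risk register that compiles a risk universe, ranks it by exposure (probability of occurrence times size of impact, as the definition of risk above implies), selects the high-risk areas, and compares benchmark controls against existing practice to produce the control gap and a remediation plan. The 1-5 likelihood and impact scale, the exposure threshold of 12, and every risk, owner and control named below are constructed assumptions chosen for the example; the article prescribes no particular scoring scheme.

```python
"""Risk register and control-gap analysis (added example, not from the article).

Assumptions: likelihood and impact are rated 1..5, exposure = likelihood * impact,
and an exposure of 12 or more (on the 1..25 scale) counts as "high risk".
All risks, owners and controls are constructed sample data.
"""
from dataclasses import dataclass, field

HIGH_RISK_THRESHOLD = 12  # assumption: exposure >= 12 is treated as high risk


@dataclass
class Risk:
    area: str          # business area the risk belongs to
    description: str
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)
    owner: str         # accountable role (establishing ownership)
    benchmark_controls: set = field(default_factory=set)  # best-practice controls expected
    existing_controls: set = field(default_factory=set)   # controls actually in place

    def __post_init__(self):
        # Reject ratings outside the agreed scale so rankings stay comparable.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def exposure(self) -> int:
        # Probability of occurrence times size of the negative impact.
        return self.likelihood * self.impact

    @property
    def control_gap(self) -> set:
        # Benchmark controls not yet implemented (requirement e).
        return self.benchmark_controls - self.existing_controls


# Constructed sample risk universe (requirement c).
RISK_UNIVERSE = [
    Risk("Finance", "Unauthorized payment approval", 2, 5, "CFO",
         {"dual approval", "approval audit log"}, {"dual approval"}),
    Risk("IT", "Unpatched internet-facing servers", 4, 4, "CIO",
         {"patch SLA", "vulnerability scanning", "asset inventory"},
         {"asset inventory"}),
    Risk("Personnel", "Privileged access kept after role change", 3, 4, "HR Director",
         {"joiner-mover-leaver process", "quarterly access review"},
         {"joiner-mover-leaver process", "quarterly access review"}),
    Risk("Compliance", "Late regulatory filing", 2, 2, "Compliance Officer",
         {"filing calendar"}, {"filing calendar"}),
]


def rank_by_exposure(risks):
    """Return the risks ordered from highest to lowest exposure (requirement c)."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)


def high_risk_areas(risks, threshold=HIGH_RISK_THRESHOLD):
    """Areas whose exposure meets the threshold; these get benchmark controls first (requirement d)."""
    return [r.area for r in rank_by_exposure(risks) if r.exposure >= threshold]


def remediation_plan(risks, threshold=HIGH_RISK_THRESHOLD):
    """Map each high-risk area with an open gap to its owner and the controls still to implement.

    Covers requirements e and f. High-risk areas with no gap are omitted here;
    they move on to periodic review (requirement g).
    """
    plan = {}
    for r in risks:
        if r.exposure >= threshold and r.control_gap:
            plan[r.area] = {"owner": r.owner, "implement": sorted(r.control_gap)}
    return plan


if __name__ == "__main__":
    for r in rank_by_exposure(RISK_UNIVERSE):
        print(f"{r.exposure:>2}  {r.area:<11} {r.description}  gap={sorted(r.control_gap)}")
    print("High-risk areas:", high_risk_areas(RISK_UNIVERSE))
    print("Remediation plan:", remediation_plan(RISK_UNIVERSE))
```

Run as a script, the register lists IT (exposure 16) and Personnel (12) as the high-risk areas; only IT carries an open gap, so the remediation plan assigns the CIO two controls to implement, while Personnel, already at its benchmark, goes to periodic review. Re-running the same analysis after each review cycle is what requirements h and i call for: the metrics are the exposure scores and the size of the remaining gap.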
Following is a suggested roadmap, summarized into nine phases, as a guide to the successful development of an information security strategy.

The Nine Steps Roadmap

1. Plan and Scope
2. Perform Risk Assessment
3. Identify Significant Accounts and Controls
4. Document Controls Design
5. Evaluate Controls Design
6. Evaluate Operational Effectiveness
7. Identify and Remediate Deficiencies
8. Document Processes and Results
9. Build Sustainability

To ensure the success of an information security strategy, an organization must effectively identify, characterize, assign ownership of, analyze and continuously manage its risks to meet its specific needs on an ongoing basis.

Salman Akorede is an information risk management consultant.