“Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
— Lewis Carroll, Alice in Wonderland

Where to begin with information security?

At first glance, it is a multifaceted field, covered with tempting baubles and sharp thorns. As you probe a bit deeper, you find the framework upon which the whole field is suspended — that of governance.

The National Institute of Standards and Technology (NIST) describes information security governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. This requires both an understanding of and alignment with business strategy and requirements.

To bring about this alignment, the security strategy should be enacted “top down” from the boardroom. This begins with Information Security Policy.


Information Security Policy should state the basic security needs of an organization in non-technical business terms. A good example is an acceptable use policy (AUP). An AUP clearly states how a user of a resource may (or may not) use that resource, but it does not delve into the specifics of use. It may broadly address risk areas. It is not a long list of “thou shalt not” but rather a set of rules for what is acceptable in a corporate sense.

For example, the SANS Institute’s AUP sample template includes:

Under no circumstances is an employee of this company authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing company-owned resources.

Note that this SANS example is broadly descriptive. There are no specifics. Policy may also state penalties for violation, usually non-specific disciplinary action, or dismissal.

Policies, in turn, become more specific when refined into processes.


While policies address the question of “Why?”, standards answer the question “What?”

What tools should be used? What products does an organization support? What security domain should be adopted? These are questions that are addressed in standards.

Another definition of a standard comes from James Lieb, founder of Right Strategy Solutions: “A standard translates policy into architecture.” Where an information classification policy would describe the need to classify and separate data, an information classification standard would describe into what containers the information must be divided, and how it must be decommissioned or destroyed.

A standard need not be static. Some standards cover emerging, current, and declining technologies. How these standards are applied is described in processes, the subject of next week’s blog entry.

This is part 1 of a 3-part series.

1. The Secrets Behind Information Security Organization
2. What is SAAP? It is Security as a Process
3. Three Elements that Complete the Governance Pyramid

Michael D. Weisberg, CISSP, CSM, is Vice President of Information Security and Assurance Services at Garnet River LLC and the Director of Cyber Security Programs at the School of Professional and Continuing Education at the Sage Colleges in Albany, NY. As an information security leader and subject matter expert, Michael has been a contract CISO for several organizations.