
Implementing an Effective IT Security Program

The purpose of this paper is to take the wide variety of US federal laws, regulations, and guidance, combined with industry best practices, and define the essential elements of an effective IT security program. The task may seem impossible given the thousands of pages of security documentation published by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), the National Security Agency (NSA), and the General Accounting Office (GAO), just to name a few. However, this paper will highlight the important elements in a short, easy-to-read guide that gives the reader a good basis for implementing an effective security program. The five critical elements of a security program according to the GAO Federal Information Systems Control Manual (FISCAM) are the following:

1. Periodically assess risk
2. Document an entity-wide security program plan
3. Establish a security management structure and clearly assign security responsibilities
4. Implement effective security-related personnel policies
5. Monitor the security program's effectiveness and make changes as necessary

This paper will use this framework as the overall structure and integrate further detail from NIST, OMB, NSA and others to clarify these areas.

80 (PDF, 1.69MB)

28 Aug 2002
By Kurt Garbars