Elements of a Good Infosec Program
Some are more advanced / comprehensive than others so keep that in mind.
I’ve been interviewing candidates lately helping clients fill information security leadership roles. Sometimes when I need to baseline the candidate, I’ll ask them to list for me all the elements of a good information security program, or variations thereof.
So here’s a quick list of elements of a good infosec program, in no particular order. Some are more advanced / comprehensive than others so keep that in mind.
Infosec Policies and Governance
Bug Bounty Program
SAST / DAST Checking
Incidence Response Plan (Calling this out outside of Policies above because it’s often missed. If you had nothing, I’d rather you had a good IR plan than a bunch of template policies no one has looked at. Want next level? Do some tabletop exercises. /rant )
Security Awareness Program
Email and Phishing Protection
Disaster Recovery Plan
Ok, there you go. It’s not a super comprehensive list, it’s 80% of it at least. Just a quick brain dump of items off the fly at 10pm at night!
Have an awesome week!