ABSTRACT
Whether an organization is building a security team
from scratch or assessing the strength and success of
its current team with a view to adding resources or
functionality, a common set of principles and process
steps applies. The first
preliminary process is the gathering of information. For a
new security program or organization, this could be an
extensive effort. Information can be gathered by existing
staff or a consulting service. A business analyst or project
manager could lead this effort, as could a security
practitioner or professional. There may already
be an information library or website that documents
policies, procedures, guidelines, business and technical
goals and plans, etc. Further information
can be gathered through discussion, group meetings,
questionnaires, and interviews. The essential step is to
identify key stakeholders and subject area experts. Industry
research and benchmarking can also help an organization
define its outcome and action and support its decisions
and recommendations.