Similarly, for a large organization with a number of subsidiaries, the security blueprint process will examine each different business unit, along with the parent company, to determine the strengths of each subsidiary. Rather than the parent company investing and bolstering each area to one level, they can borrow and implement programs from its subsidiaries. This allows executives to take what exists and leverage it across the board, rather than investing in designing a program.

Conclusion

A security blueprint gives an organization a good understanding of the breadth of information security capabilities that should exist within the organization. It also allows the executive team to visualize and measure an overall information security program, greatly simplifying the overall equation in managing security.


By following seven simple steps that address the strategic view, the operational view, and the technology view, executives, security practitioners and business stakeholders can evaluate overall capabilities and align their security program portfolio with the risk expectations of their business.