Effective CISSP Questions

You are the CISO for a global company. After studying the mission, vision, strategic goals, corporate strategy, and business and security requirements, you start to develop the information security strategy. Which of the following should you conduct first?
A. Determine the blueprint and milestones
B. Conduct gap analysis
C. Consider resources and constraints
D. Develop an information security program policy

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Conduct gap analysis.


Strategy Management

Strategy Development

  1. Determine the Desired State
  2. Determine the Current State
  3. Conduct gap analysis
  4. Determine the blueprint and milestones
  5. Consider resources and constraints

Strategy Implementation

  • Develop an information security program policy
  • Implement the information security program

Types of Information Security Policy

Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Program policy

Program policy is used to create an organization’s information security program. Program policies set the strategic direction for security and assign resources for its implementation within the organization. A management official—typically the Senior Information Security Officer (SISO)—issues program policy to establish or restructure the organization’s information security program.

This high-level policy defines the purpose of the program and its scope within the organization, addresses compliance issues, and assigns responsibility to the information security organization for direct program implementation as well as other related responsibilities.

Source: NIST SP 800-12 R1

Issue-specific policy

Based on the guidance from the information security policy, issue-specific policies are developed to address areas of current relevance and concern to an organization. The intent is to provide specific guidance and instructions on proper usage of systems to employees within the organization. An issue-specific policy is meant for every technology the organization uses and is written in such a way that it will be clear to users. Unlike program policies, issue-specific policies must be reviewed on a regular basis due to frequent technological changes in an organization.

Source: NIST SP 800-12 R1

System-Specific Policy

Program and issue-specific policies are broad, high-level policies written to encompass the entire organization, whereas system-specific policies provide information and direction on what actions are permitted on a particular system. These policies are similar to issue-specific policies in that they relate to specific technologies used throughout the organization. However, system-specific policies dictate the appropriate security configurations to the personnel responsible for implementing the required security controls, so that the organization’s information security needs are met on that system.

Source: NIST SP 800-12 R1

Categories of Information Security Policies

In addition to these focused types of security policies, there are three overall categories of security policies: regulatory, advisory, and informative.

  • A regulatory policy is required whenever industry or legal standards are applicable to your organization. This policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance.
  • An advisory policy discusses behaviors and activities that are acceptable and defines consequences of violations. It explains senior management’s desires for security and compliance within an organization. Most policies are advisory.
  • An informative policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers. An informative policy provides support, research, or background information relevant to the specific elements of the overall policy.

Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Wiley.

David’s Model of the Strategic Management Process
