Security & Compliance
30 day - 6 month - 1 year Plan

Key Components of a Security Program
- Security Governance
  - Policies & Procedures
  - Security Project & Program Management
  - Gap Remediation Management & Advisory
  - Enterprise Risk Management, Vendor Security
  - Internal & External Audit Management
  - Interaction with external stakeholders (customers, vendors, etc.)
- Security Engineering
  - Code & Platform Security
  - SSDLC, Coding Standards, Pen Testing
  - IT & Network Security Architecture
- Security Operations
  - Security Incident Management
  - Patch & Vulnerability Management
  - Business Continuity and Disaster Recovery
First 30 days

- Interview key stakeholders (e.g. IT, Operations, Legal) to discover burning issues, key business initiatives and applicable compliance frameworks (e.g. PCI, SOX).
- Establish a security baseline by performing a gap assessment with a focus on preventive controls.
- Inventory all functions, applications, processes and assets. Identify owners for all applications.
- Identify, and update if required, key architecture diagrams for the production stack of all business functions and for the internal corporate network.
- Ensure that all critical data is being backed up, and that all backend jobs and maintenance scripts, including backup scripts, are inventoried and scheduled appropriately.
- Start remediation of key preventive controls if found missing, e.g. two-factor authentication to the production environment, and closing all unnecessary ports and protocols at the perimeter (for both ingress and egress).
3 Months

- Develop a one-year information security roadmap, remediation plan and budget. Prioritize remediation based on:
  - Criticality and impact
  - In-scope regulatory compliance frameworks
- Start remediation on key processes, e.g. access management, change management and release management.
- Start remediation on key engineering gaps, e.g. logging infrastructure, static and dynamic code analysis.
- Assess the security incident management process and ensure the people, process and technology components are in place to support incident management.
- Operationalize missing security controls and develop a "controls calendar" with frequency and evidence requirements, to ensure evidence is collected on a timely basis wherever required.
- Create or redesign base security and operations processes, e.g. BCP/DR.
1 year

- Meet regulatory compliance requirements (e.g. PCI, SOX) by passing audits performed by an independent third-party auditor.
- Ensure all security controls at the system, network, endpoint, application, data and user level are well designed and operating effectively.
- Continuous improvement: develop key security metrics for reporting and continuous improvement purposes. Establish an Information Security Steering Committee to ensure security activities are aligned with the business.
- Decentralize security by embedding security resources within business functions.
- Ensure that the organization can respond to emerging threats by detecting and responding to them in a time-sensitive fashion.

Security and Compliance Initial Roadmap