Describe three steps required for an organization to develop an information-centric security strategy.

What will be an ideal response?

Any combination of the following.
1. Create and communicate an enterprise software security framework: The roles, functions, responsibilities, operating procedures, and metrics to deal with security threats and attacks must be clearly defined and communicated to all involved staff.
2. Knowledge management training: To create a culture for enforcing IT security, an organization should improve the security knowledge of its IT staff and community of users: security policy, standards, design and attack patterns, threat models, etc.
3. Secure the information infrastructure: Along the IT-enabled business process or workflow, security checks using external programs should be identified to allow for monitoring and controls.
4. Assure internal security policy and external regulator compliance: The organization should make sure that, based on IT risk assessment, security requirements are translated into features of the software design to resist attack.
5. Governance: In any project that involves security, security experts must be called upon to participate in the design and implementation process of the system development or maintenance. Proper procedures should be clearly defined before any security breach occurs.

Business
