Your Information Security Program
Introduction and Overview
This article will answer basic questions about an Information Security program, such as:
- What exactly is an Information Security Program?
- What is it comprised of?
- Who does what?
- What good does it do?
- How do we get started?
Your Information Security program is initially created as a project. Once in place, the program itself is sustainable and persistent.
The program exists as a set of policies and procedures covering all aspects of your business operations, including management tasks to provide oversight and quality control. When designed and implemented properly, it will foster a culture where employees will consider security in every action they take, without inhibiting productivity.
The Project
Here is some brief information about initially creating the Information Security program. The process will look familiar if you have project management experience or training.
- Collect business information: master business plan, statement of objectives and activities, list of assets, resources, and critical functions
- Document risk tolerance thresholds as defined by management
- Determine information security goals
- Develop the project charter, including purpose, scope, objectives, and deliverables
- Develop project management plan
- Direct and manage project execution
- Monitor and control project work
- Close project
The Deliverables
When the project is complete, you will have:
- Security Management Strategy
- Threat Modeling Chart
- Risk Management Plan
- Vulnerabilities Management Plan
- Information Security Policy
- Training/Awareness Plan
- Incident Response and Disaster Recovery plans
- Monitoring Plan
The Information Security Policy will be the most visible to users and mid-level managers. It will direct all information security with standards, procedures, and guidelines. This will include directing how security is integrated into your company's core operations, as well as additional tasks, such as training events.
Each of these plans will include a method for reviewing how well it meets your objectives, with defined key performance indicators and a data collection methodology. This lets your assigned Information Security Officer oversee the continuous application and maintenance of your Information Security Program in a methodical and effective manner. Depending on your company's size, you may not have an individual who works only as the Information Security Officer, so you can assign that function to someone as an additional role alongside his or her normal job.
Practical Effects
The greatest overall value of having a working Information Security program is to give you comprehensive visibility of your operations in relation to your knowledge assets, and your plan to mitigate threats to confidentiality, integrity, and availability. That is, you will know where your data is, who has access to it, what they are doing with it, and how it's protected from unauthorized access, corruption, or loss.
It will also give the correct answers to a slew of questions. How many of these do you currently have covered?
- Are permissions properly managed for your applications and documents?
- Do your employees and partners consider information security when doing their work, or do they take shortcuts to get their tasks done no matter what?
- Do users save your company's data in cloud storage accounts that are tied to their privately owned e-mail addresses, outside your company's control?
- When an employee is terminated (or a contractor's term ends), do you have procedures in place to ensure all login accounts are disabled, equipment is recovered, and company data on the worker's privately owned mobile device is removed? Are those procedures followed?
- Do your employees know how to detect and resist social engineering attempts to compromise your system?
- Do you have automated systems to detect insider data breaches? Should you?
- Are your passwords under control? Who has passwords to what? Who should have passwords to your critical systems and accounts?
- Is your company subject to privacy regulations? That is, are there rules that specify what you can do with customer data, breach notification requirements, and system configuration security standards? Do you have internal procedures and technology to comply and avoid fines?
- Do you have a forensic plan, to figure out what happened after a breach so you can take measures to mitigate the damage?
- Should you purchase advanced technological tools for security, such as data loss prevention technology, third-party e-mail security, or a cloud access security broker? If so, which product or products should you get, and how should you deploy them? Read more about tools and technology for information security.
- If your company produces customer-facing software, do your developers employ sound methodology to prevent coding flaws that could allow breaches into your application?
- Is your workstation and server software updated often enough to address known security flaws?
- If you have a server on site, what will happen if it shuts down? Or your database disappears?
- Is your network segmented? That is, do you separate end-user-owned and guest devices from your production data? Should it be?
- Is your data classified? How often should each class of data be backed up, if at all? How far back should you be able to go? Should it be local or offsite?
- Is your data backup monitored? Or did you rely on set-and-forget? If your files vanished, do you know for sure you can get them back?
- How long should data be retained? Where should you archive it?
- Where do your employees keep their files? Are there files that reside only on their laptops, inaccessible to anyone else, and subject to permanent loss if the laptop fails?
- If all your data is deleted, or encrypted from ransomware, how long will it take to restore what you need to get back to work? How long will it take to restore everything?
It's not just data that's covered by your program, but all assets and tools you use, such as your on-premises IT equipment, users' devices, and website or cloud subscription accounts of any kind. Even services that might not seem related to your company's operations, such as software subscriptions or social media (Twitter, Facebook, etc.), can represent threats to your information security, because so many sites allow login accounts to be linked. This means a security flaw in one of these seemingly irrelevant accounts can lead to a major compromise of your company's information. An Information Security program will help manage all of this.
Epilogue
To get started, contact J.D. Fox Exec today.