It’s difficult for organizations of all sizes, not just those in the middle market, to navigate their information security risks and set up strong programs to address them. Organizations also often fear that establishing an information security program will be costly and time-consuming.
However, smart organizations accept they will face a breach eventually, and there’s a point where precious capital needs to go towards prevention instead of just responding to a security incident.
A more practical approach is to create a cost-effective information security program that uses readily available tools and is built around preventing the threats specific to your organization.
In our article, we’ll break down the process of creating an information security program into six steps and address the following:
What Is an Information Security Program?
An information security program comprises the processes and mechanisms, including technical, administrative, and physical safeguards, designed to protect the security and functionality of your organization from potential hazards and to prevent unauthorized access to its data.
What Are Some Basic, Foundational Information Security Controls?
- Perform due diligence with third parties and business partners that handle sensitive data on your behalf
- Monitor critical systems where sensitive information resides
- Implement encryption for critical business data
- Have a comprehensive vulnerability management program to quickly identify and remediate vulnerabilities, and a well-crafted incident response plan to respond quickly when an incident occurs
- Test these programs annually
- Understand and define who owns information security within the business to assess the existence of proper governance
- Train and educate all employees, especially those who interact with high-risk data, so they understand the associated risks and responsibilities as well as best practices to safeguard it
What Is a Risk-Based Approach to Security Compliance?
When an IT breach makes headlines, the first response for many businesses is to identify the source of the breach and rush to make sure that particular breach can’t happen to them.
However, this often leads to an ongoing game of whack-a-mole because attackers constantly change their tactics, techniques, and procedures.
A technique that worked in one breach can morph into a new strain of malware or an approach that wasn’t anticipated or even previously known, so defending against last week’s breach still leaves you vulnerable.
When your organization takes a more risk-based approach to security compliance, it anticipates and projects problems that might occur to prepare its potential responses and solutions ahead of time. A strong information security program could help you prevent breaches instead of react to them.
Build Your Information Security Program in Six Steps
There are six steps to implement this type of strategy:
- Identify your assets and related threats
- Identify and prioritize risks
- Implement foundational information security controls
- Build a robust information security program
- Develop a security improvement roadmap
- Establish executive support and organizational engagement around the program
Once you implement these steps, they could help keep risk at an acceptable level, so key stakeholders can respond quickly and appropriately to future threats.
Identify Assets and Related Threats
First, take stock of the data you have, then assess its value and threats that may impact it.
The elements necessary to begin building an effective risk-based program include a thorough knowledge of your data, including:
- Access rights
- Threats likely to materialize
A surprising number of organizations don’t know exactly where all their sensitive data resides.
For example, if your organization uses a third-party vendor as part of its IT ecosystem, and most organizations do, your data could be replicated and backed up in multiple places unknown to you.
Identify and Prioritize Risks
Identifying risk encompasses an examination of the people, processes, and systems with which your organization interacts.
Consider the possible objectives of a capable threat actor, such as an advanced persistent threat (APT), the attack vectors available to that actor, and the resources you have for preventing a security breach. It’s also helpful to look ahead at emerging threats.
Implement Foundational Information Security Controls
After you identify risks, you can implement the foundational security controls and processes mentioned above. These should be operational and tested on a regular basis regardless of business size or complexity.
Your testing schedule will depend on several factors including your business model, information architecture, and risk exposure.
Build a Robust Information Security Program
Consider the following areas:
- Governance and management. Create organizational structure, processes, and leadership to define, manage, measure, and keep risk within tolerable levels.
- Threat management. Understand your adversaries and their tactics, techniques, and procedures to put appropriate protections in place and to help anticipate future threats.
- Security monitoring and analysis. Even basic security logging, combined with regular analysis of its output, can detect threats. Quick discovery of an intruder can be the difference between a contained security incident and a full-scale breach.
- Incident response. Perform a mock incident event on an annual basis to test the program design. It’s important to have a defined process, engaged stakeholders, and native security logs available.
- Data security. Protect against unauthorized access to sensitive data through the access controls and encryption described in the foundational controls above, and make sure supporting in-house tools such as firewalls and security information and event management (SIEM) technology are installed and configured correctly.
- Infrastructure security. Choose, harden, and maintain systems appropriate for an internet-connected business.
In addition to these core components, consider and implement input from internal audit, legal, and assurance departments so regulatory requirements and compliance standards are met.
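The security monitoring bullet above says that even a basic security log, if someone actually analyzes it, can reveal an intruder early. The following added example (not code from the article or from Moss Adams) shows what that analysis can look like in practice: it parses OpenSSH-style authentication log lines, flags a burst of failed logins from one source within a short window, and raises a higher-priority alert when a successful login follows such a burst from the same source. The log lines, the threshold of five failures in two minutes, and the assumed year for the timestamps are all constructed for illustration.

```python
"""Minimal sshd auth-log analysis: brute-force bursts and success-after-burst.

Added example; the log lines, threshold, window and YEAR are assumptions.
"""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Syslog-style OpenSSH auth lines, e.g.
#   Mar 14 10:00:01 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51112 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)
YEAR = 2024  # syslog timestamps carry no year; assumed for parsing

Event = namedtuple("Event", "ts result user src")
Alert = namedtuple("Alert", "kind src user ts")


def parse(line):
    """Turn one log line into an Event, or None if it is not an sshd auth result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["result"], m["user"], m["src"])


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detection per source address.

    - 'brute_force': at least `threshold` failures from one source inside `window`
      (reported once per source).
    - 'success_after_burst': an Accepted login from a source that still has
      `threshold` or more failures inside `window`; this is the one to act on first.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    already_reported = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev.src]
        if ev.result == "Failed":
            recent.append(ev.ts)
        # Drop failures that fell out of the window relative to this event.
        while recent and ev.ts - recent[0] > window:
            recent.popleft()
        if ev.result == "Failed":
            if len(recent) >= threshold and ev.src not in already_reported:
                already_reported.add(ev.src)
                alerts.append(Alert("brute_force", ev.src, ev.user, ev.ts))
        elif len(recent) >= threshold:
            alerts.append(Alert("success_after_burst", ev.src, ev.user, ev.ts))
    return alerts


# Constructed sample log: a password-guessing burst from 203.0.113.45 that ends in
# a successful login, plus unrelated noise from two other hosts.
SAMPLE_LOG = """\
Mar 14 10:00:01 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51112 ssh2
Mar 14 10:00:07 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 51118 ssh2
Mar 14 10:00:13 web1 sshd[2235]: Failed password for invalid user test from 203.0.113.45 port 51124 ssh2
Mar 14 10:00:19 web1 sshd[2237]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar 14 10:00:20 web1 sshd[2238]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Mar 14 10:00:25 web1 sshd[2239]: Failed password for deploy from 203.0.113.45 port 51136 ssh2
Mar 14 10:00:31 web1 sshd[2241]: Failed password for deploy from 203.0.113.45 port 51142 ssh2
Mar 14 10:00:40 web1 sshd[2243]: Accepted password for deploy from 203.0.113.45 port 51150 ssh2
Mar 14 10:02:05 web1 sshd[2250]: Accepted publickey for alice from 192.0.2.10 port 39800 ssh2
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts:%H:%M:%S} {a.kind:<20} src={a.src} user={a.user}")
```

The same loop works over a live `tail -f` of the auth log or over a day's worth of exported lines; the point is that the rule is simple enough to run before a SIEM exists, and the "success after burst" case is the one that turns a noisy scanner into a probable intrusion worth escalating.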
Develop a Security Improvement Roadmap
Use your risk prioritization scorecard and chart to select the top risks to be reduced first. Typically, you can find these in the upper right quadrant of the risk prioritization chart.
This could involve process changes, incorporating new or updated technology into the organization, or additional staffing. These remediation efforts become the basis for new roadmap projects.
Costs, timelines, and staffing needs are identified for each project, along with estimated risk reduction values. Depending on the information security maturity of the business, the projects can be foundational, advanced, administrative, or technical in nature.
Establish Executive Support and Organizational Engagement
It’s the responsibility of information security leadership to clearly articulate to executive leadership the value of funding these programs and what they can achieve.
One of leadership’s most important tasks is to secure appropriate funding and resources, which can be a daunting obstacle, especially if there’s a trend within the organization towards a higher-than-average risk tolerance.
However, information security should be an active board room topic. If it’s not, find a supporter or executive sponsor for the information security program. Inform this sponsor about information security, what the program aims to achieve, and expectations for the executive leaders so they can support security initiatives.
Quantifying risk in terms of dollars spent versus dollars lost is an effective way to get the attention and support of executive leadership.
What Is a Risk Prioritization Scorecard?
Once risks are identified, you can rank them based on operational goals, business risk tolerance, regulatory considerations, and other criteria depending on what’s most important to the business. The processes that handle sensitive data must also be known and documented.
Once you’re familiar with your sensitive data and its possible threats, you can develop a risk prioritization scorecard. The scorecard catalogues each risk in a spreadsheet and scores its impact according to whether confidentiality, integrity, or availability could be compromised.
The individual risks are then plotted on an X-Y graph with likelihood to occur on the X axis and impact of occurrence on the Y axis. The risk prioritization chart, derived from the risk scorecard, visually shows in the upper right quadrant the most likely and impactful risks facing the business—and those that should be addressed first.
While this process is somewhat subjective and qualitative, take care to build it carefully because it will serve to inform executive leadership of the business risk profile.
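To make the scorecard and chart described above concrete, here is an added example (not code from the article or from Moss Adams) that implements the same steps in a small script: each risk is scored for impact on confidentiality, integrity, and availability, plotted by likelihood (X) and worst-case impact (Y), and the upper-right quadrant is pulled out as the set to reduce first, which is also the input the roadmap section above asks for. The 1-5 scales, the midpoint used to split the chart into quadrants, the tie-breaking on regulatory exposure, and the sample risks are all assumptions made for illustration; the article prescribes none of them.

```python
"""Risk prioritization scorecard and X-Y chart, as an added worked example.

Scales, quadrant threshold, tie-break rules and sample risks are assumptions.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scales for likelihood and impact
THRESHOLD = 3                # at or above this counts as "high" on either axis

UPPER_RIGHT = "upper-right"  # likely and impactful: address first
UPPER_LEFT = "upper-left"    # impactful but unlikely
LOWER_RIGHT = "lower-right"  # likely but low impact
LOWER_LEFT = "lower-left"    # neither


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # X axis: how likely the risk is to materialize
    confidentiality: int = 0   # impact if confidentiality is compromised (0 = unaffected)
    integrity: int = 0         # impact if integrity is compromised
    availability: int = 0      # impact if availability is compromised
    regulatory: bool = False   # regulatory exposure, used only as a tie-breaker

    def __post_init__(self):
        if not SCALE_MIN <= self.likelihood <= SCALE_MAX:
            raise ValueError(f"{self.name}: likelihood must be {SCALE_MIN}..{SCALE_MAX}")
        cia = (self.confidentiality, self.integrity, self.availability)
        if any(not 0 <= v <= SCALE_MAX for v in cia) or max(cia) == 0:
            raise ValueError(f"{self.name}: needs at least one C/I/A impact in 1..{SCALE_MAX}")

    @property
    def impact(self) -> int:
        """Y axis: worst-case impact across confidentiality, integrity, availability."""
        return max(self.confidentiality, self.integrity, self.availability)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def quadrant(self) -> str:
        high_likelihood = self.likelihood >= THRESHOLD
        high_impact = self.impact >= THRESHOLD
        if high_likelihood and high_impact:
            return UPPER_RIGHT
        if high_impact:
            return UPPER_LEFT
        if high_likelihood:
            return LOWER_RIGHT
        return LOWER_LEFT


def prioritize(risks):
    """Rank risks: upper-right quadrant first, then score, then regulatory exposure, then name."""
    return sorted(
        risks,
        key=lambda r: (r.quadrant != UPPER_RIGHT, -r.score, not r.regulatory, r.name),
    )


def chart(risks):
    """Group risk names by quadrant, as the X-Y risk prioritization chart presents them."""
    grid = {q: [] for q in (UPPER_LEFT, UPPER_RIGHT, LOWER_LEFT, LOWER_RIGHT)}
    for r in prioritize(risks):
        grid[r.quadrant].append(r.name)
    return grid


def roadmap_candidates(risks):
    """The risks to reduce first: those plotted in the upper-right quadrant, in rank order."""
    return [r for r in prioritize(risks) if r.quadrant == UPPER_RIGHT]


# Constructed sample scorecard (illustrative only, not real assessment data).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", likelihood=4, confidentiality=3, integrity=5, availability=5),
    Risk("Phishing leading to credential theft", likelihood=5, confidentiality=3, integrity=2),
    Risk("Vendor keeps backup copies of customer data", likelihood=3, confidentiality=4, regulatory=True),
    Risk("Data center physical intrusion", likelihood=1, confidentiality=5, availability=4),
    Risk("Stale contractor accounts", likelihood=4, confidentiality=2, integrity=2),
    Risk("Defacement of marketing site", likelihood=2, integrity=2, availability=1),
]

if __name__ == "__main__":
    for rank, r in enumerate(prioritize(SAMPLE_RISKS), 1):
        print(f"{rank}. [{r.quadrant:>11}] L={r.likelihood} I={r.impact} score={r.score:>2}  {r.name}")
```

Using the worst of the three CIA scores as the Y value keeps a risk that only touches availability from being diluted by zeros on the other axes; whether you prefer the maximum, a weighted sum, or a separate score per property is exactly the kind of judgement the article warns is subjective, so record the rule you chose on the scorecard itself so leadership can see how the chart was built.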
We’re Here to Help
To learn more about how you can protect your organization with a cost-effective information security program, contact your Moss Adams professional.