Building an Information Security Program
If security is the chicken and compliance is the egg, which comes first? Based on the answers to the next two questions, you might say security. What do I need to keep my organizational assets safe? Security. Do I need a framework to know that my organization's assets are safe? Yes, compliance.
Can you have security in place without compliance? Of course you can. But how will you measure your security posture and maturity without following a compliance framework?
Ok, enough with the chicken and the egg conundrum; I could go on forever. As global regulations increase in scope and complexity, and security threats multiply, organizations are put in a position where they must decide where to invest: security or compliance. Our answer is to build an Information Security Program which balances the need for stronger security with a compliance structure based on the guidelines, regulations and legislation to which your organization must adhere.
You can develop and implement an Information Security Program using these key steps:
- Identify the Compliance Framework that will be the basis of the security program
- Establish a Security Management Structure
- Perform a risk assessment and review the findings of the assessment in the context of the selected Compliance Framework
- Identify risk levels and establish a priority for developing policies, procedures and controls around these risks
- Implement an active training and education program.
It’s key to note that these are not one-time actions, but iterative steps used to mature the security posture and program over time.
Identify the Compliance Framework
Choosing a compliance framework has two advantages. First, the framework represents the collective guidance of other organizations which have implemented security programs using it, and these frameworks are designed to be tailored to your organization’s requirements. Second, by adopting a framework, you bring a common security vocabulary and understanding of security to your organization, leading to greater collaboration and communication.
Several common frameworks are available for you to build your Information Security Program:
- NIST SP 800 series (several publications, depending on whether you are a federal agency or a non-federal organization; for example SP 800-53 for federal information systems and SP 800-171 for non-federal organizations handling federal information)
- ISO/IEC 27001
These frameworks provide guidance on the key elements of a security program: Governance, Policies, Risk Management, Training and Awareness, Security Controls and Continuous Monitoring.
Establish a Security Management Structure/Committee
Establishing an Information Security Committee is a critical step and needs leadership buy-in from throughout your organization. The person who is ultimately responsible for the security budget should lead the Committee and have support from all areas of the organization, especially Human Resources and Legal. Early involvement of these groups ensures mutual cooperation in establishing policies and procedures which affect your entire organization.
The Committee generally provides guidance on the activities listed below. This list is not intended to be exhaustive, but captures the general scope of activities to be performed:
- Governance: The Committee serves as the governing body for the creation, revision, education, awareness, and enforcement of all policies, standards and procedures whether internal or contractual.
- Risk: The Committee is accountable for ensuring that an appropriate risk posture is assessed and maintained to protect employees, intellectual property and customer property, and to maintain alignment with regulatory requirements.
- Communication: The Committee is accountable for conveying incidents and status to the Chief Executive Officer, Board of Directors, and as appropriate, to employees, customers, media and regulators.
- Decision: Through appropriate governance, assessment, and communication, the Committee will act as a decision-making body on all items pertaining to the Security and Compliance posture and will engage the Chief Executive Officer and others as needed to enable appropriate decisions.
Perform a Risk Assessment and Identify Risk Levels
Assessing your organization’s risk is another important early step in developing an Information Security Program. Without an understanding of your risk you will not be able to determine the proper policies, procedures, guidelines and standards needed to ensure adequate controls are put in place. The risk assessment has three major components: Threat Assessment, Vulnerability Assessment and Asset Identification.
After completing the threat and vulnerability assessments and identifying your at-risk assets, you balance and prioritize your remediation based on the determined risk and the cost to remediate. The decision-making process for prioritizing these risks relies heavily on professional judgement, as it is not always a black and white decision. Knowing where your greatest risks reside, and which of those risks need short-term attention, allows you to build the backbone of your security road-map. With this risk assessment and its prioritized risks on your road-map, you can now address these elements of the program: Risk Management, Security Controls, Policies and Monitoring.
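As an added example (this code is not from the original article), the following Python script shows one way to turn the three assessment components into a prioritized road-map. It uses a simple likelihood x impact scoring model and ranks items by how much risk a planned control removes per unit of remediation cost, so that a cheap fix for a high risk lands ahead of an expensive fix for a slightly higher one. The register entries, the 1 to 5 scales, the rating bands and the short-term threshold are all constructed assumptions for illustration; your own scales and thresholds should come from your chosen framework and the Committee's risk appetite.

```python
"""Risk prioritization for an Information Security Program road-map.

Added example, not code from the original article. The register below is
constructed: every asset, threat, vulnerability, score and cost is hypothetical
and exists only to show the prioritization step after the threat assessment,
vulnerability assessment and asset identification have been completed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str               # from asset identification
    threat: str              # from the threat assessment
    vulnerability: str       # from the vulnerability assessment
    likelihood: int          # 1 (rare) .. 5 (almost certain), current state
    impact: int              # 1 (negligible) .. 5 (severe), current state
    remediation_cost: int    # relative cost of the planned control, 1 (cheap) .. 5 (expensive)
    residual_likelihood: int  # expected likelihood once the control is in place (assumption)
    residual_impact: int      # expected impact once the control is in place (assumption)

    @property
    def score(self) -> int:
        """Inherent risk on a 1..25 scale."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Risk remaining after the planned control."""
        return self.residual_likelihood * self.impact_after()

    def impact_after(self) -> int:
        return self.residual_impact

    @property
    def reduction_per_cost(self) -> float:
        """Risk removed per unit of remediation cost; higher is a better use of budget."""
        return (self.score - self.residual_score) / self.remediation_cost


# Assumed rating bands for the road-map; tune these to your framework.
SHORT_TERM_THRESHOLD = 15


def rating(score: int) -> str:
    """Map a 1..25 score onto High / Medium / Low."""
    if score >= SHORT_TERM_THRESHOLD:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register: High items (short-term attention) first, then by
    risk reduced per unit cost, then by raw score as a tie-breaker."""
    return sorted(
        register,
        key=lambda r: (r.score < SHORT_TERM_THRESHOLD, -r.reduction_per_cost, -r.score),
    )


def build_roadmap(register: list[Risk]) -> list[tuple[str, str, str]]:
    """Return (asset, rating, timing) rows in road-map order."""
    return [
        (r.asset, rating(r.score), "short-term" if r.score >= SHORT_TERM_THRESHOLD else "planned")
        for r in prioritize(register)
    ]


# Constructed register (hypothetical assets and findings).
REGISTER = [
    Risk("customer database", "credential theft via phishing", "no MFA on admin portal", 4, 5, 2, 1, 5),
    Risk("public web server", "exploitation of unpatched software", "patch cadence over 90 days", 4, 4, 1, 2, 4),
    Risk("staff laptops", "device loss or theft", "no full-disk encryption", 3, 4, 2, 3, 1),
    Risk("backup media", "unrecoverable backups", "restores never tested", 2, 5, 1, 1, 5),
    Risk("break-room printer", "information disclosure", "default admin password", 2, 1, 1, 1, 1),
]

if __name__ == "__main__":
    for asset, band, timing in build_roadmap(REGISTER):
        print(f"{timing:10s} {band:6s} {asset}")
```

Note that the web server ranks ahead of the customer database even though the database carries the higher raw score: the patching fix removes nearly as much risk at half the cost. The Low-rated printer item at the bottom is the kind of entry the Committee may choose to formally accept rather than fund.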
Implement an Active Training and Security Awareness Program
Having established your policies, procedures, guidelines and standards based on your risk assessment and compliance framework, it’s time to let everyone know they exist and start the education and training process. An Awareness and Training program is critical to their implementation and crucial to the success of the Information Security Program. Security awareness needs to be visible to employees on a regular basis; if all your hard work just sits around and collects dust, you have wasted a lot of time and effort. Annual security awareness training is necessary to keep everyone up to date on the latest security information, but brief email updates, newsletters, posters and other reminders are equally important.
Summary and Conclusion
Creating an Information Security Program supports an incremental approach towards maturing your organization’s security and compliance.
Choosing a compliance framework introduces a common security vocabulary and improves communication around security issues. Performing a risk assessment within the context of your framework identifies the areas with the highest risk, which in turn prioritizes the policies, procedures and security controls to implement. Continuously auditing and monitoring the program is the true test of whether it is accomplishing its goal and securing your organization. Awareness and training are the cornerstone for building a culture of security and compliance.
An iterative approach to building an Information Security Program affords your organization the ability to set the pace at which the Information Security Program grows and matures. The availability of your resources and personnel, along with the known accepted risk, determines how fast the program matures. Whether you’re a fan of the chicken or the egg, your organization’s security posture will continue to get stronger and stronger as you implement and mature your Information Security Program.
You don’t really need to answer the question of which came first, the chicken or the egg, to secure your organization. You need your security and compliance programs to be proactive and to work together to build an Information Security Program and avoid security failures within your organization. Competing priorities and a lack of resources often prevent organizations from establishing an Information Security Program. If you need help developing, implementing or maturing your program, Sienna Group can provide a customized approach to security and compliance based on our prior industry experience and best practices, and on your priorities and resources.