Roadmap to Implementing a Successful Information Security Program
Be it for proprietary information or personal information of customers, a security program and recovery plan are essential components of doing business in a digital age. Below is a simplified roadmap to help your business implement a successful information security program.
Step 1: Create an Information Security Team
Your first step should be to assign team members to manage the creation of the information security program. This team will manage the building of the program’s security framework and system design. The team should consist of an executive sponsor and a management-level member from each department of the organization. Some of the team’s responsibilities may include:
- Creating an inventory of physical and digital assets
- Assigning managers or owners to each asset
- Identifying regulatory compliance and standards as required
Step 2: Design a Plan for Incident Management and Disaster Recovery
One of the most critical steps in implementing an effective Information Security Program is to implement a robust Incident Management program to identify and resolve security and operational issues within the organization. To ensure an Incident Management program is providing the most assurance possible, it is critical for an organization to implement an Incident Response Policy that includes procedures for:
- Incident handling – procedures to collect, assess, and have appropriate actions taken to resolve the incident;
- Incident escalation plan – defined incident classifications (i.e., high, medium, low impact) and instructions for handling and escalating incidents in each classification;
- Roles and responsibilities – document the employees responsible for each phase of the incident resolution process such as responsibilities for monitoring, identifying, and resolving incidents;
- Incident testing – perform and document incident response testing such as tabletop or simulation exercises;
- Incident reporting and monitoring – procedures for reporting incidents to stakeholders, including maintaining documentation of each step of the resolution process and implementing automated measures to assist in the identification, tracking and notification of incidents (e.g., Intrusion Detection and Prevention Systems); and
- Post-incident lessons learned – regularly occurring meetings in which management reviews incidents and develops plans for preventing similar incidents in the future.
Implementing an effective Incident Management Program also gives an organization additional insight and guidance when developing a Business Continuity and Disaster Recovery Plan. The information security team should come up with a plan for recovering from a disaster or major incident, whether it is internal tampering with the system, an external hacker hijacking information, or a power outage caused by a natural disaster. What will your company do if this occurs? Who is responsible for each stage of the plan? What are the Recovery Time and Recovery Point Objectives? A plan detailing what to do and the role of each employee will help the company recover from the disaster as soon as possible.
Step 3: Assess and Manage Risks
Where are the vulnerabilities in your current information security program? What are the critical assets within the company that could be vulnerable to external attacks? Which systems and data are the most critical to secure? Where are the systems and data physically located and how are those locations secured? Which vendors does the company use and what services are provided? A thorough risk assessment can help you identify where you need to shore up your physical and digital defenses to mitigate internal and external risk factors. Then take the necessary steps to manage those risks.
Step 4: Train Employees
Now that you have an information security team that has developed a plan, prepared for major incidents and assessed the risks, it’s time to bring the rest of your employees up to date on protocols and expectations. Any time a policy or procedure changes, your employees need to be brought up to date. It is also important to document and retain evidence of training to verify that employees are consistently educated on their responsibilities as they pertain to information security.
Step 5: Manage Accessibility
Many threats to system security are internal. Something as simple as not checking a third party’s access to the database or forgetting to disable a former employee’s user name and password can leave an entire system vulnerable. Because internal users are responsible for activities such as network configuration, database management, application security, etc., there is a risk of the user performing activities to compromise the integrity and privacy of customer data. Manage accessibility to ensure that only trustworthy individuals have access and that third parties accessing your systems have sufficient security measures in place. Some methods for managing the threat of an internal user compromising a system and/or data include:
- Granting access to users on a ‘Need-to-Know’ or ‘Least Privilege’ basis, providing users access based on their job responsibilities; and
- Implementing a process to log and review user activity.
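The two controls above (least-privilege access based on job role, and logging and reviewing user activity) are easiest to see in a periodic access review. The script below is an added example, not code from the original article or from Barr Assurance & Advisory; it assumes a constructed account inventory, a constructed list of terminated users from HR, a hypothetical role-to-entitlement map, and constructed activity log lines in a simple key=value format. It flags former-employee accounts that are still enabled, accounts (internal or third-party) holding entitlements beyond their role, enabled accounts that have gone unused, and logged actions that come from unknown or terminated accounts or fall outside what the account was granted.

```python
from dataclasses import dataclass
from datetime import date

# Entitlements each job role is expected to hold. Constructed example data,
# not from the original page; a real program would load this from its
# role definitions.
ROLE_ENTITLEMENTS = {
    "dba": {"db:read", "db:write", "db:admin"},
    "developer": {"db:read", "repo:write"},
    "vendor-support": {"app:support"},
}


@dataclass
class Account:
    username: str
    role: str
    entitlements: set
    enabled: bool
    last_login: date
    third_party: bool = False


# Constructed account inventory (hypothetical usernames).
ACCOUNTS = [
    Account("alice", "dba", {"db:read", "db:write", "db:admin"}, True, date(2024, 3, 1)),
    Account("bob", "developer", {"db:read", "repo:write", "db:admin"}, True, date(2024, 2, 28)),
    Account("carol", "developer", {"db:read", "repo:write"}, True, date(2023, 10, 1)),
    Account("acme-support", "vendor-support", {"app:support", "db:read"}, True,
            date(2024, 3, 3), third_party=True),
]

# Users the HR system reports as having left the company (constructed).
TERMINATED_USERS = {"carol"}

# Date the review is run (constructed).
REVIEW_DATE = date(2024, 3, 4)

# Constructed activity log lines: timestamp followed by key=value pairs.
ACTIVITY_LOG = [
    "2024-03-03T09:15:00Z user=alice action=db:admin target=customers",
    "2024-03-03T09:20:00Z user=carol action=db:read target=customers",
    "2024-03-03T10:02:00Z user=acme-support action=db:write target=customers",
    "2024-03-03T11:00:00Z user=ghost action=db:read target=customers",
]


def review_access(accounts, terminated_users, today, stale_days=90):
    """Compare each account against HR status and its role's expected entitlements.

    Returns a list of (username, finding) tuples in inventory order.
    """
    findings = []
    for acct in accounts:
        if acct.enabled and acct.username in terminated_users:
            findings.append((acct.username, "former employee account still enabled"))
        # Least privilege: anything beyond the role's entitlement set is excess.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set())
        if excess:
            who = "third-party" if acct.third_party else "internal"
            findings.append((acct.username,
                             f"{who} account holds entitlements beyond its role: {sorted(excess)}"))
        if acct.enabled and (today - acct.last_login).days > stale_days:
            findings.append((acct.username, f"enabled but unused for more than {stale_days} days"))
    return findings


def parse_event(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["timestamp"] = timestamp
    return event


def review_activity(log_lines, accounts, terminated_users):
    """Flag logged actions from unknown or terminated accounts, or outside granted entitlements."""
    by_user = {acct.username: acct for acct in accounts}
    findings = []
    for line in log_lines:
        event = parse_event(line)
        user, action = event["user"], event["action"]
        acct = by_user.get(user)
        if acct is None:
            findings.append((user, f"activity from unknown account: {action}"))
        elif user in terminated_users:
            findings.append((user, f"activity from former employee account: {action}"))
        elif action not in acct.entitlements:
            findings.append((user, f"action outside granted entitlements: {action}"))
    return findings


if __name__ == "__main__":
    for user, issue in review_access(ACCOUNTS, TERMINATED_USERS, REVIEW_DATE):
        print(f"[access] {user}: {issue}")
    for user, issue in review_activity(ACTIVITY_LOG, ACCOUNTS, TERMINATED_USERS):
        print(f"[activity] {user}: {issue}")
```

Run as-is it prints the findings for the constructed data: bob and the third-party support account hold more than their roles require, carol is a departed employee whose account is still enabled and still generating activity, and an account absent from the inventory appears in the log. The access review and the activity review deliberately use the same role and HR data, so a gap in one (an entitlement nobody revoked) shows up as an anomaly in the other (an action that should not have been possible).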
Step 6: Annual Audit
Once an information security program is in place at your company, a great way to determine the effectiveness of the program is to hire a third-party assessor to perform vulnerability assessments and/or audits of the program. A vulnerability assessment could include penetration tests and automated scanning tools to identify weaknesses in networks, systems and applications. In addition, a third-party assessor could be hired to perform audits against criteria such as ISO 27001, PCI DSS, FedRAMP, and HITRUST, as well as SOC 2® Reports using the AICPA Trust Service Principles.
Creating a team to focus on the design and implementation of an information security program is the first step. Once the team has done its job, test your new program with an audit and mitigate any risks that crop up. For more information on information security programs and assessments, contact Barr Assurance & Advisory Inc.