Formalizing your information security program is a critical step to drive information security capability maturation in any organization. The intent of formalizing a program is to get clear on focus and ensure everyone is on the same page about who is doing what.
From our experience, building a great information security program starts with asking the right questions. At Avalution, we build information security programs from the top down, starting with the strategy of the business and focusing on the following five key questions:
- Why do we have an information security program?
- What are we going to protect?
- How are we going to achieve it?
- Who is responsible and accountable?
- What are the results going to look like?
Let’s take a closer look at each.
Why do we have an information security program?
Most information security programs exist to address a combination of the following reasons:
Regulations Require It: In heavily regulated industries, such as healthcare, finance, and utilities, regulations demand strong information security programs. Outside of these industries, the most common regulations are focused on personally identifiable information (PII), personal health information (PHI), and payment card information (PCI). Any organization that holds this type of data (on employees and/or customers) is required, through regulatory action, to protect the information. These requirements vary by industry and location/jurisdiction, but your ability to demonstrate that your organization has sufficient security protections in place can save you from a range of penalties and fines.
Customers Expect It: Most business to consumer (B2C) organizations have their customer information regulated as noted above. However, for business to business (B2B) organizations, your customers likely expect the data they provide you to be adequately protected. In fact, most enterprise contracts now require a minimum level of protection for confidential information provided. Understanding what customer commitments exist and how customer data is stored and protected is often a key part of assessing information security risk.
Protecting the Value of the Organization for Owners/Shareholders: Even if you’ve avoided any regulatory concerns and your customers aren’t worried about information security, most organizations still pursue an information security program to protect the value of the organization. Management is expected to protect sensitive internal information, such as intellectual property, transaction history, financial results, and competitive analysis. Failure to do so creates direct exposure that can reduce the value of the company. And then there are the litigation expenses due to a failure to protect or act, but that’s a topic we’ll cover another day.
Getting clear on the motivations for having an information security program helps provide an understanding of management’s risk tolerance and how to present the results of the program.
What are we going to protect?
There are two paths available when considering what needs to be protected. We call them general controls-based and risk-based.
General Controls-Based: This is the default for many organizations. It involves picking a reference framework, usually ISO 27001, NIST 800-53, or the Center for Internet Security (CIS) standard, and applying the security controls they recommend. Most of these controls can be applied to the entire organization, which is why they’re called general controls. And, by aligning to the controls in a standard, you can reasonably claim an adequate security posture.
With a general controls-based approach, management’s role is to review and approve deviations from the framework based on their risk appetite. In addition, management is responsible for ensuring selected controls are implemented effectively and tested regularly.
Risk-Based: The other approach is to understand the risk to your organization and to your information assets. Similar to the controls-based approach, there are multiple risk frameworks available, such as NIST 800-37 and another model available from the FAIR Institute. As described below, this approach requires more upfront work with assessing and defining risk, but it enables a more targeted, risk-based solution. This is key for organizations concerned about new and trending threats or their unique information structure and distribution, as they are not likely to have been included in the current frameworks.
To pursue a risk-based approach, we first need to identify what information is important to secure and what is not. This process is known as data classification, and most organizations use a classification scheme similar to the following:
- Public – no impact to disclosure
- Internal Use – minor impact to disclosure
- Confidential – significant impact to disclosure
- Regulated – has specific regulatory requirements
The objective is to understand the degree of data sensitivity associated with each application in your environment. You can collect this information by interviewing or surveying application owners in IT or the business. However, we recommend an interview-based approach, as it gives you the opportunity to ask questions and drill deeper – ensuring you get the correct information the first time.
The output of the classification process can be summarized using a table similar to the example below. Note: In addition to identifying regulated data, it’s critical to understand what regulations govern use of the data.
When there are multiple classifications for one system, the strictest classification should be used. As this summary is developed, it provides you a roadmap for prioritizing information security activities on the most critical information repositories. As new applications are added to the environment, this process can be repeated in a consistent and uniform manner.
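The classification rollup described above (strictest level wins, with the governing regulations carried alongside it) as an added example; this is illustrative code, not Avalution's own tooling, and the systems, owners and regulation labels in the inventory are constructed sample values:

```python
from dataclasses import dataclass

# Classification levels in increasing order of sensitivity, following the
# four-level scheme in the article. The strictest level present in a system
# becomes the system's classification.
LEVELS = ["Public", "Internal Use", "Confidential", "Regulated"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass
class DataElement:
    name: str
    classification: str
    regulations: tuple = ()  # governing regulations; only valid for Regulated data

@dataclass
class System:
    name: str
    owner: str
    elements: list

def rollup(system):
    """Return (strictest classification, sorted regulations) for one system."""
    if not system.elements:
        raise ValueError(f"{system.name}: no data elements classified")
    for e in system.elements:
        if e.classification not in RANK:
            raise ValueError(f"{system.name}/{e.name}: unknown level {e.classification!r}")
        if e.regulations and e.classification != "Regulated":
            raise ValueError(f"{system.name}/{e.name}: regulations require the Regulated level")
    strictest = max(system.elements, key=lambda e: RANK[e.classification]).classification
    regs = sorted({r for e in system.elements for r in e.regulations})
    return strictest, regs

def summarize(systems):
    """Build the summary table as rows, most sensitive systems first (the roadmap)."""
    rows = [{"system": s.name, "owner": s.owner, "classification": lvl, "regulations": regs}
            for s in systems for lvl, regs in [rollup(s)]]
    rows.sort(key=lambda r: -RANK[r["classification"]])  # stable, so ties keep input order
    return rows

# Constructed sample inventory (hypothetical systems and owners).
INVENTORY = [
    System("Intranet wiki", "Comms", [DataElement("news posts", "Public"),
                                      DataElement("org charts", "Internal Use")]),
    System("HR portal", "HR", [DataElement("health plan records", "Regulated", ("HIPAA",)),
                               DataElement("cardholder data", "Regulated", ("PCI DSS",))]),
    System("Deal tracker", "Sales", [DataElement("pipeline", "Confidential"),
                                     DataElement("price lists", "Internal Use")]),
]

if __name__ == "__main__":
    for r in summarize(INVENTORY):
        print(f"{r['system']:<14} {r['owner']:<6} {r['classification']:<13} {', '.join(r['regulations']) or '-'}")
```

Re-running `summarize` over the inventory as applications are added keeps the classification roadmap consistent, and the validation in `rollup` catches elements that claim a regulation without the Regulated level.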
How are we going to achieve our goal?
When everyone is clear on why we have a program and what we’re going to protect, we can then begin to focus on how to protect it. The toolkit to address this process is well defined, as the standards mentioned above – ISO 27001, NIST 800-53, and Center for Internet Security (CIS) standards – provide a comprehensive library of control objectives and controls. These controls generally fall into the following categories:
- Security Policies
- Physical Security
- Personnel Security
- System & Data Identification
- Incident Response
- System Security Plans
- System Development Life Cycle
- Configuration Management
- Training & Awareness
- System Documentation
- Disaster Recovery
The information security team should review controls from these groups based on the priorities identified above and the risk associated with the information. This effort may spawn additional projects to implement the supporting control procedures throughout the organization.
Who is Responsible and Accountable?
The first step in addressing the ‘who’ is to identify someone to own the information security program. This person can be internal or external, depending on your circumstances, but they are responsible for executing the program and reporting back to management. This person can hold a range of titles, including Chief Information Security Officer, Manager of Information Security, Director of Information Security, etc.
Once that person is established, they need mechanisms to coordinate with these key groups:
- Business Leaders;
- IT leadership;
- Internal Audit; and
- Compliance (if applicable).
The coordination mechanism is often via existing committees or groups, but if none exist, then an Information Security Steering Committee may be needed to provide oversight and governance from across the business.
When coordinating with the business, topics need to focus on the overall security posture of the organization, key risks, and driving alignment on risk tolerance across business groups.
When coordinating with IT, topics are more commonly focused on information security project prioritization, controls gaps, and technology control performance measures.
Finally, when talking about ‘who’ in information security, it’s important to keep in mind that every employee in the organization has a responsibility for information security. Formalizing these responsibilities provides the information security program manager the framework to establish organization-wide protections, such as an ‘Acceptable Use Policy for Technology’.
What will the results look like?
Information security programs use a combination of program metrics and performance metrics:
- Program Metrics focus on alignment to expectations – either alignment to regulations, control frameworks, or third-party standards. Often these are generated as the result of an audit or compliance review (internal or external).
- Performance Metrics focus on capabilities, and answer questions such as: How efficient and effective is access management? How many network attacks, and of what types, were detected and resolved? Is infrastructure hardened and managed to documented standards? Are we secure? Are we prepared to respond? These metrics are more difficult to develop and maintain, but they allow program effectiveness to be measured in the way that business leaders think.
Beyond metrics, Senior Management should be engaged regularly (typically monthly) to review the status of the information security program. Key topics include:
- Changes in external and internal areas that may impact the information security program.
- Feedback on the status of the information security program, including:
  - Program and performance metrics
  - Trends and status on corrective actions and risk treatment plans
  - Audit results
  - Feedback from interested parties
- Discussion of any risks above the organization’s risk threshold to develop a risk treatment plan.
This meeting should be documented, and the action items identified and reviewed for resolution at the beginning of the next meeting.
Formalizing an information security program is the KEY solution to address a range of common information security issues:
Lack of Management Interest, Understanding, or Commitment: Get management involved and focused on the value of the organization’s information assets and the threats to those assets early on. Gaining buy-in from management is critical for gaining the support you need to implement an effective information security program throughout the organization.
Lack of Focus: Information security professionals care deeply about doing the right thing, and it’s easy to get overwhelmed with all the gaps and controls that must be put in place. However, an information security program with strong governance aids in focusing the team on the most important risks and controls, first.
Lack of Consistency: Without a comprehensive information security program with executive management engagement, individual departments are left to determine their own level of information security risk tolerance. This leads to areas with strong information security awareness and controls existing alongside other business units with insufficient controls protecting similar assets, which provides a route through the organization’s perimeter defenses.