How Strong is Your Information Security Program?
Traditionally, documented security policies have been viewed as nothing more than a regulatory requirement. While this may have been true in the past, building a strong information security program (ISP) is a business imperative as you fight to keep the customers you have and work to attract new ones. Your information security policies can either work to help you grow your business or signal a red flag that security is not a top priority.
No matter how strong your security posture is now, if you don’t document it, it won’t last. You must assume that people instrumental in building your security environment will eventually move on. In that respect, training the replacement is a lot less painful and much more effective with a written guide. Without a policy manual, the new employee would eventually learn what to do but would you really want to risk a security incident while they are trying to figure it out?
It’s important to understand that there is no procedure, policy, or technology that will ever be 100% secure. It just doesn’t exist. You can, however, endeavor to get as close to perfect as possible.
Lack of a documented security policy is a huge red flag when determining liability in the event of an incident. You do not know when the next attack will happen and if someone is aggressively targeting you, they will cause pain. When it comes time to defend yourself, no matter the strength of your security environment, the lack of a documented information security program is a message that management has not taken data security seriously. This perception becomes increasingly dangerous when we’re talking about a court of law and an untold number of potential customers in the court of public opinion.
Whether you are currently without a policy or want to ascertain where yours fits along the continuum, here are key components that should be in a best practices ISP.
Information Security Best Practices: The Information Security Officer
The first thing that any security program must do is establish the presence of the Information Security Officer. Depending on the size of your security environment, this could be a full-time position or a current employee who has the availability to take on further duties.
Besides the time element, the organization must clearly define the expectations of the Information Security Officer and determine whether an individual is capable of filling the role. In a later post I will describe the attributes that establish “capability”, but the complete lack of someone in this role means that information security is not a priority in your organization.
Information Security Best Practices: End User Acceptable Use Guidelines
Your policy should contain specific language detailing what employees can do with “your” workstations. While we hope that all company property is used for company purposes, this just isn’t the case in real life. Instruct employees as to what is considered business use and explain the risks of downloading games or using tools like instant messaging.
Information Security Best Practices: Software Updates and Patches
What’s your stance when it comes to patch management? Do you require patches and upgrades to be implemented immediately? Are you sure you’re actually doing what your policy says?
Random checks to confirm you are following your own rules are the best way to monitor this activity.
If you’re scratching your head at my use of the phrase “patch management”, understand that if you don’t keep up to date on your system patches and upgrades, you leave yourself wide open to the most basic of attacks. If you never update, your vulnerabilities are exponentially increased. Your best practices Information Security Program should clearly document your patch management procedures and the frequency of updates.
Information Security Best Practices: Vendor Management
You’re only as strong as your weakest link, and when you work with third-party providers their information security downfall can become your issue. Make sure you document which vendors receive confidential information and how this information is treated when in the custody of the vendor. The lack of strict vendor guidelines could increase the risk of releasing your customers’ private information.