Building an Information Security Program

By: Frank DePrisco
Which comes first, the chicken or the egg?  

If the chicken is security and the egg is compliance, which comes first? Both are needed to build an information security program, and if you answer the next two questions you will probably arrive at two right answers. What do I need to keep my organizational assets safe? Security, the chicken. Do I need a framework to know that my organization's assets are safe? Yes, compliance, the egg.  

Can you have security in place without compliance? Of course, you can. But how will you measure your security posture and maturity without following a compliance framework?  

Ok, enough with the chicken and the egg question, as I could go on forever. With so many small to medium businesses outsourcing their IT operations and services to the partner MSP community, it is important to establish mature cybersecurity and compliance practices that address the particular risks, threats, and attacks that come with the MSP shared services model: one provider's credentials, tooling, and remote access paths reach into many customers at once. As global regulations grow in scope and complexity, and the volume of security threats keeps rising, organizations find themselves deciding where to invest, security or compliance. The answer is to build an Information Security Program that balances the need for more robust security with a compliance structure based on the guidelines, regulations, and legislation to which your organization must adhere.  

The approach  

You can develop and implement an Information Security Program using these key steps.  

  • Identify the Compliance Framework that will be the basis of the security program.  
  • Establish a Security Management Structure.  
  • Perform a risk assessment and review the assessment findings within the context of the selected Compliance Framework.  
  • Identify risk levels and establish a priority for developing policies, procedures, and controls around these risks.  
  • Implement an active training and education program.  

It is critical to note these are not just one-time actions. These are iterative steps used to mature the security posture and program over time.  

Identify the compliance framework  

Choosing a compliance framework has a couple of advantages. First, the framework represents the collective guidance of other organizations that have implemented security programs using the chosen framework. Many security and compliance frameworks are designed with the flexibility to be easily tailored to meet your organization’s requirements. Second, by adopting a framework, you bring a common vocabulary and understanding of security and compliance to your organization, leading to greater collaboration and communication across business operations.  

Several common frameworks are available for you to build your Information Security Program:  

  • IT Nation Secure MSP+ Cybersecurity Framework – designed for MSPs and defines what good cybersecurity looks like.  
  • NIST SP 800 series – several publications, chosen according to whether you are a federal or non-federal organization (for example, SP 800-53 for federal information systems and SP 800-171 for non-federal organizations handling controlled unclassified information).  
  • ISO/IEC 27001 – widely known, providing requirements for an information security management system.  
  • COBIT – COBIT® 2019 is the most recent evolution of ISACA’s globally recognized and utilized COBIT framework.  

These frameworks provide guidance on the core elements of a security program: Governance, Policies, Risk Management, Training and Awareness, Security Controls, and Continuous Monitoring.  

Establish a security management structure/committee  

Establishing an Information Security Committee is a critical step and needs leadership buy-in from throughout your organization. The person who ultimately is responsible for the security budget should lead the Committee and have support from all areas of the organization, especially Human Resources and Legal. Their early involvement ensures cooperation in the establishment of policies and procedures which affect the entire organization.  

The Committee generally provides guidance on the activities which appear below. This list is not intended to be inclusive, nor exhaustive, but captures the general scope of activities to be performed:  

  • Governance: The Committee serves as the governing body for the creation, revision, education, awareness, and enforcement of all policies, standards, and procedures, whether internal or contractual.  
  • Risk: The Committee is accountable for ensuring the organization's risk posture is assessed and maintained at an appropriate level, so that employees, intellectual property, and customer property are protected and regulatory requirements are met.  
  • Communication: The Committee is accountable for conveying incidents and status to the Chief Executive Officer, Board of Directors, and as appropriate, to employees, customers, media, and regulators.  
  • Decision: Through appropriate governance, assessment, and communication, the Committee will act as a decision-making body on all items pertaining to the Security and Compliance posture and will engage the Chief Executive Officer and others as needed to enable appropriate decisions.  

Perform a risk assessment and identify risk levels  

Assessing your organization's risk is an important first step in developing an Information Security Program. Without an understanding of your risk, you will not be able to determine the policies, procedures, guidelines, and standards needed to ensure adequate controls are in place. The risk assessment has three major components: Asset Identification (what you need to protect and how much it matters), Threat Assessment (who or what could harm it and how likely that is), and Vulnerability Assessment (the weaknesses a threat could exploit). A risk is the combination of the three: a threat with a realistic chance of exploiting a vulnerability in an asset that matters.  

After completing the threat and vulnerability assessments and identifying your at-risk assets, you must balance and prioritize remediation based on the determined risk and the cost to remediate. This does not always distill down to an obvious choice, so prioritizing these risks typically relies heavily on your experience and professional judgment. Knowing where your most significant risks reside, and which of them need short-term attention, gives you the backbone of your security roadmap. With prioritized risks on your roadmap, you can now address the remaining program elements: Risk Management, Security Controls, Policies, and Monitoring.  
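The prioritization step above can be made repeatable rather than purely a matter of judgment. The following is an added illustration, not code from the article or from any of the frameworks it lists: it scores each asset, threat, and vulnerability combination from qualitative likelihood and impact ratings, assigns a risk level, and orders remediation by level first and then by risk reduced per unit of cost, so that among comparable risks the cheaper fix comes first. The rating scales, the level thresholds, the cost unit, and the sample register are all constructed assumptions and should be replaced with the scales your chosen framework prescribes.

```python
from dataclasses import dataclass

# Assumed qualitative scales (1 = lowest, 5 = highest); adjust to your framework.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed level thresholds on the likelihood x impact product (maximum 25).
LEVEL_THRESHOLDS = (("critical", 15), ("high", 8), ("medium", 4), ("low", 0))
LEVEL_ORDER = {name: i for i, (name, _) in enumerate(LEVEL_THRESHOLDS)}


def risk_level(score: int) -> str:
    """Map a numeric score to a qualitative level using the thresholds above."""
    for name, floor in LEVEL_THRESHOLDS:
        if score >= floor:
            return name
    return "low"


@dataclass(frozen=True)
class RiskItem:
    asset: str          # output of asset identification
    threat: str         # output of threat assessment
    vulnerability: str  # output of vulnerability assessment
    likelihood: str     # chance the threat exploits the vulnerability
    impact: str         # consequence to the organization if it does
    cost: int           # estimated remediation effort (assumed unit: person-days)

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown rating on {self.asset}")
        if self.cost <= 0:
            raise ValueError(f"cost must be positive on {self.asset}")

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def level(self) -> str:
        return risk_level(self.score)


def prioritize(register):
    """Order items by risk level first, then by risk reduced per unit of cost,
    so among comparable risks the cheaper fix comes first."""
    return sorted(register, key=lambda r: (LEVEL_ORDER[r.level], -r.score / r.cost, r.asset))


def build_roadmap(register, short_term_budget: int):
    """Split the prioritized register into short-term work, a backlog, and
    risks accepted as-is.  Critical and high items consume the short-term
    budget in priority order; low items are accepted rather than remediated
    (record that decision, since accepting a risk is still a decision)."""
    plan = {"short_term": [], "backlog": [], "accepted": []}
    remaining = short_term_budget
    for item in prioritize(register):
        if item.level == "low":
            plan["accepted"].append(item)
        elif item.level in ("critical", "high") and item.cost <= remaining:
            plan["short_term"].append(item)
            remaining -= item.cost
        else:
            plan["backlog"].append(item)
    return plan


# Constructed sample register for an MSP-style environment (not real findings).
SAMPLE_REGISTER = [
    RiskItem("customer file server", "ransomware", "unpatched SMB service", "likely", "severe", cost=16),
    RiskItem("RMM console", "credential theft", "no MFA on admin accounts", "likely", "severe", cost=8),
    RiskItem("marketing website", "defacement", "outdated CMS plugin", "possible", "minor", cost=4),
    RiskItem("backup NAS", "hardware failure", "no offsite copy", "possible", "major", cost=40),
    RiskItem("break room kiosk", "malware", "local admin for all users", "unlikely", "negligible", cost=2),
]

if __name__ == "__main__":
    for bucket, items in build_roadmap(SAMPLE_REGISTER, short_term_budget=30).items():
        print(bucket)
        for r in items:
            print(f"  [{r.level:8}] {r.score:2} {r.asset}: {r.vulnerability} ({r.cost}d)")
```

With the sample register and a short-term budget of 30 person-days, the two critical items (the RMM console first, because it removes the same risk for half the cost) fill the short-term plan, the expensive high-risk backup gap and the medium website finding go to the backlog, and the kiosk is recorded as accepted risk. The judgment the article describes still matters: it goes into the ratings and thresholds, where it is written down and can be reviewed at the next iteration, rather than into an unrecorded ranking.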

Implement an active training and security awareness program  

Having established your policies, procedures, guidelines, and standards, based on your risk assessment and compliance framework, you must circulate them across the organization through education and training. An Awareness and Training program is critical to their implementation and crucial to the Information Security Program's success. Security Awareness needs to be visible to employees on a regular basis. If all your hard work sits on a shelf collecting dust, or slowly goes stale as a digital file, you have spent a lot of time and effort only to stop short of the goal line. Annual Security Awareness training is necessary to keep everyone up to date on the latest security information, and it is equally important to provide brief email updates, newsletters, posters, and other reminders throughout the year.  

Summary and conclusion  

Creating an Information Security Program supports an incremental approach towards maturing your organization’s security and compliance.  

Choosing a compliance framework introduces a common security vocabulary and improves communication around security issues. Within the context of your framework, performing a risk assessment identifies the areas with the highest risk, thus prioritizing the policies, procedures, and security controls to implement. Continuous auditing and monitoring of the work and effort put into the program is the real test of whether the program is accomplishing its goal and securing your organization. Awareness and training are the cornerstones for building a culture of security and compliance throughout your organization.  

An iterative approach to building an Information Security Program lets your organization set the pace at which the program grows and matures. The availability of your resources and personnel, along with the risk you have knowingly accepted, determines how fast the program evolves. Whether you think the chicken or the egg came first, your organization's security posture will keep getting stronger as you implement and develop your Information Security Program.  

You do not really need to answer the question of which came first, the chicken or the egg, to secure your organization. However, you do need your security and compliance programs to be proactive and work together to build an Information Security Program and avoid security failures within your organization. Competing priorities and lack of resources often prevent us from establishing an Information Security Program. If you need help in developing, implementing, or maturing your program, make sure you download the MSP+ Cybersecurity Framework and the Fundamentals (Yellow), Advanced (Green), and Masters (Blue) books to guide you on your journey.