Information Security Basics

How Strong is Your Information Security Program?

Traditionally, documented security policies have been viewed as nothing more than a dictatorial requirement. While this may have been true in the past, building a strong information security program (ISP) is a business imperative as you fight to keep the customers you have and work to attract new ones. Your information security policies can either work to help you grow your business or signal a red flag that security is not a top priority.

No matter how strong your security posture is now, if you don’t document it, it won’t last. You must assume that the people instrumental in building your security environment will eventually move on. In that respect, training the replacement is a lot less painful and much more effective with a written guide. Without a policy manual, the new employee would eventually learn what to do, but would you really want to risk a security incident while they are trying to figure it out?

It’s vital to know that there is no procedure, policy, or technology that will ever be 100% reliable. It just doesn’t exist. You can, though, endeavor to get as close to perfect as possible.

Lack of a documented security policy is a huge red flag when determining liability in the event of an incident. You do not know when the next attack will happen, and if someone is aggressively targeting you, they will cause pain. When it comes time to defend yourself, no matter the strength of your security environment, the lack of a documented information security program is a message that management has not taken data security seriously. This perception becomes increasingly perilous when we’re talking about a court of law and an untold number of potential customers in the court of public opinion.

Whether you are currently without a policy or want to ascertain where yours fits along the continuum, here are key components that should be in a best practices ISP.

Information Security Best Practices: The Information Security Officer

The first thing that any security program must do is establish the presence of the Information Security Officer. Depending on the size of your security environment, this could be a full-time position or a current employee who has the availability to take on further duties.

Besides the time element, the organization must clearly define the expectations of the Information Security Officer and determine if an individual is capable of filling the role. In a later post I will describe the attributes that determine “capability”, but the complete lack of someone in this role means that information security is not a priority in your organization.

Information Security Best Practices: End User Acceptable Use Guidelines

Your policy should contain specific language detailing what employees can do with “your” workstations. While we hope that all company property is used for company purposes, this just isn’t the case in real life. Instruct employees as to what is considered business use and clarify the risks of downloading games or using tools like instant messaging.

Information Security Best Practices: Software Updates and Patches

What’s your stance when it comes to patch management? Do you require patches and upgrades to be implemented immediately? Are you sure you’re really doing what your policy says?

Random checks to confirm you are following your own rules are the best way to monitor the activity.

If you’re scratching your head at my use of the phrase “patch management”, know that if you don’t keep up to date on your system patches and upgrades, you leave yourself wide open to the most basic of hacks. If you never update, your vulnerabilities multiply. Your best practices Information Security Program should clearly document your patch management procedures and the frequency of the updates.
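One way to perform the random checks suggested above, as an added example that is not part of the original post: a small audit that reads a host inventory export and flags every host whose last patch run is older than the policy window or that still has patches pending. The inventory format, the 30-day window and the hostnames are all constructed assumptions for the illustration; substitute whatever your own ISP specifies.

```python
from datetime import date

# Hypothetical policy value: the maximum number of days a host may go
# without a successful patch run before it is out of compliance.
MAX_PATCH_AGE_DAYS = 30

# Constructed inventory export (made-up sample data, not from any real
# environment): hostname, date of last successful patch run, pending count.
SAMPLE_INVENTORY = """\
hostname,last_patched,pending
web-01,2024-05-20,0
web-02,2024-03-02,7
db-01,2024-05-28,1
jump-01,not-recorded,0
"""


def parse_inventory(text):
    """Turn the CSV export into a list of dicts.

    Dates become date objects; an unparsable date becomes None so that
    the host is reported as a finding rather than silently skipped.
    """
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    for ln in lines[1:]:
        fields = dict(zip(header, ln.split(",")))
        try:
            fields["last_patched"] = date.fromisoformat(fields["last_patched"])
        except ValueError:
            fields["last_patched"] = None
        fields["pending"] = int(fields["pending"])
        rows.append(fields)
    return rows


def audit_patch_compliance(rows, as_of, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return {hostname: [reasons]} for every host that violates the policy.

    A host is non-compliant if its last patch date is missing, if that date
    is older than max_age_days relative to as_of, or if patches are pending
    (the policy in the text expects patches to be applied immediately).
    """
    findings = {}
    for r in rows:
        reasons = []
        if r["last_patched"] is None:
            reasons.append("no patch date recorded")
        else:
            age = (as_of - r["last_patched"]).days
            if age > max_age_days:
                reasons.append(f"last patched {age} days ago")
        if r["pending"] > 0:
            reasons.append(f"{r['pending']} patch(es) pending")
        if reasons:
            findings[r["hostname"]] = reasons
    return findings


def run_sample(as_of=date(2024, 6, 1)):
    """Audit the constructed sample as of a fixed date so results are stable."""
    return audit_patch_compliance(parse_inventory(SAMPLE_INVENTORY), as_of)


if __name__ == "__main__":
    for host, reasons in sorted(run_sample().items()):
        print(f"{host}: {'; '.join(reasons)}")
```

Run it against a real export on a random day and compare the findings with what the policy promises; a host that shows up here is exactly the gap between the written procedure and what is actually happening.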

Information Security Best Practices: Vendor Management

You’re only as strong as your weakest link, and when you work with third-party providers their information security shortcomings can become your issue. Make sure you document which vendors receive confidential information and how this information is handled while in the custody of the vendor. The lack of strict vendor guidelines could increase the risk of releasing your customers’ private information.

Information Security Best Practices: Physical Security

Documents don’t walk out of the office on their own. Having strict rules about who can physically access your offices and how they gain entry can decrease the likelihood that an unauthorized individual is present to steal information. The next step is to ensure that your policy documents how physical information is stored and destroyed.

Information Security Best Practices: Data Classification and Retention

Lessen your liability by classifying exactly what type of data you need and how long you need it. A breach is bad enough; what’s worse is if data is stolen that you didn’t need to keep or shouldn’t have had in the first place. In the case of TJX (“PCI DSS auditors see lessons in TJX data breach”, TechTarget, March 1, 2007), many of the credit card numbers affected had no business purpose in being kept.

Information Security Best Practices: Password Requirements and Guidelines

Your employees dread having another password to remember. The more complicated the requirements you impose to ensure security, the more likely they are to write passwords down and expose them to others. Establish a strong password policy, but stay within reason for your employees. Sometimes a little additional training as to why the policy is the way it is can be all you need to gain acceptance.

Information Security Best Practices: Wireless Networking

There is no doubt that the implementation of wireless networks has saved many organizations both time and money in comparison with traditional cabling. As you choose what type of network connectivity to adopt, know that with the increased flexibility allowed by wireless, a stronger encryption standard is required to ensure there is no abuse.

Information Security Best Practices: Employee Awareness Training

How well equipped are your employees to identify or prevent a security incident? Each and every one of your employees can act as a member of your own security army with some simple training. The first step in recruiting them for the cause is to set the expectations appropriately and communicate those expectations in your policy.

Information Security Best Practices: Incident Response

Hands down, the worst time to build an incident response program is when you are actually having an incident. You can’t undo what has happened, and you’re in crisis mode dealing with the after-effects of the breach.

Not the time to be putting policy to paper.

Your reputation is severely at risk, and if you respond inadequately you risk making it worse with law enforcement as well as your customers. Act as if a breach is inevitable and take the time to refine the language and procedures you will use in the event of an incident, so that you’re ready when the time comes.

Information Security Best Practices: Annual Updates and Reporting

Don’t let all your hard work go to waste. The worst thing to do after investing time and resources into your information security program is to allow it to sit on the shelf and become obsolete. Threats and risks change daily, and it is imperative that your policies stay up to date. Requiring an annual review, with results reported to the Board of Directors and senior management, will help to ensure that your program remains current and can handle any future incidents.
