Elements of a Strong Information Security Program

Now more than ever, businesses are facing attacks on the digital front that threaten to steal their data and leak confidential information. Organizations today are coming to the frightening realization that they need to either invest in a proper security program or wait until the inevitable hack that puts them out of business. The first line of defense against these attacks should be a well-rounded information security management program (ISMP). An ISMP should be built according to industry best practices and consist of multiple layers of security to protect the business at every level. Below is an overview of what makes a good and effective security program.

 

Supported by Management

This item is first because it is absolutely the most important. A security program can't even get off the ground if it doesn't have the support and backing of upper management, all the way up to the CEO. Having a program that is driven by management is important for several reasons. First, there is no such thing as a good ISMP that can be built and managed on zero dollars. Good security costs money, in the form of hardware, personnel, time, certifications, and consulting. There is no way to obtain this necessary funding if upper management is not completely on board with the security program.

Also, you as the security administrator need to have the authority to implement and enforce the security program. It's highly unlikely that the entire organization will be happy about new security changes - business units will complain about extra paperwork, system administrators will be unhappy that they can no longer make changes on the fly, managers won't want to be responsible for security in their areas of the business, and so on. The business needs to know that you have the approval and authority granted by senior management to enact these changes in your environment, otherwise your efforts will be quickly shut down.

 

How do you get support from upper management, especially if your organization is not required to comply with regulations such as HIPAA, PCI or one of many others, and management is indifferent about cyber security and views it as an unnecessary expense?

Emphasize the risk that is posed to your organization by not having a strong security program:

  • Your organization could get hacked and end up being the conduit for other organizations to be hacked, as was the case in the Target breach.
  • If your organization’s data contains Personally Identifiable Information (PII), you will have to comply with State Breach Notification Laws that are now in place for 47 states.
  • Finally, if you get hacked or get a ransomware infection, you could lose all of your data or be faced with paying a Bitcoin ransom to recover your data. The price of a Bitcoin is over $4,000 and rising.
  • is or worse, be sold to a competitor; customers would lose trust; revenue from wary business partners would go down, and much more. Find cases where companies similar to yours have been compromised and what the financial results were. If your organization is subject to regulations like HIPAA, SOX, GLBA, or PCI, point out how a weak security program puts you in non-compliance with these requirements.

 

Aligned With an Established Framework

 

Now that you have management's blessing to make a stronger ISMP, how do you go about building it up? Fortunately, there are many frameworks and architectures to base your security program on. A couple of good choices are the ISO 27001 standard, which outlines the elements of a strong security program, and the NIST framework that government agencies follow. Hundreds of security experts have already gone through the effort of creating the basis of a good ISMP, so it's best to use these instead of reinventing the wheel.

 

Proper Security Equipment

Of course, policies and paperwork must be backed up by the hardware that actually makes up the security program. Here is where most of the funding for your ISMP will be directed, as security equipment is expensive to buy, implement and maintain. Here is a brief description of the security devices that should be present in your environment:

  • Firewall: Prevents unauthorized connections into or out of your network
  • Intrusion Detection/Prevention Systems (IDS/IPS): Monitor network traffic for unusual patterns to detect unauthorized activity or access. Host-based IDS/IPS can be installed on individual PCs or servers to monitor those devices specifically.
  • Antivirus/anti-malware: Continuously monitors PCs and servers for malware infections
  • VPN concentrator (optional): If you have remote workers, creates a secure connection from the remote device into your corporate network
  • Demilitarized zone (DMZ): Uses network devices to create an outside-facing area of your network that is separated from the internal corporate network
  • Load balancer (optional): Spreads network requests evenly across your resources (usually servers) to ensure that no single device becomes overloaded
  • Logging system: A centralized mechanism that receives logs from all of the above devices, analyzes them and reports on unusual activity
  • Physical security measures (optional): Cameras, security card readers, fencing, lighting, guards, etc., if you have assets on-site that must be protected

Keep in mind that most of this equipment will have ongoing licensing fees in addition to the upfront cost. If you don't want to take on the expense of buying all this equipment outright, you can hire a security consulting firm - some of them will provide this equipment as part of their monthly/yearly pricing.

 

Security Awareness Training

Almost every security expert in the industry will agree that the weakest part of an organization's security is their employees. Attackers have taken to using social engineering, phishing, tailgating, and other methods which exploit a person's trust, gullibility, or poor judgment. These attacks are becoming increasingly common because they are easier and more successful than traditional hacking - after all, why spend hours trying to crack someone's password when you can call them, pretend to be the IT department, and have them give it to you directly? Or, an attacker can send a spoofed email that appears to come from the upper management of the company, requesting copies of every employee's W2 and social security number.

For this reason, it's very important to provide security awareness training to your employees so that they can recognize security risks and take the proper steps to avoid them. This training can be in the form of a software-based learning system, quarterly presentations from the security team during lunchtime, or one-on-one conversations so employees understand their role and responsibility in the security program. Whatever you decide to do, don't assume that your users understand security or know how to spot a threat when it appears. It is your responsibility as the administrator to implement and direct the organization's security training.

 

Ongoing Effort

A security program is not a set-and-forget part of the business. Hackers are constantly changing their methods, and new threats to your organization emerge every day. Yours must be a living ISMP that is continually updated and maintained according to trends and best practices in the industry. Keep yourself informed by subscribing to newsletters and bulletins from reliable sources, spending time reading discussions on security-related web forums, attending conferences and networking with other security professionals.

It seems that every day brings some new data breach or security compromise which results in a company losing their data, revenue, and reputation. Don't let that be you. Realize the need for strong security and, using the steps described in this guide, build a robust and effective information security management program to protect yourself and your business.