First we need to understand -- What is a Security Program?
A security program is a set of actions and documents which outline what and how the organization is securing sensitive information. The end goal of a security program is to establish clear and concise metrics and goals which will allow your organization to adapt to new threats and identify weaknesses, in the ever-changing environments.
MY RECOMMENDED APPROACH The first step of a security program is to define the program itself in what is called a security plan. The security plan is simply the identification of what is going to be secured, responsibilities, and direction. We’re going to be speaking with stakeholders (leadership, data owners, users, etc.) to identify what sensitive information exists and where.
When speaking of responsibilities, we’re not speaking of who is responsible for securing what data but, rather **who is responsible to establish, test, and maintain the program. ** There needs to be leadership buy-in for the security program to be successful as the inevitable change that will occur is rarely comfortable.
**The ship is doomed to failure is there is not an end goal in mind. **“Total security by December” is not an end goal. Direction is more the ‘how’ than the ‘what’. How is your plan going to be tested, implemented, designed? What are you going to compare your security against? What are the goals of implementing the security program? These are questions that should be answered by the security plan.
Next, we have the documentation that defines how we take the security plan from a concept to action. This step includes items such as: policies, which define what should be done; procedures, which define how what should be done is done; and checklists, which ensure that what should be done is done correctly. This will honestly take the most time as it will require a change in corporate, user, and system behavior.
However, a penetration test by itself isn’t giving you the whole story as we saw above. What should be implemented before a penetration test, and quite frankly before the entire process is started, is the 'Security Assessment.'
This process will provide feedback on:
� How effective your training program is,
� What holes you have in your administration processes,
� How enacted policies may not cover potential use cases
� and, many more areas for improvement.
Taken together with a comprehensive suite of assessments, a penetration test will provide a complementary data set informing you of how well you are securing your organization’s data.
Finally, we establish 'Metrics' to test that what we have in place is effective in its effort to secure the environment. This is where a penetration test comes into play.
Whether you’re looking to build a cybersecurity program from the ground up, or simply looking to strengthen your existing processes, you would be better off, if you follow these steps:
**1. Build information security teams **
Creating a security program plan isn’t a one person job. It takes an entire team of people working together. In this case you’ll need two teams:
• The executive team – The senior-level execs in the business responsible for setting the mission, objectives, and goals for the program. They are tasked with building the policy and pushing it throughout the organization.
**• The security team **– The IT professionals responsible for managing daily IT security operations, threat and vulnerability assessment, and IT controls.
2. Develop The Security Plan (explained above).
3. Take inventory of your information assets
Your teams will conduct a total inventory of hardware, applications, databases, networks and systems. After that is done, every IT asset must be given an owner and custodian who’s responsible for the asset and its data.
4. Determine your regulatory compliance and standards
Your organization may be legally required to follow one or more cybersecurity compliance practices. This could be anything from HIPAA, HITECH, or PCI. Once the executive team has determined which regulatory standards you have to follow, you can get to work.
5. Identify threats, vulnerabilities, and RISKS
What are the threats to your information assets? It’s vital that every significant threat is identified, categorized, and ranked by priority. Similarly, vulnerabilities—flaws in the system—also must be listed and ranked. Finally, risks that could jeopardize the organization’s ability to operate because of threats and vulnerabilities have to be considered.
The goal of this stage is to either minimize or eliminate a risk, starting with those that pose the gravest danger to your organization and are the most likely to occur. Regardless of likelihood or threat, some risks may be harder to address than others.
7. Build an incident management and disaster recovery plan
Incidents could encompass a wide range of circumstances that cause the loss, interruption, or deletion of assets or data. A smart incident plan details every possibility. It then outlines the steps needed to minimize the damages and get your operations back up and running in as little time as possible.
As discussed above, there are hundreds of security controls that you can put in place in order to reduce or eliminate the various risks you face. This touches a wide range of topics, including access controls, hardware and software safeguards, security policies, operational procedures, and personnel training.
Once you’ve built your information security program plan, you’ll have to enforce it. The safeguards don’t mean a thing if the employees aren’t following your best practices. All it takes is one weak link to threaten your entire organization, so this step can’t be taken lightly.
10. Periodically conduct audits
The only way to know the efficacy of your plan is to test it frequently. Internal audits or external audits are among the best ways that you can ensure that the policies and procedures in place are working, comply with regulations, and are being updated regularly.
Cybersecurity is not a once-a-year project; it’s a daily process. As the technology landscape continues to evolve, making sure your organization is protected against the latest threats is important.
To learn more about all the options available to you for meeting your organization’s data protection and network security requirements (including security posture and risk assessments, and awareness training and employee education programs) .... plus comparisons of 100s of best-in-class network security / cybersecurity providers and what they have to offer ... simply ask us at Network Security. It's as easy as 1, 2, 3.
Labels: CIO, CISO, Cybersecurity, Cybersecurity Program, data security, Network Security