The best approach to developing an information security program is to use a

Regardless of the size of your business or the industry you’re in, an information security program is a critical component of any organization.


A good information security program consists of a comprehensive set of information security policies and procedures, which is the cornerstone to any security initiative in your organization. Whether you’re responsible for protected health information (PHI), personally identifiable information (PII), or any other proprietary information, having a fully developed program provides you with a holistic approach for how to safeguard and protect the information for which you are responsible.

What is an Information Security Program?

An information security program is the practices your organization implements to protect critical business processes, data, and IT assets. It identifies the people, processes, and technology that could impact the security, confidentiality, and integrity of your assets.

Building an information security program means designing and implementing security practices to protect critical business processes and IT assets. The security practices that make up the program are meant to mature over time. The process of building a thorough program also helps to define policies and procedures for assessing risk, monitoring threats, and mitigating attacks.

What Does a Strong Information Security Program Look Like?

A good information security program clearly defines how your organization will keep your company’s data secure, how you will assess risk, and how your company will address these risks. Designating an information security officer can be helpful in this endeavor to help organize and execute your information security program.

A great place to start when developing an information security program is to identify the people, processes, and technologies that interact with, or could have an impact on the security, confidentiality, or integrity of your critical assets.

Why Are Information Security Policies Important to an Organization?

As mentioned before, an information security program helps organizations develop a holistic approach to securing their infrastructure, especially if regulations mandate how you must protect sensitive data. Information security rests on three pillars: Confidentiality, Integrity, and Availability (CIA).

Failure to protect these pillars can lead to loss of business, regulatory fines, and damage to reputation. Applying appropriate administrative, technical, and physical safeguards through an information security program can help you protect the confidentiality, integrity, and availability of your organization’s critical assets.

Let’s take a look at how to protect the pillars of information security: confidentiality, integrity, and availability of proprietary data.

Confidentiality

Maintaining confidentiality is important to ensure that sensitive information doesn’t end up in the hands of the wrong people. In order to do this, access must be restricted to only authorized individuals. Some methods that could be used to protect confidentiality include encryption, two-factor authentication, unique user IDs, strong passwords, etc.

Integrity

Maintaining the integrity of sensitive data means maintaining the accuracy and authenticity of that data. Sensitive data must be protected from accidental or intentional changes that could corrupt it. File permissions and access controls are just a couple of measures that can be implemented to help protect integrity.

Availability

Maintaining availability means that your services, information, or other critical assets are available to your customers when needed.

This doesn’t just apply to lost or destroyed data, but also when access is delayed. Developing a disaster recovery plan and performing regular backups are some ways to help maintain availability of critical assets.

By focusing on the protection of these three pillars of information security, your information security program can better ready your organization to face outside threats. For more information on how to develop your information security program, or for help developing your policies and procedures, contact us today.

The common question from Information Security professionals when implementing new programs is usually: How long will this take?

The main reason for this is that the process of building an InfoSec program is a dark art, made confusing by the myriad of security frameworks, differing customer demands, and the lack of InfoSec talent to help you figure it all out. In this blog we’ll provide guidance on the three stages of building your InfoSec program in more understandable terms, so you can get started on becoming more secure.

Phase 1: Define your InfoSec plan

While many organizations skip this step, this is the best place to start to save time and money in the long run, not to mention to be prepared in advance when you have to go through a customer security due diligence process. I like to think of this phase as having three main steps.

Step 1: What is your goal? Are you looking to get a specific certification such as SOC 2, ISO 27001, HIPAA, etc.? Or are you simply looking to get secure based on a respected industry framework such as NIST CSF or GDPR? This is the best way to define what policies and controls you need to have.

Step 2: Conduct a risk assessment. Once you have defined your goal, sit down and think about what risks your product or service presents to your clients. What is the impact if your service is compromised and client data is lost or stolen? What is the likelihood that this may occur based on your architecture and where the client’s data travels and is stored? If you can have a clear response on these questions, you will greatly improve the trust from your prospects and customers.

Step 3: Document your InfoSec policies and controls. Your InfoSec program consists of two main components – policies and controls. Policies are more high-level guidelines approved by management that are “containers” for your specific security controls. Controls are the more “actionable” tasks that you can implement and prove are implemented by providing evidence. For example, a policy would be “Organization members use strong passwords” with all the requirements around password characteristics and protection standards, and a control within this policy would be “A password management system is implemented for all organization users”.

Expected Time Spent: This is dependent on whether you write these controls yourself or not. Working with an automated system that offers prebuilt policies and controls mapped to industry security frameworks will reduce this time and effort drastically.

Phase 2: Implement Information Security controls

Once you have your game plan figured out, the next phase is where your team actually implements the plan. As said above, the actionable part of your InfoSec plan is all in the controls. Most security frameworks have between 20 and 150 specific security controls. In this phase, you will want to assign these controls much like any other development or IT task and track it to ensure it is implemented. This is the most time-consuming part of the project, because you actually have to do the work—no sugar-coating things here. If you have been practicing good security hygiene, then you may be off to a head start, but odds are there are missing controls.

To make this phase faster, your team could use an automated project management system to assign, track and remind control owners to implement these controls, as they can be numerous and difficult to manage.

Expected Time Spent: This varies depending on the size of organization and security maturity level, but this is always the longest part of the process. On average, it takes InfoSec programs 3-6 months to implement all security controls for a framework such as SOC 2 or ISO 27001.

Phase 3: Prove compliance

Now you’re in the home stretch. The final phase is the exam. You’ve done all your work, and now it’s time to prove you’re secure. Proving compliance can take many forms, from responding to security questionnaires to having independent auditors attest to your InfoSec plan. The most common method is a third-party audit for a framework such as SOC 2, ISO 27001, or others.

When the auditor comes in, they’ll give you a list of “evidence requests,” or “procedures”. These are requests to provide proof that the security controls have been implemented. Evidence can include:

  • Documentation of a specific policy
  • Screenshots of configuration screens
  • Checklists of decommissioned servers
  • Sample set of event logs

If you’ve done a good job implementing your controls in Phase 2, the evidence gathering phase will be much easier. Once complete, the auditor will review your evidence and provide their opinion along with a certificate of attestation that you can share with your clients.

Expected Time Spent: Most of the time spent in this phase is in collecting evidence for controls that may not have been implemented yet, or going back and forth with the auditor on requests for more information. You can accelerate this process by using an automated audit project management system that allows you to assign and track tasks with your team, as well as collaborate with your team and auditor on any questions that come up. With a certification automation system, this phase can be completed in two months or less.

Final thoughts on building an InfoSec program

For many, the thought of building a security program or getting certified can cause anxiety. But it doesn’t have to be that way. Half the battle is having a clear plan of why you’re doing it. Once that’s clear, it’s a matter of organization and execution. OneTrust Certification Automation’s mission is to demystify this process by giving you prebuilt plan creation tools, and then automate and accelerate the process with technology. While no solid InfoSec program is built in a day, if you follow the phases above, it’s possible to have a certified InfoSec program in less than six months, which will go a long way to establishing trust with your prospects and customers.

Learn more about building out an InfoSec program and gaining compliance with a well-known framework by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.

What is the first step in developing a security program?

The first step in creating a security program is understanding what you have, what you need and what you need to protect.

What is the most important component of your information security program?

Visibility, mitigation, prioritization, and encryption — these are the most important elements to security right now.

What makes up an information security program?

An information security program consists of activities, projects, and initiatives supporting an organization's information technology framework. These initiatives help organizations accomplish all related business objectives and meet corresponding benchmarks.

Which of the following is most important to the successful implementation of an information security program?

Explanation: Sufficient senior management support is the most important factor for the success of an information security program.