IT Security for Growth: De-mystifying Policy, Security & Business Viability
Guest Post by Dave Chronister - CISSP, CISM, CISA | MoCannTrade Platinum Member | Parameter Security
Changing the Focus
Information security is not just about complying to laws and regulations or choosing the right server, data center or encryption method. Let’s not think about it as “cyber security” or an “add-on.” Instead of seeing it as a series of hoops to jump through, think about the security of your business as essential to your success as the quality of your product. Since you would not leave the quality of your project up to chance, don’t then leave the security of your whole business up to chance either.
You could, instead, focus on designing a Security Program. A Security Program is unique to your business, designed to comply with laws and regulations, set long term goals and give clear direction toward maintaining the day-to-day running of your business.
A Security Program is proactive, not reactive.
Essentially, it helps your business survive and thrive.
Your Security Program doesn’t just help you adhere to regulations, it should also make your business run more smoothly and efficiently.
What is a Security Program?
In essence, a Security Program is a plan on how to run your business in order to make it more viable.
Your Security Program is a holistic approach that determines how your business runs and includes goals to protect life and ensure the viability of your business. It is a series of policies, standards and procedures which help your business run smoothly and reduce risk. A security program is not an app., where you store your data or who has access. It does not begin and end with Tech.
Now it is important to note that you will never be 100% secure and you cannot ever eliminate risk. There will always be risk. Instead, you need to determine what is an acceptable risk for your organization. Factors such as regulations, laws and internal business goals and requirements will help you determine your organization’s acceptable risk.
How is a Security Program created?
A Security Program consists of Policies, Standards and Procedures. Simply put, it is a set of policies that document and dictate how your business runs. It covers business rules, technology, tools, and processes. A Security Program has three basic tiers.
Top Level Policies
This is management’s requirements on how to run your business. These are short, don’t change over time, they are measurable and responsibility and recriminations for violations are clearly defined (up to/include termination). Example of an encryption policy: “In order to provide adequate security our organization will employ strong encryption methods.”
Standards
Standards define the technology and tools which implement the top level policies. They are designed to meet the requirements and evolve as technology changes. Example of a standard: “Our company uses AES cipher to protect our sensitive client data.”
Procedures
These are step-by-step instructions on how to implement a standard. For example, you may have a procedure to encrypt data using the AES encryption cipher. Good procedures are simple, and intuitive so that your employees can be consistent in their application.
Tips to write more useful Policies:
- Use concise, clear language. Avoid legalese, biblical “thou shalt..”
- Have your subject expert write them (IT policies should be written by your IT expert, etc.)
- They should be reviewed and updated as needed. (Minimum: annual review.)
- Centrally stored. (Ideally in a GRC portal.)
Incidents Happen
What is an incident? Anything that compromises the integrity, confidentiality and availability of your business Security Program. You may have heard of a data breach. That is a particular type of incident which compromises the confidentiality of your data.
Incidents will happen, whether malicious or accidental. All anyone can do is proactively plan for incidents so that, in the event that they occur, you know what to do and there is less impact on your business.
Here are a few areas of consideration when creating your incident response policy.
- investigating the Incident- Who is going to investigate and collect court-grade evidence? Do you have audit logs to provide visibility during the investigation? Do you know where your data is so that you can determine what has been compromised?
- Legal - Do you have an attorney who understands the current data laws and regulations and who can also provide guidance on disclosure of an incident? (Data Privacy Attorney)
- Communication - How are you going to convey appropriate and approved communications during and after an incident? Who is your spokesperson? How are you going to control and convey messaging during a crisis? If a breach has been found, how will you provide customer notification in the legally-required timeframe? (Notification laws are not uniform across the U.S.)
- Financial - Do you have contracted rates for third-party vendors who will support you during and after an incident? Do you have cyber-liability insurance?
Security Programs can seem daunting. My experience in the industry has proven that a business should not wait until a Security Program is perfect, rather start and continue to revise and re-evaluate. A healthy Security Program will define and support your business requirements and strategy, ultimately helping you run a more successful business.
Dave Chronister - CISSP, CISM, CISA is founder and CEO of Parameter Security. Parameter helps those in the medical marijuana industry create, maintain, and provide compliance validation with their Security Programs and digital forensic/incident response services.
