Building an Information Security Program for the Enterprise
It is critical for all IT-dependent organizations to establish a robust and comprehensive information security (“InfoSec”) program early on. One has only to keep an eye on the news to understand that a well-conceived program can make the difference between an organization remaining viable or finding itself on the proverbial scrap heap of history. Not only can a single security incident shake an organization to its foundations, but the lack of a proper program can, and will, result in lost business opportunities. With the emergence of new force-multiplying technologies such as artificial intelligence, and the rise of malicious state actors and “hacker corporations”, the risk levels associated with IT security have increased dramatically in recent years.
In this article I’ll present, at a high level, steps that can be taken to rapidly establish an effective information security program.
Forming the Security Committee and Identifying Strategic Security Needs
Information security exists at both the strategic and the tactical levels. The strategic level is the business of the organization’s Security Committee, and is where business needs are mapped to security initiatives, and where timelines, priorities, budgets and acquisitions are initially identified and/or approved. Strategic information security involves the organization’s Security Lead meeting periodically with C-Level stakeholders (or possibly their designates) to define broad initiatives and priorities. Topics considered should include:
- Defining the composition of the Security Committee
- Defining and discussing budgetary issues related to the security goals and vision
- Defining reporting requirements for the Security Group
- Identifying customer market sectors with special InfoSec requirements (e.g. HIPAA, FedRAMP, PCI-DSS, etc.)
- Identifying current and anticipated regulatory issues pertaining to IT security
- Standards conformance and audit/certification goals (including FedRAMP)
- Defining the lines between security, compliance and privacy
- Definition of a high-level security roadmap with implementation time goals
- Defining metrics to measure performance against security goals
- Structure of the InfoSec organization (e.g. application security, security operations, etc.)
- Use of virtual vs. dedicated teams
- Incorporation of SIEM Technology
- Risk Management
- Cadence and schedule for future Security Committee meetings
The importance of identifying a SIEM strategy cannot be overstated. For many customers and prospective customers, the presence of a SIEM solution may be a prerequisite for doing business. SIEMs allow potential security indicators, such as log records indicating failed login attempts, to be captured, securely stored and automatically analyzed and correlated so as to signal potential security incidents. The key word here is “correlated”, as many organizations may choose to perform this correlation through other means (including periodic human inspection of log files). SIEM solutions have a reputation for being costly in terms of licensing as well as carrying high implementation and ongoing maintenance costs, which is why organizations may be hesitant to, at least initially, incorporate a SIEM into their security architecture.
NOTE: One alternative to a SIEM, particularly in the case of non-critical business functions, is the implementation of strong centralized logging coupled with automated scanning of those logs for the most common security events (e.g. repetitive failed login attempts). In all cases, including SIEM, the repository for log files should be automatically purged in accordance with a published data retention policy.
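As an added illustration of the centralized-logging alternative described above (this is example code, not part of the original article), the script below parses constructed sshd-style auth log lines, flags any source address that produces five or more failed logins inside a five-minute window, and purges records older than a retention period. The log lines, the threshold, the window and the 90-day retention period are all assumptions chosen for illustration; a real deployment would take them from the organization's published policy.

```python
"""Added example (not from the article): a minimal centralized-log scanner.

It parses constructed syslog-style auth lines, flags any source that
produces N or more failed logins inside a sliding window, and purges
records older than a published retention period.  The log lines, the
threshold and the retention period are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a common sshd/syslog shape (not real logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 5100 ssh2
2024-03-01T10:00:04Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 5101 ssh2
2024-03-01T10:00:09Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 5102 ssh2
2024-03-01T10:00:15Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 5103 ssh2
2024-03-01T10:00:20Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 5104 ssh2
2024-03-01T10:02:00Z host1 sshd[1202]: Accepted publickey for alice from 198.51.100.5 port 6000 ssh2
2024-03-01T10:30:00Z host1 sshd[1203]: Failed password for bob from 198.51.100.5 port 6001 ssh2
2024-03-01T10:31:00Z host1 sshd[1203]: Accepted password for bob from 198.51.100.5 port 6002 ssh2
"""

# Matches the timestamp, host, outcome, user and source address of an sshd auth record.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_lines(text):
    """Return a list of (timestamp, host, outcome, user, src) for each matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated records are ignored, not treated as errors
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], m["outcome"], m["user"], m["src"]))
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: time_of_first_alert} for sources with >= threshold failures inside window."""
    recent = defaultdict(deque)  # per-source timestamps of recent failures
    alerts = {}
    for ts, _host, outcome, _user, src in sorted(events):
        if outcome != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def purge_expired(events, now, retention=timedelta(days=90)):
    """Drop records older than the retention period; return (kept_events, purged_count)."""
    cutoff = now - retention
    kept = [e for e in events if e[0] >= cutoff]
    return kept, len(events) - len(kept)


def run_demo(now=datetime(2024, 6, 15, tzinfo=timezone.utc)):
    """Scan the constructed sample, then apply the retention purge as of `now`."""
    events = parse_lines(SAMPLE_LOG)
    alerts = detect_failed_login_bursts(events)
    kept, purged = purge_expired(events, now)
    return {
        "events": len(events),
        "alerts": {src: ts.isoformat() for src, ts in alerts.items()},
        "kept": len(kept),
        "purged": purged,
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the burst from 203.0.113.7 is reported; the single failure from 198.51.100.5 followed by a successful login stays below the threshold, which is the kind of correlation the paragraph above refers to. The purge step is deliberately separate from detection so the retention policy can be applied on its own schedule.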
Risk Management
It is incumbent on the Security Committee to define the scope of the organization’s risk assessments early on, and to make decisions regarding the scope of Risk Management. It is only natural for security personnel to consider Risk Assessment and Management as being limited to a review of technology risks. However, risk assessments can be much broader in scope, and customers may expect such assessments to be much broader, considering non-technical risks such as reputational damage, or other risks associated with disruption of normal business activities such as pandemics, social unrest, weather disasters or other force majeure events. The Committee should also consider the option of identifying and bringing in an accredited third party specialist to perform risk assessments.
Organizing the Security Team
Once the Security Team responsibilities have been defined by the Committee, the Security Team Lead should begin forming the team. This may involve pulling in existing personnel or hiring new personnel. Once the team has been established, then ongoing, regularly-scheduled meetings should be scheduled. Topics to be covered in those meetings should include:
- Refining the team’s roles and responsibilities
- Creation of a Security Team email list
- Selection and stand-up of a ticketing system
- Identifying identity and access management (“IAM”) architecture and solutions for centralized user access management.
- Discussing issues related to cloud and infrastructure security
- Developing requirements for a shared document repository
- Identifying needed policy, process and procedures documents
- Creation of a Security Team calendar
- Scheduling of periodic user access reviews
- Scheduling disaster recovery plan tests
- Scheduling Security Team meetings
- Scheduling periodic reviews of select security documents
- Review of the security roadmap and performance metrics defined by the Security Committee
- Development of recommendations for adoption of industry accepted security frameworks and standards
- Recommendation of security controls, tools and supporting infrastructure
- Setting up a dedicated Security Team ChatOps channel
- Identifying and ticketing of initial security tasks and initiatives
Standing up a Ticketing System
For the Security Team, the importance of standing up a ticketing system cannot be overstated, as Security Team and other tickets provide the evidence that an auditor will need to see as part of any future certification. Auditors are going to require a history of six to twelve months of security-related tickets.
A ticketing system for the Security Team should:
- Allow for ticket prioritization
- Support custom ticket types
- Provide the ability to organize tickets into sub-tickets
- Allow customization of ticket status
- Support ticket type-specific workflows
Identify Documentation Tools and Standards
Because security auditors are going to want to see a multi-month (possibly as long as 12-month) history of document updates, selection of documentation tools and the definition of documentation standards should be addressed as early as possible. The obvious documentation solution is not necessarily the best. Key considerations are:
- Does the solution have built-in user authorization for the control of document access and revision?
- Does the solution automatically maintain a history of document revisions?
- Does the solution facilitate concurrent access and revisions of documents?
- Does the solution track document aging and send automated document revision notifications?
- Does the solution support the export of documents to PDF format?
In addition to having a solution that facilitates the management of text documents, the organization should also consider the above requirements with regard to drawings and diagrams.
Any documentation standards should specify document format, including document headers and footers, as well as the location and format of document revision histories. Any document naming standard should differentiate between internal-only and shareable documents, and should indicate whether the document is redacted and/or shareable and the date when the document was last reviewed and reauthorized. Guidelines for the redaction of documents for external sharing should be published.
Identifying Needed Policy, Process and Procedures Documents
Whether the organization’s IT security, compliance and/or privacy policies are defined in a single document, or in multiple documents, the full scope of those documents should, at a minimum, include:
- Security Governance
- Security Audits
- Geographic Redundancy
- User Access Control and Permissioning
- Network Security
- Data Protection (including encryption of data at rest and in transit, encryption algorithms, encryption key requirements and encryption key management).
- Application Security
- Cloud Security
- Monitoring and Logging
- Vulnerability Management
- Incident Management
- Customer Notification
- Security Patch Management
- Third Party Rights, Management, Review and Audits
- Data Retention
- Data Privacy
- Compliance (including compliance with applicable laws)
Develop a Recommendation for Adoption of an Established Security Framework(s)
It is common for larger customers to expect that any organization having access to the customer’s data adopt one or more IT security frameworks. In some cases the frameworks to be considered are dictated by the nature of the business. For example, if you process end user payments, then you should seriously consider conformance to the PCI-DSS payment card industry standard.
Security frameworks to consider are:
- ISO-27001 - an international standard for information security management systems (ISMS).
- COBIT - divides IT into 40 processes across five domains: Evaluate, Direct and Monitor (EDM), Align, Plan and Organize (APO), Build, Acquire and Implement (BAI), Deliver, Service and Support (DSS), and Monitor, Evaluate and Assess (MEA). COBIT provides maturity models, metrics, and detailed control objectives for each process, helping organizations assess and improve their IT governance capabilities.
- NIST - a cybersecurity framework that consists of five core functions:
- Identify: Asset management, risk assessment, governance
- Protect: Access control, awareness training, data security
- Detect: Continuous monitoring, anomaly detection
- Respond: Response planning, communications, analysis
- Recover: Recovery planning, improvements, communications
- CIS - 18 prioritized security actions organized in three groups:
- Basic Controls
- Foundational Controls
- Organizational Controls
- SOC2 - this report requires that an independent auditor assessment be performed. Organizations choose which of the following five criteria to include in the audit based on their specific business needs (the Security criteria are always mandatory):
- Security - Protection against unauthorized access
- Availability - System accessibility for operation
- Processing Integrity - Complete, accurate, timely processing
- Confidentiality - Data designated as confidential is protected
- Privacy - Personal information is collected, used, retained properly
- HIPAA - a medical industry security and privacy framework that consists of three primary ‘rules’:
- Privacy, including protection of the privacy of protected health information (PHI)
- Security (includes administrative, technical and physical safeguards and controls)
- Breach notification
- PCI DSS - a security framework specific to the payment card industry that specifies twelve security requirements.
There is significant overlap between the scope and requirements of each of these frameworks, with CIS being notable in the more detailed nature of its security controls. It is not uncommon for an organization to either conform to the CIS framework in addition to another common InfoSec framework, or perhaps to be “informed by” CIS while complying more rigidly to another framework.
Define Roles and Responsibilities, and Handling of Support Requests
Many mid-sized and larger organizations will probably benefit from defining individual roles and responsibilities within the Security Team. Areas of specialization might include:
- Security Operations
- Application Security
- Cloud Security
- Internal Security Support
Other roles might be more transient, and may be assigned to different individuals under different circumstances. An example of this might be the role of Security Incident Manager, with the assignment varying from one incident to the next.
NOTE: Internal Support Requests often divert members of the Security Team from critical roadmap initiatives, which can have serious repercussions. One solution to this issue is to define rotating support responsibilities, so that the demands of support are more evenly distributed. Another solution might be to include in the security team a dedicated Security Support role.
Establish Incident Response, Business Continuity and Disaster Recovery Plans
It’s essential to have well-defined incident response and business continuity plans in place. These plans should outline the steps to be taken in the event of a security incident, including incident detection, containment, eradication, and recovery. Additionally, the business continuity plan should ensure that the organization can recover critical non-IT related operations.
NOTE: In years past it was sufficient for an organization to declare the Recovery Time Objective (“RTO” - the maximum time required to restore a service in the wake of a disaster) and Recovery Point Objective (“RPO” - the maximum amount of time for which data may be lost due to a disaster). Today customers may request other disaster related information such as Recovery Time Actual (“RTA” - the actual time required to restore a service).
It is not uncommon for customers and prospective customers to also request that a Business Impact Analysis (“BIA”) be provided. The BIA is a document, or possibly a section of the Business Continuity Plan, that provides the mathematical rationale for the stated RTO and RPO numbers. This analysis often requires an evaluation of the components of a service, the dependencies between those components, and the times required to restore those individual components.
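The following is an added worked example of the component-level analysis behind an RTO and RPO statement; it is illustrative code, not something from the original article. It models a service as components with individual restore times, backup intervals and dependencies, derives the service RTO as the longest dependency chain (assuming components with no mutual dependency are restored in parallel), and derives the RPO as the longest backup interval among the components that hold data. The component names, minute values and the RTO/RPO targets are constructed assumptions.

```python
"""Added example (not from the article): a small Business Impact Analysis calculator.

A service is modelled as components, each with a restore time, an optional backup
interval (None for stateless components) and a list of dependencies.  The RTO is
the length of the longest dependency chain, assuming independent components are
restored in parallel; the RPO is the longest backup interval among data-bearing
components.  All names and numbers are constructed for illustration.
"""

# Constructed model: name -> (restore_minutes, backup_interval_minutes or None, dependencies)
SERVICE_MODEL = {
    "dns":           (15,  None, []),
    "network":       (30,  None, []),
    "database":      (120, 60,   ["network"]),                      # hourly backups
    "object_store":  (45,  1440, ["network"]),                      # daily snapshots
    "app_server":    (40,  None, ["database", "object_store", "dns"]),
    "load_balancer": (20,  None, ["app_server"]),
}


def compute_rto(model):
    """Return (rto_minutes, critical_path) via the longest path through the dependency graph.

    Raises ValueError if the dependencies contain a cycle, since such a model can
    never be restored and the BIA should reject it.
    """
    memo = {}        # name -> (finish_time, path_of_names)
    visiting = set() # names on the current recursion stack, for cycle detection

    def finish_time(name):
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"dependency cycle at {name}")
        visiting.add(name)
        restore, _backup, deps = model[name]
        best_dep, best_time = None, 0
        for dep in deps:  # a component can start only after its slowest dependency is back
            t, _ = finish_time(dep)
            if t > best_time:
                best_dep, best_time = dep, t
        path = (memo[best_dep][1] if best_dep else []) + [name]
        memo[name] = (best_time + restore, path)
        visiting.discard(name)
        return memo[name]

    # The service is restored when every component is; the latest finisher sets the RTO.
    rto, path = max((finish_time(n) for n in model), key=lambda r: r[0])
    return rto, path


def compute_rpo(model):
    """Return (rpo_minutes, component): worst-case data loss is bounded by the longest backup interval."""
    intervals = {n: spec[1] for n, spec in model.items() if spec[1] is not None}
    if not intervals:
        return 0, None
    name = max(intervals, key=intervals.get)
    return intervals[name], name


def bia_summary(model, rto_target_minutes, rpo_target_minutes):
    """Compare the derived RTO/RPO against the targets the organization intends to publish."""
    rto, path = compute_rto(model)
    rpo, component = compute_rpo(model)
    return {
        "rto_minutes": rto,
        "critical_path": path,
        "rto_target_met": rto <= rto_target_minutes,
        "rpo_minutes": rpo,
        "rpo_driver": component,
        "rpo_target_met": rpo <= rpo_target_minutes,
    }


if __name__ == "__main__":
    print(bia_summary(SERVICE_MODEL, rto_target_minutes=240, rpo_target_minutes=1440))
```

For the constructed model the critical path is network, then database, then app_server, then load_balancer, giving an RTO of 210 minutes; the RPO of 1440 minutes is set by the daily object-store snapshot, which shows how a single infrequently backed-up component dominates the published figure.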
Set Up a Dedicated Security Team ChatOps Channel
A ChatOps channel for the Security Team will greatly facilitate and optimize intra-team communications and information sharing. Additionally, if the ChatOps solution selected provides an API, security controls may be configured to report possible security events to the channel, and the channel may also be used to cost-effectively meet the organization’s goal regarding security awareness.
Foster a Security-Conscious Culture
Ultimately, the success of an information security program depends on the engagement and commitment of the entire organization. Foster a security-conscious culture by promoting security awareness, encouraging employee participation in security initiatives, and ensuring that security is integrated into all aspects of the organization’s operations. In particular, have a process defined for periodically informing all employees of the security policies that affect them (many prospective customers may very well ask you to provide evidence that this is part of your security awareness program). Security awareness can also make good and economical use of email and/or chat channels.
Learning Management System (LMS) solutions, or third party LMS services, should also be considered to provide periodic security training. As is the case with several of the security measures mentioned here, customers will often ask for evidence of a security training program.
Final Thoughts
Please be aware that customer standards for information security become more rigorous and demanding each year. Whereas, in years past, customers would be satisfied with simple yes/no answers in response to standard security questions, it is now more common for customers to require far more detailed and nuanced responses to such questions, as well as to request accompanying evidence in the form of documentation and/or redacted screen captures. As the customer’s own security posture tightens they naturally expect similar controls in IT environments that may be storing or processing their sensitive data (and, trust me, ALL of their data will be sensitive!).
By following the steps outlined in this article, you should be able to start to put together a comprehensive and effective information security program that protects the organization’s critical assets, ensures compliance, and supports the organization’s overall business objectives.