Establishing an information security program is a complex undertaking. It is easy to get lost in the details and neglect a critical component of the program. This article focuses on high-level guidelines or tenets. Its framework can also be used to provide an overview for senior management and employees.

1. Have a focus on the information security program as a whole. Program design should start with a control framework such as ISO 27002. Frameworks are essentially information security best practices. Layer on compliance requirements and add safeguards as the outcome of risk assessments. Compliance considerations include laws, regulations and contractual obligations. Ask your attorney for support. Program documentation should include policies, standards and guidelines. Document security safeguards in a control baseline. Refer to NIST SP 800-53 as an example. It has high, moderate and low impact control annexes. Ensure compensating controls meet the intent and rigor of the original requirement. Evaluate processes and procedures by the COBIT maturity model and improve the program over time.

2. Identify and manage risk. Compliance with security regulations and frameworks is meant to address risk from a generic perspective. It is also necessary to consider risk to your specific business and operations. Consider a retail scenario where competitors are suffering payment card breaches by a sophisticated threat. Management may decide to implement an associated countermeasure given the threat, vulnerability and potential business impact. Do not try to eliminate risk entirely. Adapt your risk model as the threat landscape changes to do more with the same resources. Refer to NIST SP 800-30 and the ISACA Risk IT Framework for additional guidance.

3. Follow the data. When asked why he robbed banks, Willie Sutton's response was, "Because that's where the money is." Protecting assets starts with knowing where they are. Document where data flows throughout the company and when it is shared with third parties. Maintain an inventory of applications, databases and related systems, with mapping to sensitive data and intellectual property. Discover unstructured data through automated scans. Classify data by confidentiality, integrity and availability ratings. Refer to NIST SP 800-60 for sample ratings and impact definitions. Label consumer records with home state and country to enable compliance with privacy regulations.

4. Apply defense-in-depth measures. This tenet addresses adversaries and insider threat, inclusive of human error and social engineering. Ensure appropriate controls are in place to protect data from disclosure or modification as it flows internally and when shared with third parties. Layer on a comprehensive blend of preventive, corrective and detective controls based upon risk. For highly sensitive intellectual property or confidential information, consider strict controls such as air gaps and two-person integrity. Ensure security language is included in contracts and cannot be deleted in negotiations without risk evaluation and sign off. Design applications to adhere to consumer data sharing preferences and website privacy statements.

5. Align with business products, services and objectives. This is necessary to accomplish the goals of information security and to stay relevant within the company. Expand beyond merely protecting what is mandated, such as credit card and social security numbers. Learn how the business functions, including how revenue is generated. Align recommendations for security initiatives with threats to strategic business objectives. Protect the intellectual property of the company. Understand risk to strategic objectives, how that is quantified, monitored and mitigated. Consider embedding risk and security professionals within lines of business.

6. Anticipate, be innovative and adapt. Threats, vulnerabilities and business practices evolve over time. Focus personnel and budget where there is the greatest return on risk mitigation. Establish a function to track security advisories, research compromise trends and network with the security community from a threat perspective. When an advanced persistent threat is identified, take it seriously. Establish a process to accept, mitigate or transition identified risks.

7. Establish a culture of security. Reinforce policy and educate personnel about threats with a security awareness program. Start by asking a senior executive to send a message explaining the company has a low risk tolerance and everyone is responsible for security. Require all personnel to sign-off on security policies. Conduct training upon date of hire and repeat annually. Be mindful of your audience. Communicate in layman's terms, avoiding unnecessary use of technical terms. Speak in terms of business risk versus fear, uncertainty and doubt with no context. Include a testing component to evaluate training comprehension. Find ways to keep security topics front-of-mind throughout the year such as awareness tips sent by e-mail. Document a training plan by audience.

8. Plan for a rainy day. Low probability events occur over the course of time. Ensure critical dependencies are accounted for within business continuity and disaster recovery programs. Establish an incident response team, including preparation for denial of service attacks. In the event of a compromise, preserve forensic evidence and comply with applicable data breach notification laws. Prepare to present details of the security program in court and how it provides "reasonable" protections. Test business continuity, disaster recovery and incident response at least annually.

9. Trust but verify. Internal audit should consider control frameworks and industry best practices when determining the effectiveness of the information security program. Evaluate compliance with laws, regulations and contractual obligations. Follow data flow to ensure operational risk is appropriately identified and mitigated. Conduct penetration tests of hosts, networks, applications and physical security controls. Use social engineering assessments to evaluate the security awareness program. Conduct assessments of third parties to ensure they adhere to company standards. Evaluate processes with Failure Mode and Effects Analysis (FMEA). Establish a quality assurance program to address variation and defects within critical process steps.

10. Tell the story and exert influence. Report risk and compliance in a manner that it can be aggregated up through the company to provide an enterprise view. Include drill down capabilities to findings-level detail to facilitate remediation. Use metrics to defend the program when annual budgetary requests are due. Influence starts with establishing professional relationships with business executives. Information security and business operations have the same objectives, to ensure products and services are consistently delivered. Develop routines to ensure risk issues are clearly communicated. Send formal risk escalation reports and invite operations, risk and compliance contacts to meetings to discuss them. Track open issues in a risk registry. Document a communications plan by audience.

Business executives consider the cost of the security program; with a focus on percentage of the operating budget. They are likely to ask what will be the consequence if a given requirement is not met. The answer must be framed in terms of compliance and operational risk, within a business case. Consider strategic and reputational risk as well.

For those of you reporting to a Chief Security Officer, realize that s/he has a finite budget and looks to mitigate as much risk as possible. Align your programs and budget requests with business risk mitigation clearly identified.

Follow the data; follow the risk. An ounce of prevention is worth a pound of cure.


About the author: Gideon T. Rasmussen is an Information Security Risk Consultant with over 20 years of experience in corporate and military organizations. His websites are www.gideonrasmussen.com and www.virtualcso.com. The opinions expressed here are those of Gideon Rasmussen and do not necessarily represent those of his current or past employers/clients.

Originally published in (IN)SECURE Magazine (June, 2011)