Managing an Information Security Risk Program

A Managerial Approach

By Adriano Novaes, Senior Cybersecurity Consultant

Every organization should have an information security management program. The program consists of the totality of all activities and expenditures the organization takes to protect sensitive information. The program may be formal with a specific executive tasked with management responsibility, or it may be informal with activities and expenditures spent as needed. Formal or ad hoc, proactive or reactive, effective or not, every organization manages the security of its critical information.

Set the goals

The objective of an organization’s Information Security Management Program is to prudently and cost-effectively manage the risk to critical organizational information assets.

• The risk that critical information is compromised
• The risk that critical information becomes unavailable
• The risk that critical information is changed without authorization

Associated with risk is cost. Security incidents cost money. So it does prevent them. The cost, for example, of a computer virus is the loss in productivity of an organization’s personnel plus the time and expense for IT personnel to remove the virus and restore availability. The cost of a theft of a trade secret by a cyber-thief is the value of the trade secret. Implementing security also has costs. Firewalls and other security technology take capital away from other uses. Information security personnel come at the expense of personnel who can directly more contribute to the bottom line. And every hour management spends in a security meeting, or personnel spend on security awareness training, is an hour that could otherwise also contribute to the bottom line.

Requirements for an Information Security Management Program

The drivers behind an organization’s information security management program are the evolving landscape of laws, regulations, and competition, as well as evolving information security “best effective” practices. Organizations that hold personal, financial or health information of others are required to adhere to various federal and state laws and regulations. These include

• HIPAA (electronically protected health information)
• Sarbanes-Oxley
• GDPR – General Data Protection Regulation

Organizations may also have various contractual requirements for information or data security. Credit card processors, for example, must conform to the Payment Card Industry Data Security Standard.

As organizations come to more deeply understand the competitive value of the information stored in their computer networks and the need to make that information securely available anytime and anywhere, they discern the need for a formal information security management program to assure that information is kept confidential, available, and correct.

As organizations have increasing needs to share information with suppliers, customers, and other business relations they are increasingly becoming concerned with the information security capabilities of these third parties.

An organization’s information security management program must be built upon current and emerging information security “effective best-practices.” As the information security industry has evolved, the industry has tended to settle on three distinct models as to what constitutes a set of “effective best-practices” for managing the security of information:

• ISO-27001 Specification for an Information Security Management System
• ISO-27002: Code of Practice for Information Security Management
• ISACA: Information Security “Management Maturity Model”

Managing the Security of Critical Information Assets

Information Security Control Objectives

While the prevailing ‘consumer perspective” of information security is that it is concerned with protecting the confidentiality of sensitive information.

The control objectives recognize that it is not enough to put all of one’s security resources on protecting information. Information is under stealth attack and it is only prudent to commit resources to detect attacks and to be sure that one can recover from attacks. And while compliance is linked to protect, detect, and recovery controls, it requires management oversight and corporate resources as well.

Information Security Critical Success Factors

Information security has seven Critical Success Factors which must be implemented if an organization is to meet its information security control objectives.

1. Executive Management Responsibility: Senior management has responsibility for the firm’s information security program, and this program is managed in accordance with the enterprise’s information security policies.
2. Information Security Policies: The enterprise has documented its management approach to security in a way that complies with its responsibilities and duties to protect information.
3. User Awareness Training & Education: Information users receive regular training and education in the enterprise’s information security policies and their personal responsibilities for protecting information.
4. Computer and Network Security: IT staff and IT vendors are securely managing the technology infrastructure in a defined and documented manner that adheres to effective industry information security practices.
5. Physical and Personnel Security: The enterprise has appropriate physical access controls, guards, and surveillance systems to protect the work environment, server rooms, phone closets, and other areas containing sensitive information assets. Background investigations and other personnel management controls are in place.
6. Third-Party Information Security Assurance: The enterprise shares sensitive information with third parties only when it is assured that the 3rd-party appropriately protects that information.
7. Periodic Independent Assessment: The enterprise has an independent assessment or review of its information security program, covering both technology and management, at least annually.

Management Control Domains

These seven critical success factors play themselves out across three fundamental management control domains:

1. IT Infrastructure Security: Control elements in this domain identify specific point-in-time technical information security countermeasures. Examples include the security architecture; firewall rules; technical access controls; backup status; use of encryption; virus, worm, Trojan horse prevention; current patch levels; intrusion detection capabilities; etc.
2. Secure IT Management: This control domain contains information security management controls specific to managing the Information Technology infrastructure. Control elements in this domain include documentation of IT systems, procedures, etc; management of systems development and maintenance processes, including change control; incident response and disaster recovery planning; IT staff education; IT vendor security; etc.

3. Entity Security Management: This control domain contains management controls hierarchically “above” and outside of the management of the Information Technology infrastructure. Control elements in this domain include the chief information security officer, information security policies, employee education, and awareness training, business process security, physical security, personnel security, etc.

Managing an Information Security Structure

CISO

As an information security leader, It is expected to:

• Take a systematic approach to IT security
• Determine which risks have the most impact on your organization and protect the assets that matter most
• Proactively mitigate risks and minimize damage from cyber-attacks and data breaches
• Ensure your organization can recover from security incidents faster and more easily
• Justify investments in IT security to the board of directors

Information Security Steering Committee

The CISO is supported by a cross-functional Information Security Steering Committee. In order to make sure that information security leadership and management extend across the organization, Steering Committee members need to include senior representatives of marketing, sales, operations, HR, finance, and IT. A formal appointment to the Information Security Steering Committee is made by the COO in consultation with the CISO.

Stablishing an Information Security Culture

The effectiveness of an information security program ultimately depends upon the behavior of people. Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to do. While information security policies, and awareness training program and the other required information security practices can define, regulate and impart information security knowledge these rarely have a significant impact on people’s feelings about their responsibility for securing information, or their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of our people.

Develop a risk assessment process

Risk assessment is an important part of any cybersecurity risk management plan. It is important to have in mind the following points, as found as below:

• Identify all your company’s digital assets, including all stored data and intellectual property
• Identify all potential cyber threats, both external (hacking, attacks, ransomware, etc.) and internal (accidental file deletion, data theft, malicious current or former employees, etc.)
• Identify the impact (financial and otherwise) if any of your assets were to be stolen or damaged
• Rank the likelihood of each potential risk occurring

Speed as an action

When a security breach or cyberattack occurs, an immediate response is required. The longer it takes to address the threat, the more damage may be done. Studies show that 56% of IT managers take more than 60 minutes to get information about an ongoing cyberattack. But a lot of damage can be done in an hour.

The speedy reaction must be a part of your security-forward culture. That means you need to develop an early recognition of the potential risks, immediate identification of the attacks and breaches, and rapid response to security incidents. When it comes to risk containment, speed is of the essence

Incident Response Plan

Last but not least, It is required to develop an incident response plan, focusing on the priority of risks previously identified. You need to know what you need to do when a threat is detected—and who needs to do it. This plan should be codified so that even if an incident occurs after you’ve personally left the company, the team currently in place will have a roadmap for how to respond.

About the Author

Adriano Novaes is a senior cybersecurity consultant with more than 15 years of experience in the Cybersecurity space.  He is experienced in Governance, Risk and Compliance, and strong expertise in information security projects involving IT Risk Management, Network Security, IT vulnerability management besides providing security advice in information assets to Brazilian and international companies across the world. Adriano has worked in multiple projects from different clients in Brazil, Africa, and The United States. He is graduated in Network Technology and certified as a Cybersecurity specialist by the Georgia Institute of Technology in the US. Adriano Novaes can be reached out online at [email protected] or https://www.linkedin.com/in/adrianonovaes