Best Answers To Your Information Security Program Questions

What is Information Security?

Information Security or cyber security is defined as the protection of information systems/assets against unauthorized access to, or modification of, information. Information may be stored, processed, or in transit and may be maintained in electronic or paper form. Information Security also protects against the denial of services to authorized users and restriction of services to unauthorized users to include measures required to deter, detect, contain, respond, and mitigate threats. Information Security covers the entire organization and is considered a high priority as it is needed as a mechanism for information sharing.

Information security program objectives, approach, scope, importance, goals and principles for the organization’s security program need to be formally identified, communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader, and supported by a controls framework that considers legislative, regulatory, contractual requirements and other policy-related requirements.

Why is an information security program important?

Protecting the confidentiality, integrity, and availability of customer and sensitive protected health information, financial information, records, and transactions is critical. All customer information is considered confidential, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed. Everyone has shared responsibility to ensure that the appropriate procedures and controls are implemented and that information security remains a constant priority.

It is management’s intent to ensure that the Information Security Program supports the goals and principles of information security that is in line with business strategies and objectives. The Information Security Program should be consistent with the enterprise architecture.

To meet regulatory, contractual, and other related requirements, compliance is required to be met with all federal, state, and local laws. Consultation with legal counsel should occur when questions arise regarding the applicability of any related laws.

What are the components of an information security program?

An information security program or cyber security program should be maintained to control risks associated with access, use, storage, sharing, and destruction of sensitive customer and financial information. This program will document minimum standards of behavior for staff, contractors, and service providers and include clear guidance for the day-to-day operations. At a minimum, the program should include:

• Enterprise Risk Management Program
• Auditing and Logging
• Monitoring and Reporting
• An Effective Vendor Management Program

Generally accepted industry standards and best practices should be followed related to the security of information systems and information assets. Reasonable and appropriate policies and procedures should be implemented to comply with federal, state, and local standards as they apply to the requirements to protect information systems and information assets from unauthorized use or disclosure. A legal and ethical obligation should be in place to protect sensitive information.

How often should information security policies be reviewed?

The information security policies and any policy exceptions should be formulated, reviewed, updated, and approved on at least an annual basis to reflect best practices. The annual review, update, and approval of security policies should be based on results of management reviews, process performance/information security policy compliance; changes that could affect approach to managing information security (changes to environment, business, resources, contracts, regulations, legal, or technical); trends related to threats/vulnerabilities; reported information security incidents; and recommendations provided by relevant authorities.

Who is ultimately accountable for information security?

Information Security should be governed at the highest executive level within the organization and security initiatives are supported by management. An information security governance structure should be established to ensure an effective information security program is implemented.

The Board of Directors places high importance on information security activities and provides the necessary resources to ensure risks are mitigated to an acceptable level. A dedicated security organization should be assigned to manage the information security program of the organization.

How many information security staff do you need?

Resources should be identified as needed to implement the security program as part of the capital planning/investment request process to ensure resources are available as planned. Security requirements should be identified for information systems and as part of the capital planning/investment process, resources should be adequately allocated.

How often should you audit and
what is the main purpose of security audit?

The information security program should be formally approved and is reviewed/assessed for effectiveness on an ongoing basis and at least annually. Independent audits shall be conducted at least annually to demonstrate the information security program:

• Is approved by executive management;
• Communicated to all stakeholders;
• Adequate resources are assigned;
• Adhere to relevant regulations, legislation, and business requirements; and
• Updated as needed to meet defined objectives.

An independent review of the information security program should be initiated by management to ensure the continuing suitability, adequacy, and effectiveness of the information security management approach. An independent review of the information security program and information security controls should be conducted at least annually or whenever there is a material change to the business practices that may implicate the security or integrity of sensitive data.

How to handle audit results?

The results of independent security program reviews should be recorded and reported to management or office initiating the review. If an independent review identifies that the approach and implementation to managing information security is inadequate or not compliant with the direction for information security stated in the information security policy, management would take corrective actions.

6 most important terms you need to know in Cyber Security

1. Confidentiality – The system must ensure the confidentiality of sensitive information by controlling access to information, services, and equipment. Only personnel who have the proper authorization and needto-know can have access to systems and data. The system must include features and procedures to enforce access control policies for all information, services, and equipment comprising the system.
2. Integrity – The system must maintain the integrity (i.e., the absence of unauthorized and undetected modification) of information and software while these are processed, stored and transferred across a network or publicly accessible transmission media. Each file or data collection in the system must have an identifiable source throughout its life cycle. Also, the system must ensure the integrity of its mission-critical equipment. Automated and/or manual safeguards must be used to detect and prevent inadvertent or malicious destruction or modification of data.
3. Availability – The system must protect against denial of service threats. Protection must be proportionate to the operational value of the services and the information provided. This protection must include protection against environmental threats such as loss of power and cooling.
4. Accountability – The system must support tracing of all security relevant events, including violations and attempted violations of security policy to the individual subsystems and/or users including external connections. The system must enforce the following rules: 1) Personnel and systems connecting to the system must be uniquely identifiable to the system and must have their identities authenticated before being granted access to sensitive information, services, or equipment. 2) Each subsystem handling sensitive or mission-critical information must maintain an audit trail of security relevant events, including attempts by individual users or interfacing subsystems to gain access through interfaces not authorized for that particular purpose. This audit trail must be tamper-resistant and always active.
5. Assurance – The criticality and sensitivity of the information handled, equipment and services, and the need-to-know of personnel must be identified in order to determine the applicable security requirements. The security implementations chosen must provide adequate security protection commensurate with the criticality of the data, in accordance with the security policy.
6. Enforcement – The security policy must be enforced throughout the life cycle of the system. All implementations of security functions including those implemented at the system level must be evaluated to ensure that they adequately enforce the requirements derived from the security policy. Each platform must be evaluated to ensure that the installed system configuration enforces the stated security policy.

If you need help developing a cybersecurity program or assessing the maturity of your program, we can help. Contact us today!