
Does implementing an information security program seem overwhelming? Having trouble figuring out how to get started?

The Federal Trade Commission offers several practical resources, based on the National Institute of Standards and Technology’s Cybersecurity Framework, to help businesses address security challenges.

Below are the five parts of the framework.

Pie chart of the National Institute of Standards and Technology’s Cybersecurity Framework

Source: NIST


One reason information security is confusing is that many organizations jump straight to “what do we need?” before asking “what do we have and use that we need to protect?” and “what puts those important things at risk?” To use a familiar analogy, protecting a home with alarms, cameras/detectors, locks, safes and insurance becomes a practical endeavor only after you determine what is worth protecting, e.g., valuables, heirlooms, in-laws.

Information security is typically harder to picture or visualize simply because the “valuables” (nonpublic information — shorthand for any sensitive or confidential information you may need or want to protect) aren’t visible when stored electronically. Similarly, many security tools (such as threat monitoring, spam filters and safe internet browsing) run in the background and out of sight. So you can’t see the “cash” or what protects it.

Therefore, it is a crucial first step to understand how and where information is stored and managed while in your possession or control.

Identify the information you touch and the tools you use to manage information

List all the equipment you use, such as servers, desktops, laptops and tablets, and determine the information you collect, store and use on that equipment. This does not require an exhaustive inventory or a detailed data map as a first step, even though organizations will want that eventually.

Simply draw out on a piece of paper how information flows when it comes into your business. How is it received, where is it stored, who has access to it, how is it transmitted within and outside the business, what happens to it when it is no longer used or useful? Even though most information is stored electronically, do not leave physical storage out of the analysis. Identify information entrusted to third-party vendors. Below is an example of how mapping information flow helps.

Flow chart of the electronic discovery reference model

Source: EDRM

Identify nonpublic information

Determine which information in your organization is nonpublic (what you need or want to protect), and understand what legal, contractual or business requirements apply to that information (why you need to protect it and the consequences for failing to protect it). For example, laws in all 50 states now require businesses to protect various types of personal nonpublic information. Your business needs to understand what personal nonpublic information it collects, from employees and consumers, and needs to have a plan to protect it.

Likewise, various federal and state laws require the protection of personal financial information, personal health information and other nonpublic information. Nonpublic information may be subject to the requirements of a contract, or may require a higher level of protection to maintain its nonpublic status, for example, intellectual property, trade secrets or business intelligence.

The identification of nonpublic information, particularly personal information, is also a necessary foundation for maintaining the privacy of that information. Any business required to comply with the European Union’s General Data Protection Regulation or the California Consumer Privacy Act must be able to identify, locate and manage personal information of various types (besides protecting that information).

Identify potential information risks

Once you know what nonpublic information you have and how you collect, store and manage that information, consider the events that might put that information — or your ability to use it — at risk. Could a ransomware attack prevent you from accessing critical information and performing necessary business activities? Would a cut fiber or a power outage during a severe weather event knock out or damage your telephone or computer systems? Do you store significant consumer personal, financial or health information that could be compromised and lead to legal and regulatory challenges? What happens if a laptop goes missing?

Identify steps to address information risks

Think through the steps to take to protect against an event and limit the damage if one occurs. This may mean backups for information and computer systems, an incident response plan or insurance.

Draft and implement one or more security policies

Create and share a company security policy that spells out the responsibilities of employees, vendors and anyone else who touches nonpublic information in practical terms. Make sure those who are expected to comply with this policy truly understand it.

To put a finer point on it, if you as a business leader are not aware of the nonpublic information you manage and what needs to be done to protect it, can you expect each employee in the organization to fulfill their roles as part of an effective security program?

Obtain cyber insurance and update coverage

Once you have identified information risks, determine whether insurance is appropriate. If your organization has cyber insurance, review your policy to determine whether coverage exists for your particular information risks. For example, policies should cover breaches in security and restoration of damaged computer systems and digital infrastructure.


Computer networks are designed to enable connections and encourage access, not to limit the flow of information or connections between networks. It is not too much of a stretch to compare modern computer networks to neighborhoods where the houses were built to allow people to move freely from one house to another. As a result, businesses must try to understand the vulnerabilities of networks and equipment as they come out of the box, and then implement protections. A condensed version of some of the steps below can be found here.

Protect information by limiting access to it

Because the default settings of computers and networks allow connections and access across networks, you must control who logs on to your networks and uses your computers and other devices. Apply the concept of least access privilege to your networks and your physical space so only those people who need to use nonpublic information can access it.

Protect information with security software and update that software

Use security software and make sure it updates regularly, preferably on an automated basis. Update your hardware and software regularly. Hackers systematically seek to exploit vulnerabilities in software or equipment not updated or patched. Failing to update and patch makes you an easy mark, like having a house with no front door.

Protect information by encrypting it

Consider encrypting nonpublic information at rest (while you are storing it) and in transit (as you send it and receive it). Notification laws in many jurisdictions exempt businesses from the requirement to notify individuals of an incident involving their personal nonpublic information if that information has been encrypted.

Protect information through backups

Back up information regularly, and according to a plan. Use offsite backups, especially if your business and server locations are subject to severe weather events or other disruptions.

Protect information and devices through secure deletion and destruction

Have a policy for securely disposing of information and equipment you no longer have an obligation or business reason to keep. Remember that computer equipment stores large amounts of information until that equipment is properly destroyed.

Train your people to protect your information and your business

Conduct regular information security training that covers the threats employees may encounter, emphasizing the critical role every member of the team plays:


Once you’ve identified what needs protecting and developed a plan to protect it, keep an eye on your network and the people using it. Detection involves monitoring your computers and networks for unauthorized access, keeping track of your devices (like thumb drives) and knowing how your software is being used. Detection may include regular vulnerability scans and threat assessments, and making updates and changes based upon the results.


Plan for how you will respond if your business is the target of an attack or experiences an incident that affects information, equipment or your ability to conduct business. Do you have an incident response plan to guide the organization when a security incident takes place?

Reacting to an incident without a plan differs greatly from responding according to predetermined steps. Trying to figure out whom to contact in the middle of a crisis event is much more difficult than knowing whom to call in advance.

Consider how you will do these things should an incident occur:

  • Keep your business operations up and running while you address an incident
  • Notify customers and others whose information may be at risk
  • Report the incident to law enforcement and other authorities
  • Investigate and contain any attack, and restore systems to working order

After an incident, update your security policies to reflect lessons learned. Test your plan periodically even absent an event.


Restore affected equipment and parts of your network. Keep employees and customers informed about the steps you’re taking to recover.

Once you’ve experienced an incident, apply the lessons learned from it and align your incident response plan to your larger security program.

Security is an ongoing process

The framework is shown as a circle for a reason, to emphasize that the processes described are ongoing. A security program has to be reviewed and updated, and is always a work in progress.