In a previous article on Information Security and Compliance Explained I presented a good workable definition for information security and in The Top 10 Things Every CEO Needs to Do I demonstrated that all CEOs have a role to fulfill and that there are specific actions required of CEOs.
In this months article within the CEO Information Security Training Series, I cover how to start building a solid information security program. A solid information security program will lay the foundation that will ensure that your business information, and the information belonging to your customers will be adequately protected. Article three, Part I and II is about establishing a structure for information security that will allow the experts to protect your business while providing you with the information you need to run your business.
I have said this before, but I’ll remind you again; CEOs don’t need to be information security experts, but they do need to be involved.
At the end of this chapter, I will also present an example and contrast two organizations. One organization that has chosen to start and manage and information security program the right (and maybe the only) way, and another that is still struggling to get it right. I encourage you to read this entire chapter in order to get the value it can provide.
Everything lasting and meaningful in business starts with leadership, and leadership starts with you.
I have built enough information security programs over the past 20 years to know that there is one thing that is more important than any other, and that is leadership. Without leadership, buy-in, and active endorsement from executive management, any legitimate efforts to secure information are doomed to failure. Leaders who take information security seriously can, and do, speak about information security within their organizations. Leaders who take information security seriously:
- know what their most significant risks are
- know how much information security costs them
- know how information security helps them retain customers and attract new ones
- know that information security goals and objectives are aligned with the organization’s goals and objectives
- lead by example through compliance with policies and involvement in key initiatives
Starting an information security program starts with you. As the CEO of your organization, if you are not prepared and willing to participate in information security, then your organization probably isn’t ready to start an information security program; at least not in a way that will be most effective for your organization or its customers.
Effective information security leadership begins with commitment. The commitment must be:
- Documented. Your commitment to information security must be documented in policy, but should also be documented in marketing materials and customer agreements.
- Verbally communicated internally and on occasion externally. Internal communications can include mentioning information security in corporate meetings and gatherings.
- Demonstrated through action. Actions can include establishment of the information security program, setting a dedicated information security budget, enforcement of policy provisions, and many others.
If you feel that you are ready, then what’s next?
As the CEO of your organization, you don’t have time to run the day-to-day functions of an information security program. The first step to building an information security program is to establish governance. Who will be responsible for what?
Information security governance consists of determining who within your organization will be responsible for what. Start with defining how information will flow for the information security program; both strategically and tactically. In Figure 1 above, the arrows depict how information flows through a typical information security program. The darker the arrow is, the more tactical the information is. Each level of governance within the information security program should be associated with a specific set of responsibilities.
We could devote an entire book to the topic of information security governance, but the focus for this series is on you, the CEO. In this article, we’ll concentrate on the roles below yours because these are the roles that you are most responsible for filling:
- Information Security Committee
- CISO, ISO, CIO, etc.
- All employees, contractors, vendors, and 3rd-parties
It’s important to note that the governance for your information security program may differ slightly from the one depicted here, but the concepts are identical. It doesn’t matter if there are additional layers in your information security governance or less. What matters is that there is a governance structure and it defines roles, assigned responsibilities, accountability, and communication for your information security program.
Arguably the most important feature of effective information security governance is communication. Communication between all roles must be regular and transparent.
According to a recent study by the Ponemon Institute, nearly one third of IT security teams never speak with company executives about information security. Equally as bad, only 23 percent of those who have spoken to company executives, only do so once per year. Jeff Debrosse, director of security research at Websense, predicted that the “31 percent will, at some point, find themselves on the front page”.
Mr. Debrosse’s prediction is spot on. Good governance results in good communication.
Information security committee
Committees have a bad rap. Most committees get a bad rap because they have been poorly organized, poorly attended, and poorly directed. The Information Security Committee must buck this trend through:
- A documented charter containing:
- Documented meeting agendas
- Documented meeting minutes
Common responsibilities for the Information Security Committee could include:
- Formulate, review, and recommend information security policy
- Review the effectiveness of policy implementation
- Provide clear direction and visible management support for security initiatives
- Initiate plans and programs to maintain information security awareness
- Ensure that security activities are executed in compliance with policy
- Identify and recommend how to handle non-compliance
- Approve methodologies and processes for information security
- Identify significant threat changes and vulnerabilities
- Assess the adequacy and coordinate the implementation of information security controls
- Promote information security education, training and awareness throughout the organization
- Evaluate information received from monitoring processes
- Review information security incident information and recommend follow-up actions
The Committee communicates regularly and periodically with the CEO, and with the person who has many of the day-to-day responsibilities (CISO, ISO, CIO, etc.).
The Committee must be staffed with personnel who can speak for parts of the organization with authority and personnel who can serve as advocates for information security initiatives. Ideal personnel for Committee membership are business unit leaders, and an ideal size for the Committee is 6 – 8 members.
CISO, ISO, CIO, etc.
This is the person with day-to-day information security responsibilities. It doesn’t matter is this person’s title is Chief Information Security Officer, Information Security Officer, Chief Information Officer, or Director of Information Technology. This is the person who is responsible for ensuring that management’s (ultimately yours as CEO) direction with respect to information security is carried out in compliance with policy. The responsibilities must be documented, communicated, and measured.
Some typical responsibilities may include:
- Ensure compliance with applicable information security requirements
- Ensure preparation and maintenance of plans and procedures to address continuity of operations for information systems that support the operations and assets of the organization
- Ensure that the organization has trained its personnel to support compliance with information security policies, processes, standards, and guidelines
- Report annually, in coordination with the senior managers, to the Information Security Committee on the effectiveness of the Information Security Program, including progress of remedial actions
- Head an office tasked with the mission and resources to assist in ensuring organization’s compliance with information security requirements
- Assess risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization
- Develop and maintain information security policies, procedures, and control techniques to address all applicable requirements throughout the life cycle of each organizational information system
- Facilitate development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems
- Ensure that company personnel, including contractors, receive appropriate information security awareness training
- Train and oversee personnel with significant responsibilities for information security with respect to such responsibilities
- Implement and maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the organization
- Develop and implement procedures for testing and evaluating the effectiveness of the Information Security Program in accordance with stated objectives
- Review and manage the information security policy waiver request process
In essence, this person takes the direction from the CEO and Information Security Committee and implements it.
All employees, contractors, vendors and third parties
Everyone has a role and responsibilities with respect to information security. Information security is not and IT issue and participation is not limited to IT personnel. Initially, responsibilities may be as simple as:
- Understand all of the information security policies that make up the information security program
- Use organizational information and other information-related resources in compliance with all Information Security Policies
- Seek guidance from the information security committee on information security related matters that are not clear
- Communicate with the members of the information security committee regularly by providing feedback
These responsibilities may seem like common sense, but then again, there is no common sense in information security.
In part two of this subject I will discuss how to start a security standard, creating policies and the policy approval process.