Intimidated by Information Security? Use a Framework to Develop a Program

Jack Pringle
7 min read, Jan 29, 2019

Does the idea of implementing an information security program seem overwhelming? Having trouble figuring out how to get started?

The Federal Trade Commission offers a number of practical resources, based on the National Institute of Standards and Technology’s Cybersecurity Framework, to help businesses address their security challenges.

Below is a brief overview of the five parts of the Framework.

Identify

One reason information security is confusing is that many organizations jump straight to “what do we need?” before asking “what do we have and use that we need to protect?” and “what puts those important things at risk?” To use a familiar analogy, protecting a home with alarms, cameras/detectors, locks, safes, and insurance becomes a practical endeavor only after you determine what is worth protecting (valuables, heirlooms, in-laws, etc.).

Information security is typically harder to picture or visualize simply because the “valuables” (nonpublic information — shorthand for any sensitive or confidential information you may need or want to protect) aren’t visible when stored electronically. Similarly, many security tools (such as threat monitoring, spam filters, and safe internet browsing) run in the background and out of sight. So you can’t see the “cash” or what protects it.

Therefore, it is a crucial first step to understand how and where information is stored and managed while in your possession or control.

Identify the Information You Touch, and the Tools You Use to Manage Information

Make a list of all the equipment you use (servers, desktops, laptops, tablets, etc.), and determine the information that you collect, store and use on that equipment. And I am not talking about an exhaustive inventory or data map as the first step (even though you will want that eventually).

Simply draw out on a piece of paper how information flows when it comes into your business: how it is received, where it is stored, who has access to it, how it is transmitted within and outside the business, what happens to it when it is no longer used or useful, and so on. Even though most information is stored electronically, don’t leave physical storage out of the analysis. Identify information that is entrusted to third-party vendors.

One Example of How Mapping Information Flow Helps

Identify Nonpublic Information

Determine what information in your organization is nonpublic (what you need or want to protect), and understand what legal, contractual, or business requirements apply to that information (why you need to protect it and the consequences for failing to protect it). For example, laws in all 50 states now require businesses to protect various types of personal nonpublic information. As a result, your business needs to understand what personal nonpublic information it collects (from employees and consumers) and have a plan to protect it.

Likewise, various federal and state laws require the protection of personal financial information, personal health information, and other nonpublic information. Nonpublic information may be subject to the requirements of a contract, or may require a higher level of protection in order to maintain its nonpublic status (for example intellectual property, trade secrets or business intelligence).

The identification of nonpublic information, particularly personal information, is also a necessary foundation for maintaining the privacy of that information. Any business required to comply with the European Union’s General Data Protection Regulation or the California Consumer Privacy Act must be able to identify, locate, and manage personal information of various types (in addition to protecting that information).

Identify Potential Information Risks

Once you know what nonpublic information you have and how you collect, store, and manage that information, consider the events that might put that information — or your ability to use it — at risk. Could a ransomware attack prevent you from accessing critical information and performing necessary business activities? Would a fiber cut or a power outage that took place during a severe weather event knock out or damage your telephone or computer systems? Do you store significant amounts of consumer personal, financial, or health information that could be compromised and lead to legal and regulatory challenges? What happens if a laptop goes missing?

Identify Steps to Address Information Risks

Think through the steps to take to protect against an event and limit the damage if one occurs. As described below, this may mean backups for information and computer systems, an incident response plan, or appropriate insurance.

Draft and Implement One or More Security Policies

Create and share a company security policy that spells out in practical terms the responsibilities of employees, vendors, and anyone else who touches nonpublic information. Make sure that your policy is understood by those who are expected to comply with it.

To put a finer point on it, if you as a business leader are not fully aware of the nonpublic information you manage and what needs to be done to protect it, can you really expect each of the employees in the organization to fulfill their roles as part of an effective security program?

Protect

Computer networks were designed to enable connections and encourage access, not to limit the flow of information or connections between networks. It is not too much of a stretch to compare modern computer networks to a series of neighborhoods where the houses were built to allow people to move freely from one house to another. As a result, businesses must take steps to understand the vulnerabilities of networks and equipment as they come “out of the box,” and then implement appropriate protections. Some of the below in condensed form can be found here.

Protect Information By Limiting Access to It

Because the default settings of computers and networks allow connections and access across networks, you must control who logs on to your networks and uses your computers and other devices. Apply the concept of “least access privilege” to your networks and your physical space, so that only those people who have a need to use nonpublic information can access it.

Protect Information with Security Software and Update that Software

Use security software and make sure it updates regularly, preferably on an automated basis. Update your hardware and software regularly. Hackers systematically seek to exploit vulnerabilities in software or equipment that has not been updated or patched. The failure to update and patch makes you an easy mark, like having a house with no front door.

Protect Information by Encrypting It

Consider encrypting nonpublic information at rest (while you are storing it) and in transit (as you send it and receive it). Notification laws in many jurisdictions exempt businesses from the requirement to notify individuals of an incident involving their personal nonpublic information if that information has been encrypted.

Protect Information Through Backups

Back up information regularly, and according to a plan. Use offsite backups, especially if your locations are subject to severe weather events or other disruptions.

Protect Information and Devices Through Secure Deletion and Destruction

Have a policy for securely disposing of information and equipment you no longer have an obligation or business reason to keep. Remember that computer equipment stores large amounts of information until that equipment is properly destroyed.

Train Your People to Protect Your Information and Your Business

Conduct regular training in information security and the threats employees may encounter, emphasizing the critical role every member of the team plays. Keep in mind the significant role that the “human factor” plays in security incidents.
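The Identify step above (list what you have, draw out how information flows, note what is entrusted to vendors) and the Protect controls that follow it (least privilege, encryption at rest and in transit, offsite backups, secure deletion) can be captured in a small inventory that checks itself for gaps. The following Python is an added example, not code from the original post or from the FTC or NIST; the asset records, vendor name, and the "at most two roles" threshold are constructed for illustration.

```python
"""Minimal information-flow inventory with control-gap checks.

Added example (not from the original post): models the "draw out how
information flows" exercise and the Protect-phase controls as a small
Python structure, then flags nonpublic assets whose handling is
missing a control. All asset records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    name: str                      # e.g. "customer payment records"
    nonpublic: bool                # does it need protection at all?
    storage: str                   # where it lives
    who_can_access: List[str]      # roles, not individuals
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    backed_up_offsite: bool
    retention_policy: bool         # documented disposal rule exists?
    third_party: str = ""          # vendor name if entrusted externally
    vendor_contract: bool = False  # does a contract cover that vendor?


def control_gaps(asset: Asset, max_roles: int = 2) -> List[str]:
    """Return the Protect-phase controls an asset is missing.

    Public information has no gaps by definition: the Identify step
    decides what needs protecting, and everything else is out of scope.
    max_roles is an assumed threshold for the least-privilege check.
    """
    if not asset.nonpublic:
        return []
    gaps = []
    if len(asset.who_can_access) > max_roles:
        gaps.append("least privilege: too many roles can access")
    if not asset.encrypted_at_rest:
        gaps.append("encryption at rest")
    if not asset.encrypted_in_transit:
        gaps.append("encryption in transit")
    if not asset.backed_up_offsite:
        gaps.append("offsite backup")
    if not asset.retention_policy:
        gaps.append("secure deletion / retention policy")
    if asset.third_party and not asset.vendor_contract:
        gaps.append(f"vendor '{asset.third_party}' without contract")
    return gaps


def gap_report(assets: List[Asset]) -> dict:
    """Map each asset name to its list of missing controls (empty if none)."""
    return {a.name: control_gaps(a) for a in assets}


# Constructed sample inventory for a small business.
SAMPLE_ASSETS = [
    Asset("employee payroll records", True, "HR file server",
          ["HR", "Finance"], True, True, True, True),
    Asset("customer mailing list", True, "marketing SaaS",
          ["Marketing", "Sales", "Support", "Interns"], True, True,
          False, False, third_party="MailVendor Inc (constructed)",
          vendor_contract=False),
    Asset("public price list", False, "website",
          ["Everyone"], False, False, False, False),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_ASSETS).items():
        status = "OK" if not gaps else "; ".join(gaps)
        print(f"{name}: {status}")
```

The point of the structure is that the questions the post asks on paper (where is it stored, who has access, what happens when it is no longer needed, is a vendor involved) become fields that have to be filled in for every asset, so a missing answer shows up as a gap rather than being forgotten. Running the sample reports the payroll records and the public price list as OK and lists four gaps for the mailing list.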

Detect

Once you’ve identified what needs protecting and developed a plan to protect it, take steps to keep an eye on your network and the people using it. Detection involves monitoring your computers and networks for unauthorized access, keeping track of your devices (like thumb drives), and knowing how your software is being used. Detection may include vulnerability scans and threat assessments on a regular basis, and making updates and changes based upon the results.
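Monitoring for unauthorized access, as the Detect step describes, means turning log records into alerts someone will actually look at. The Python below is an added example, not code from the original post or any product it mentions; the log line format, the threshold of five failures in ten minutes, and the 08:00 to 18:00 business hours are assumptions, and the log lines are constructed.

```python
"""Simple detection over authentication log lines.

Added example (not from the original post): the Detect step says to
monitor computers and networks for unauthorized access. This scans
constructed auth log lines for two common signals: a burst of failed
logins from one source followed by a success (possible password
guessing), and a successful login outside business hours.
The line format, thresholds and business hours are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> FAILED|SUCCESS user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def find_alerts(lines, fail_threshold=5, window=timedelta(minutes=10),
                business_hours=(8, 18)):
    """Scan lines in order and return a list of human-readable alerts."""
    alerts = []
    failures = defaultdict(list)  # source address -> timestamps of failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # lines that are not auth records are ignored
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "FAILED":
            failures[src].append(ts)
            continue
        # A success: count the failures from the same source inside the window.
        recent = [t for t in failures[src] if ts - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(f"{ts} brute-force success: {ev['user']} from {src} "
                          f"after {len(recent)} failures")
        failures[src] = []  # reset once the source has logged in
        start, end = business_hours
        if not (start <= ts.hour < end):
            alerts.append(f"{ts} off-hours login: {ev['user']} from {src}")
    return alerts


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2019-01-29 09:02:11 SUCCESS user=alice src=10.0.0.5
2019-01-29 13:00:01 FAILED user=bob src=203.0.113.9
2019-01-29 13:00:05 FAILED user=bob src=203.0.113.9
2019-01-29 13:00:09 FAILED user=bob src=203.0.113.9
2019-01-29 13:00:14 FAILED user=bob src=203.0.113.9
2019-01-29 13:00:20 FAILED user=bob src=203.0.113.9
2019-01-29 13:00:27 SUCCESS user=bob src=203.0.113.9
2019-01-29 23:41:03 SUCCESS user=carol src=10.0.0.7
this line is not an auth record
""".splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

On the sample log this produces two alerts: bob's success after five rapid failures, and carol's login at 23:41. Alice's morning login produces none, and the malformed line is skipped rather than crashing the scan. The thresholds are parameters because the right values depend on the business; the structure (parse, keep a little state per source, emit an alert a person can act on) is what carries over.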

Respond

Plan ahead for how you’ll respond if your business is the target of an attack, or experiences an incident that affects information, equipment, or your ability to conduct business. Reacting without a plan is very different from responding according to a series of predetermined steps. More specifically, trying to figure out whom to contact in the middle of a crisis event is much more difficult than knowing whom to call in advance.

Consider how you’ll do the following things should an event occur:

  • keep your business operations up and running while you address an event;
  • notify customers and others whose information may be at risk;
  • report the event to law enforcement and other authorities; and
  • investigate and contain any attack, and restore systems to working order.

After an event, update your security policies to reflect lessons learned. Test your plan periodically even in the absence of an event.

Recover

Restore affected equipment and parts of your network. Keep employees and customers informed about the steps you’re taking to recover.

Conclusion: Security is an Ongoing Process

The Framework is shown as a circle for a reason: to emphasize that the processes described are ongoing. A security program has to be reviewed and updated, and is always a work in progress.


Jack Pringle

Litigator, appellate advocate, regulatory and information technology attorney @adamsandreese, Information Privacy Professional (CIPP-US)