Nine Steps To Creating An Information Security Plan
Global IT provider Eze Castle Integration has been running an educational programme for October's Cyber Security Month and on Thursday, October 4th, hosted a webinar entitled '9 Steps to Creating an Infosec Plan'. AlphaWeek is publishing edited transcripts of these webinars. The speakers are Matt Donahue, Business Continuity Consultant, and Steve Banda, Senior Product Manager, moderated by Olivia Munro, Senior Marketing Specialist.
Matt Donahue: I review a lot of different types of information security plans. They come with different titles and names, but typically they include a collection of different policies, procedures and guidelines. Policies should be high level and don't need to get granular; they should be relatively static. Procedures and guidelines tend to be more dynamic, and they should be, because they are built around people, process and technology, and as those things change within a firm, so should the procedures and the guidelines.
When you are developing a plan or re-evaluating it, finding a template online is going to be helpful in putting it together, but it needs to be customised to your actual organisation and to the expectations of certain activities that are going to be completed without it. There are a lot of things that need to be reviewed and maintained, and it's not something that can happen overnight, so it does take work.
Step 1: Regulation and Industry Best Practice
The first step in developing it is to start with the requirements: what you need to do based on the regulatory landscape that you face. A lot of firms are going to be subject to regulation by different federal or international bodies or agencies. Understanding all these different kinds of considerations and their requirements is key. Different types of authorities in different industries and different jurisdictions have certain requirements that your business might be subject to. It's a layer that you're going to have to examine to make sure that you're on the same page.
There are other industry-specific self-regulatory or self-imposed groups that have different practices or requirements for both information security and continuity that you should be aware of. A lot of the pressure that firms face comes from external pressures from investors, auditors or other external parties. They're asking about these different types of activities that you may or may not be doing, and requesting that you do some of these other types of services or activities. There's a lot of pressure coming in, not only from the regulatory bodies, but also from external parties that are not specifically a regulator.
Step 2: Internal Responsibilities
Once you have a good understanding of step 1, it's also good to look at responsibility within your own firm: who is going to supervise this and who is going to be responsible for it? Governance oversight is really about responsibility, but a lot of this has to do with expectations, both within your own firm across the various roles and with some of the different parties that you work with. Initially, you should look at who's going to be responsible for these plans, these programmes and the different activities that happen, so that you can create a schedule of the different things that you want to have happening throughout the year, like your annual reviews.
Having specialised teams of people who are aware of what they need to be doing during these time periods is critical for communicating correctly if there are any issues. A missed communication could mean that threats go undetected for longer periods of time. Another thing to consider is your expectations of vendors or service providers, because if there's an incident that might impact their firm, you're going to want to know how they're going to communicate with you, what the expectations are in terms of service level agreements, and that everything is covered. If a critical tool that you use is down, you want to work with groups that are going to be responsive, so it's about making sure that everybody is aware of the responsibilities and the expectations on both sides.
Step 3: Asset Inventory
Take an asset inventory. When I say assets, I'm talking about both hardware, like physical devices, and software, like systems and different applications. It's really just taking a look and seeing what you have. This should be something that is kept up to date as frequently as possible. Tools are available for this; some are paid-for services and some are community or free tools online. They can help you to manage this process on a continuous cadence.
You don't want people attaching different types of hardware that you're not aware of to your network, or downloading different types of software; essentially, anything that you can't account for, because you can't determine what the risks might be. Even if it's coming from a good source, those are the things that you want to control and avoid, and not allow people to bring into your network or into your firm.
Taking an asset inventory allows you to prioritise them. Talk about the criticality to the business and classify them accordingly. This helps not only from an organisational standpoint, but also in determining risk.
Understanding the value to the business of all of your assets enables you to determine what that asset value is on an annual basis. Depending on what it's used for, you can then make more informed decisions regarding risks or disruptions to your business that might be caused by either cyber security-type events or other events like a continuity issue. It's good to have some metrics in place around that.
Step 4: Data Classification
You should be classifying the different information that you collect, share and have obtained, whether that is personally identifiable information, protected health information, non-public information or even financial data. Some of these data types might not be defined in the same way in every place; different jurisdictions have different definitions. It's important to know what those definitions are and how that information is handled internally at your firm.
You should also look at where this information resides within your organisation. How is it brought into your organisation? How is it managed? What retention policies might be in place? Who has access to it? Oftentimes, once you can classify it, you can come up with a process and role-based access privileges so that people who shouldn't be accessing the data cannot.
Once you have achieved this, you can audit it. One option to do that is to run a tracer: if you're looking at a business process or a data type, you can see where it would come into your organisation and where it stays. Again, retention policies should be in place.
Working on a unit-by-unit approach is also recommended, because there's a lot of work that goes upstream and downstream. One department may not realise that another department is using the same information and is storing it in different locations. Working with the different business owners and different groups is a good way to help ensure that everything's accountable up and down the line.
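Step 3 above says the point of the inventory is to notice anything attached to the network that you cannot account for, and to keep that check running on a cadence rather than doing it once. One concrete way to do that, as an added example that is not part of the webinar or of Eze Castle's tooling, is to reconcile the inventory against a neighbour-table snapshot on a schedule. The inventory records, their field names (mac, host, owner, criticality) and the `ip neigh`-style lines below are all constructed for illustration:

```python
"""Reconcile an asset inventory against what is actually answering on the network.

Added example, not code from the webinar or from Eze Castle Integration.
The inventory records and the neighbour-table text are constructed sample
data; the field names (mac, host, owner, criticality) are assumptions.
"""
import re

# Constructed inventory: what the firm believes is attached to its network.
INVENTORY = [
    {"mac": "00:1a:2b:3c:4d:01", "host": "fs01",    "owner": "IT",       "criticality": "high"},
    {"mac": "00:1a:2b:3c:4d:02", "host": "pm-lt1",  "owner": "PortMgmt", "criticality": "high"},
    {"mac": "00:1a:2b:3c:4d:03", "host": "ops-ws2", "owner": "Ops",      "criticality": "medium"},
    {"mac": "00:1a:2b:3c:4d:ff", "host": "gw01",    "owner": "IT",       "criticality": "high"},
]

# Constructed snapshot in the shape of Linux `ip neigh` output, one entry per line.
NEIGHBOUR_TABLE = """\
10.0.1.10 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.0.1.22 dev eth0 lladdr 00:1A:2B:3C:4D:02 STALE
10.0.1.57 dev eth0 lladdr a4:83:e7:11:22:33 REACHABLE
10.0.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:ff REACHABLE
10.0.1.99 dev eth0 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(?P<state>\S+)"
)
RANK = {"high": 0, "medium": 1, "low": 2}  # order for reporting unseen hosts


def parse_neighbours(text):
    """Return {mac: (ip, state)} for every line that carries a link-layer address.

    Entries without `lladdr` (for example FAILED probes) are skipped. MACs are
    lowercased so that differently cased sources compare equal.
    """
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            seen[m.group("mac").lower()] = (m.group("ip"), m.group("state"))
    return seen


def reconcile(inventory, seen):
    """Compare the inventory with the observed hosts.

    unknown: (ip, mac) pairs on the wire with no inventory record, i.e. devices
             you cannot account for and therefore cannot risk-assess.
    unseen:  inventoried hosts that did not appear, highest criticality first;
             either offline, moved, or a stale inventory record.
    """
    known = {rec["mac"].lower(): rec for rec in inventory}
    unknown = sorted((ip, mac) for mac, (ip, _) in seen.items() if mac not in known)
    unseen = sorted(
        (rec for mac, rec in known.items() if mac not in seen),
        key=lambda rec: (RANK.get(rec["criticality"], 99), rec["host"]),
    )
    return {"unknown": unknown, "unseen": [rec["host"] for rec in unseen]}


if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_neighbours(NEIGHBOUR_TABLE))
    for ip, mac in report["unknown"]:
        print(f"UNKNOWN device {mac} at {ip}: not in inventory, investigate")
    for host in report["unseen"]:
        print(f"UNSEEN inventoried host {host}: verify it still exists or retire the record")
```

A single neighbour table only covers the local segment and hosts that have recently exchanged traffic, so treat an "unseen" result as a prompt to check rather than proof of absence. Feeding DHCP leases, switch MAC tables and the endpoint agent's host list into the same comparison gives a fuller picture, and the same reconcile() shape applies to the software side of the inventory (installed-package lists against an approved-software list).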
Step 5: The Available Security and Safeguards
Steve Banda: The classification and protection of data is an essential part of the security plan, but the variety of technology systems needed to protect data can seem overwhelming.
One way to think about this is to apply different layers of protection. It's important to keep in mind your evaluation of your organisation and where there may be gaps relative to this.
First, there is perimeter network security: antivirus, patching, email security, spam filtering solutions, firewalls, etc. This could also encompass your intrusion detection or prevention systems. These are the perimeter network security components to keep in mind.
Next, you will have your access control measures. You need to make sure that you have secure remote access when connecting remotely from outside the office. Additionally, by utilising a mobile device management (MDM) tool you can ensure that if a mobile device is lost or stolen, your IT firm or your firm can remotely wipe the device, preventing data from being compromised.
Then you want to have the balance between your written safeguards and your technical safeguards and the controls that you implement. Document the procedures and the technical safeguards; they work together and support one another, enhancing your plan as a whole.
Employees are the first line of defence, so you want to make sure that users have strong passwords and that they're updating them frequently, and that they're automatically enforced through group policies.
Finally, for this step, you have the critical component of testing employees through various situations, such as phishing and training exercises, or completing cyber security training. All of this works together to really enhance the security of your plan and make sure that you're backing up whatever is written.
Step 6: Cybersecurity Risk Assessment
Once you have the security controls and policies written and in place, a good next step is to consider doing a cyber security risk assessment of your firm. The goal here is to understand the cyber security risks to the operation, the functions, the reputation, and the organisational assets of your firm. It's a balance between what risks are acceptable to you and your business and which ones you'd like to take actions against, whether that means mitigating these, creating contingency plans, or just accepting that risk and leaving it as it is.
However, this is also where you look at the company's culture, the cost, and any other potential problems that you may encounter if you choose to implement a strategy. For example, what is the impact on the organisation from employing multifactor authentication where users would have to log in and enter a code from their phone? It could be negative, it could be positive. What's the long-term benefit to your business?
Either way, based on the resources that you want to spend, you need to make good business decisions for your firm. Conducting a risk assessment typically involves performing an internal or external vulnerability assessment, which could expose potential threats, or looking at some of the external resources or third parties and where the threat lies there, and then determining your enterprise risk and likelihood and coming up with an action plan. You want to identify and prioritise the risk responses, so you know which ones you are responding to first. Most companies conduct routine vulnerability assessments and have software and tools that can scan the network to determine what services are running or what might look out of place.
A key message here as well is that if you're not conducting risk assessments today, you certainly can start small and evolve. There's a lot of guidance out there that recommends completing robust cyber security assessments. Whilst we recommend this as a best practice, the key message and key takeaway here for cyber risk assessments is that if you don't have something in place today, start small and let the process mature as you evolve.
Step 7: Third Party Vendors
We really see a potential for increased risk and exposure as firms leverage more outside firms or third-party relationships to provide solutions to their customers and to support their business, so it's really important to look at your third-party vendors and see what expectations you need to set with them, so that you can manage the relationship effectively.
We suggest having a process and a checklist in place for all your vendors so that you can send these to them annually and make sure that they're establishing the guidelines that your business establishes as acceptable, particularly around the IT policies of that third party. Here you really want to understand what their written and acceptable use policies are and any workaround solutions that they have in place in case your data is compromised.
One of the common things to look out for is whether they have access to your firm's confidential information. How are they storing it, how long are they keeping it for, and which employees at their firm would be accessing that information? Are they SOC 2 compliant? For example, Eze Castle's cloud services are SOC 2 compliant and audited annually to ensure compliance. You're going to want an official audit report from your third party. How often do they have a third-party security and penetration test done on their network, and how well do they train their employees in their policies and procedures? It's all part of the vendor life cycle. You should be reviewing the critical vendors at least annually to discover any changes to their solutions and, consequently, whether it's worth staying with that vendor or moving to another.
Step 8: Creating an Incident Response Plan
It's not if, but when, a breach is going to happen. Having a proper incident response plan in place is crucial for that. When an incident does occur and disrupts the day-to-day running of your business, you will have outlined the actions that those responsible should take. We do see instances of response plans being a little light, but you do need to have a plan and assume that it's going to happen at some point. Your plan needs to be realistic and specific to your firm, and your vendors may have a stake in understanding which other vendors may have a stake in your response as well.
When creating this plan, one key message is that it should be a collaborative effort with external and internal parties, including people from operations, personnel and HR; any specific employees that would know how to properly respond to events should be included. It's not appropriate to pin this on one person or one vendor. All departments and outside counsel should be reviewing this to see if there are any areas that might have been missed. It's conducting due diligence on your own policies by including individuals from various disciplines within and external to the organisation. Having these conversations ahead of time is important because it's going to set the expectations, roles and responsibilities so that you can execute correctly when that incident does occur. It's not something you want to leave until the last minute; you want to get ahead of it and do it upfront. Table-top exercises include running through the actual breach scenarios and the procedures that you have in place to support the response.
This is a living document that you'll need to constantly evaluate. Making sure it's accurate and realistic for your firm on an ongoing basis is critical.
Step 9: Testing and Training Your Employees
Matt Donahue: It's one thing to have these different plans, but you need to get people to take those and make those specialised tweaks based upon experience. You need to walk people through them, make them understand it, and you need to train people on the policies and procedures. If you don't have people understanding what their responsibilities are and what they're supposed to be doing, then it's hardly fair for you to have any expectations of them following it. Annual training on the policies and procedures for all employees in the firm should be a minimum. Review any specific role responsibilities: if you're an employee on a team that's going to be handling an incident, your training should obviously include the general training your other employees would receive, but it should also be specific to your role. The expectation is that it gets you a little more acclimatised to what those special types of responsibilities are, and gives you a little bit more experience so you can better handle it if an incident does come up.
You should potentially simulate different types of incidents, and you can do those with two different table-top exercises; they're no-fault and low-cost if you have the time to do them. Walking through these and getting people familiar with the process enables you to understand and learn from situations like: "that was the stuff we wrote down, but that actually wouldn't work here because so-and-so wouldn't be doing this, or he'd be focused on that, or she'd be communicating with these parties." That's how you can really make sure that everything's going to be accurate, the way it should be.
Another thing to look at is different types of simulations. Phishing is a major threat, and something that continues to be an issue year on year. Sometimes it's hard to prevent employees from clicking on them, because it does come from a domain that's close and it does look like something that's going to be clicked on. So it's an imperfect thing if there's a human element to it, but training and educating them and testing them enables you to get the metric to see if things are going well. Testing your policies and your plans, and auditing them, is always useful as well to show that you're going through additional steps to make sure that things are the way that you have them spelled out, and that they're following better practices.
When you're looking at different types of information security plans, or plans in general, if you haven't done these things or you're not competent in them based upon what we talked about today, it's probably a good time to develop them or to re-evaluate them. And it should be a cyclical approach where every year you review the different items that you're going to be doing. There's the policy side, there's the technology side, there's the incident response areas. All of these things should be reviewed and updated as needed, but at a minimum annually. So if you haven't done it, start doing it; otherwise you're putting yourself at risk of a fine or something worse.
Matt Donahue and Steve Banda were talking to Olivia Munro, Senior Marketing Specialist, Eze Castle Integration.
© The Sortino Group Ltd