What you need to know to manage a *minimal* information security program in a corporate context.

Source: https://www.cam.ac.uk/news/cambridge-to-host-transatlantic-cyber-security-competition
Before getting started, it’s important to note that there is no single structure or model for information security governance and management. Several models have their advantages and disadvantages. Let’s go back to the basics to better build the structure.
The aim of an information security program is to understand and manage the risks associated with the company.
So before starting any security program, it’s important to ask yourself a number of questions:
- What is our general knowledge of the main information security threats?
- Do we know the threats associated with our business sector?
- Do we have any particular risks associated with our business model?
- Are there any issues associated with our organization, such as staff turnover, unqualified teams, use of subcontractors, etc.?
- Are there laws, norms and standards associated with our sector that we should know about and master in order to comply with them?
Finally, we need to recognize the elephant in the room, i.e. the resources available to the company, both in terms of money to pay for software licenses, subscriptions and hardware, and in terms of human resources. What is the level of knowledge of our information security staff?
Management’s role
Security has to start at the top, and it’s up to management to set the pace for information security. Company management must understand the two levers at its disposal. These two levers (means) are what management uses to steer or adjust its security program.
The 1st lever is to define information security objectives or needs. An objective must be “S.M.A.R.T.” (Specific, Measurable, Achievable, Relevant, and Time-bound). It’s also important to understand that information security objectives fall into 3 broad categories:
- protecting the **confidentiality**,
- maintaining the **integrity**,
- assuring the **availability** of these information systems.
Management therefore needs to answer the question: “What does it mean to become secure?” The CISO’s role is to advise and support management in finding this answer, since “we want everything to be secure” is not a good answer.
Here are a few examples of objectives:
- Becoming compliant with a standard (PCI-DSS, ISO 27001, QC-Law 25, Cyber Security Canada)
- Ensure all systems are updated within 30 days
- Ensure that any vulnerabilities discovered are corrected within 15 days
- Provide 99.9% reliable cloud service
- Promote, encourage and structure continuous improvement in information security.
- Implement an employee awareness and education program.
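Two of the objectives above are measurable by construction (systems updated within 30 days, vulnerabilities corrected within 15 days), which is exactly what lets management read a report and decide whether to move the objective or the resources. The script below, an added example that is not part of the original article, shows what such a report can look like. The host names, dates and findings are constructed; the 30-day and 15-day windows are the article’s own figures, and an open finding counts as a breach as soon as it exceeds the window.

```python
"""Report progress against two measurable objectives: systems updated within
30 days and vulnerabilities corrected within 15 days. Added example; all
systems, findings and dates below are constructed, not real."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_SLA_DAYS = 30          # objective: every system updated within 30 days
VULN_SLA_DAYS = 15           # objective: every vulnerability fixed within 15 days
REPORT_DATE = date(2024, 6, 1)   # constructed "as of" date for the report


@dataclass(frozen=True)
class System:
    name: str
    last_patched: date       # date the last update cycle completed on this host


@dataclass(frozen=True)
class Finding:
    system: str
    title: str
    discovered: date
    fixed: Optional[date]    # None while the finding is still open


# Constructed inventory (hypothetical hosts, not from the article)
SYSTEMS = [
    System("web-01", date(2024, 5, 20)),
    System("db-01", date(2024, 4, 1)),        # 61 days old at the report date
    System("switch-core", date(2024, 5, 28)),
]

# Constructed vulnerability register
FINDINGS = [
    Finding("web-01", "outdated TLS library", date(2024, 5, 1), date(2024, 5, 10)),    # fixed in 9 days
    Finding("db-01", "default admin password", date(2024, 5, 5), date(2024, 5, 30)),   # fixed in 25 days
    Finding("switch-core", "unauthenticated SNMP read", date(2024, 5, 25), None),      # open for 7 days
    Finding("db-01", "missing OS patch", date(2024, 5, 10), None),                     # open for 22 days
]


def patch_compliance(systems: List[System], as_of: date) -> Tuple[float, List[str]]:
    """Return (fraction of systems inside the window, names of systems outside it)."""
    late = [s.name for s in systems if (as_of - s.last_patched).days > PATCH_SLA_DAYS]
    return (len(systems) - len(late)) / len(systems), late


def vuln_compliance(findings: List[Finding], as_of: date) -> Tuple[float, List[str]]:
    """Return (fraction of findings inside the window, descriptions of breaches).
    A finding breaches when it was fixed late, or is still open past the window."""
    breaches = []
    for f in findings:
        closed_or_now = f.fixed or as_of
        if (closed_or_now - f.discovered).days > VULN_SLA_DAYS:
            breaches.append(f"{f.system}: {f.title}")
    return (len(findings) - len(breaches)) / len(findings), breaches


def management_report(as_of: date = REPORT_DATE) -> dict:
    """The figures a CISO would put in front of management for the period."""
    patch_met, late = patch_compliance(SYSTEMS, as_of)
    vuln_met, breaches = vuln_compliance(FINDINGS, as_of)
    return {
        "patch_sla_met": round(patch_met, 2),    # 0.67: 2 of 3 systems in window
        "patch_late": late,                      # ["db-01"]
        "vuln_sla_met": round(vuln_met, 2),      # 0.5: 2 of 4 findings in window
        "vuln_breaches": breaches,
    }


if __name__ == "__main__":
    for key, value in management_report().items():
        print(f"{key}: {value}")
```

Reading the output is the point: one stale database host and two overdue findings on the same host tell management whether the problem is the objective (too aggressive) or the resources (nobody has time to patch db-01), which is the choice between the two levers.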
The 2nd lever represents the resources it makes available to the operational team to achieve the previously defined objective.
The budget is important at this stage, as it defines the costs (salaries, technologies, licenses, etc.). Various studies by the analyst firm Gartner, including one from December 2016, report that the companies studied spend an average of 5.6% of their overall IT budget on cybersecurity, with a range of around 1% to 13%.
This gives us an idea of what a standard information security budget looks like. Unfortunately, there is no such thing as a uniform budget, even within the same business sector.
Sample budget items
- Training and awareness: $20/user/year
- Intrusion test (penetration test): $10k to $20k
- Vulnerability management: $5,000 per year
- Password vault: $100/year/user
- Backup tools: $20/100 GB/month
- SIEM: $10,000
- Mobile device manager (MDM): $10 to $40/year/device
- Antivirus: between $20 and $100/year/device
- Virtual CISO: $60k to $200k per year
- Risk insurance: depending on your customers and structure, but possibly $10k to $15k
So choose your budget based on the quality, cost and timeframes estimated for your objectives.

Choose which one to prioritize!
It’s the role of the operations team to propose and implement a plan with these two constraints in mind (objectives and resources). The team must also provide regular reports on the achievement of objectives or the need for different resources.
Management can then choose to change the objective or the resource allocation. So, by moving these two “levers”, management can adjust its security program and achieve an acceptable balance.
What team do you need?
The quick and easy answer to the question “What is the minimum team we should have in place in our organization to manage the security of our information systems?” is:
At the very least, this involves appointing a person responsible for information systems security. He or she becomes the CISO (Information Systems Security Manager).
This person must have the authority, skills and flexibility to make risk management decisions on behalf of the entire organization, in collaboration with the owners of the various assets. It must also be understood that this person is the central point of entry and exit for enterprise risk management decisions.
In an ideal world, the CISO should not be the company’s IT director: he or she should have the flexibility and independence to provide thought leadership and a true account of the state of systems security to management.
The use of an external firm is useful in order to have this independence and to obtain a neutral and objective assessment of the situation.
Are there any minimum procedures?
The enemy of security is complexity. Documentation and procedures must be simple, easy, reliable and used by as many of the organization’s employees as possible to ensure their accuracy and smooth operation.
The aim of the security program is to find out what type of information the company possesses, where it is located and what type of threat it faces, so that the appropriate protective measures can be implemented.
This is why the task of discovering and identifying the type of data used and processed by the company must be documented and validated: consistency between documentation and operations is the basis of a security program.
So the minimum procedures that a company must have operationalized are:
- Incident management: To know what to do in the event of an information security incident.
- Patch management: a method for updating all the organization’s IT equipment as quickly as possible.
- Data backup procedure: Including steps such as creating data backups on external hard disks or servers, encrypting backups and testing backups for accuracy.
- BCP/DRP: A business continuity plan (BCP) is a plan that describes how a company will continue to operate in the event of a disaster. The plan identifies critical business functions and how they will be maintained in the event of a disaster. It also includes the steps involved in recovering data and restoring systems.
- Directive on access control to information systems and a procedure for regularly reviewing them.
- Training and/or awareness program for employees so that they are familiar with possible attacks, but above all with the tools used by the organization. For example, if the team doesn’t understand how the password vault works, then it won’t be used and won’t help the organization’s security!
- Regularly schedule an assessment of the technical security of information systems, with at least one security scan for vulnerabilities or a formal penetration test.
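The backup procedure above ends with “testing backups for accuracy”, and a backup that has never been restored is only a hope. The script below, an added example that is not part of the original article, shows the simplest reliable form of that test: record a SHA-256 manifest of every file when the backup is taken, then verify a restored copy against it and report files that are missing or silently corrupted. Encrypting the backup itself is left to the backup tool; this example checks only integrity. The directory layout and file contents are constructed so the check runs offline.

```python
"""Backup restore test: build a hash manifest at backup time, then verify a
restored tree against it. Added example, not from the article; every path
and file below is constructed for the demonstration."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256.
    Store this alongside the backup; it is what the restore test compares against."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        candidate = restored / rel
        if not candidate.exists():
            result["missing"].append(rel)       # file never made it back
        elif sha256_file(candidate) != expected:
            result["corrupt"].append(rel)       # contents differ from backup time
        else:
            result["ok"].append(rel)
    result["passed"] = not result["missing"] and not result["corrupt"]
    return result


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, then simulate
    one corrupted and one lost file so the test has something to catch."""
    work = Path(tempfile.mkdtemp())
    live, restored = work / "live", work / "restored"
    (live / "finance").mkdir(parents=True)
    (live / "finance" / "ledger.csv").write_text("date,amount\n2024-06-01,100\n")
    (live / "hr.db").write_bytes(b"\x00\x01\x02 constructed binary content")
    (live / "notes.txt").write_text("restore me\n")
    try:
        manifest = build_manifest(live)               # taken when the backup runs
        shutil.copytree(live, restored)               # stands in for the restore
        (restored / "hr.db").write_bytes(b"garbage")  # silent corruption
        (restored / "notes.txt").unlink()             # file lost in transit
        return verify_restore(restored, manifest)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    outcome = demo()
    print("restore test passed:", outcome["passed"])   # False in this scenario
    print("missing:", outcome["missing"], "corrupt:", outcome["corrupt"])
```

In practice the manifest is written next to the backup and the restore is done to a scratch location on a schedule; a restore test that fails is an incident under the first procedure in the list, not a note for later.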
What tools do I need?
When it comes to technologies and tools, different schools of thought exist, suggesting more or less aggressive approaches in terms of the minimum quantity or type of tools that companies should have in place. It’s important to remember, however, that the choice of tools must remain in line with the organization’s risks, information security objectives and available resources.
That said, in the current context, I think these tools are a must.
- A tool for rapid updating of all systems, including workstations, servers and network equipment such as switches, access points, etc. Don’t forget the connected devices on the organization’s network;
- A password vault for the whole team;
- The next logical step is to implement strong authentication, at least for systems exposed to the Internet, if not for all systems and all users.
- An endpoint protection tool with a centralized console for monitoring system protection status.
- A logging tool (SIEM): activate activity logging on systems and centralize these logs in another location to enable analysis and rapid alerting of the teams.
- A **backup** tool to encrypt data and validate its quality.
- A ticketing tool to keep track of the organization’s activities (a register), such as exceptions to standard configurations, incidents of varying severity that have occurred, temporary permissions granted to certain people and, of course, a record that control procedures have indeed taken place.
In conclusion
My goal here with you is to start the discussion for small businesses that don’t have information security expertise. The field can quickly become cumbersome and complex for an SME president to manage.
That’s why keeping the focus on security is a constant challenge for information security experts. The CISO and the business leader need to work as a team, with a common goal and a plan that is well understood by both.
I invite you to click on “Follow” to continue learning more about the field of information security.