I have been a member on many merger and acquisition teams where my primary responsibility was to audit a company’s security practices and give my assessment of the security risk identified in the proposed transaction. It never ceased to amaze me how many companies were not following the security practices outlined in their own policies. Even worse, there were more companies than expected that had no real security policy at all. For years, it was commonplace for some companies to purchase security policies based on a framework, or search the internet for security policies that looked good, and then pass them off as their official corporate security standard. The problem with this smoke and mirrors approach is that, eventually, someone is going to look close enough, realize your security program isn’t what you say it is, and your credibility is lost.
I don’t want to suggest that purchasing a security policy based on a framework is bad, but simply adopting any random policy or framework without certain considerations, which we’ll explore below, may result in pitfalls or challenges for your company.
Understanding the Context of your Company
Context is the purpose and strategic direction of your company. Your company should determine any external and internal factors relevant to your purpose, as well as any circumstances your company may have that could affect the adoption of a security framework. For example, if your customer base generally comes from highly regulated industries, you may choose a framework different from one used for a company in a specialized niche market.
Make sure you understand the needs and expectations of relevant parties (e.g. business, compliance, legal, regulatory), as well as client/contractual obligations. Additionally, be sure to note the scope of your information security management system (Note: Too broad and it will be very difficult to manage, but too narrow and it won’t do you any good).
Ensure Leadership Commitment
You have probably heard that everyone is responsible for information security, but it is the company’s leadership that is accountable for it. Decisions about your information security program shouldn’t be made in a vacuum; they need to be made in alignment with business strategy and goals. Leadership should understand the risk to the company, decide how much of it the company is willing to accept, and then visibly champion its support and commitment for the information security program.
It is also a good idea to set up a cross-functional committee of senior management that can track adoption and governance of your company’s security across all areas and business units. This committee should report, identify, and track concerns, gaps, and risks, as well as regularly report this security posture to company leadership.
So Many Frameworks, So Little Time
Once you have an understanding of your company’s context, it will be easier to choose a framework that best fits your company. There are dozens of information/cybersecurity frameworks to choose from, and in many cases you will adopt parts of several of them in order to meet your overall organizational information security needs. Frameworks overlap heavily, so it is common to map a control from one framework to its equivalent in another (a control crosswalk) so that a single implemented control can demonstrate compliance with several standards at once. Listed below are some examples of common frameworks:
• ISO 27000 Series
ISO 27001 is the certifiable standard in the series (ISO 27002 supplies the control guidance it references). While it has greater acceptance outside the United States, it is considered a solid standard among information security frameworks. One pitfall for ISO is that the implementation and certification process can be long and difficult.
A good structure for publicly traded companies that will help align compliance with Sarbanes-Oxley (SOX).
• NIST SP 800-53
NIST SP 800-53 is a catalog of security and privacy controls published by the National Institute of Standards and Technology. US federal agencies are required to implement it in order to meet the requirements of the Federal Information Processing Standards (FIPS). However, the controls can be adopted by any organization in any industry.
• HITRUST CSF
HITRUST CSF is a certifiable framework built around the security requirements of healthcare providers and the technology vendors that serve them. It harmonizes hundreds of requirements drawn from several regulations and standards (HIPAA among them) into a single set of controls.
• PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS is an information security standard for companies that store, process, or transmit credit and debit card data. It is administered by the PCI Security Standards Council, which establishes the control objectives, requirements, and revisions needed for compliance.
Putting Your Framework into Action
As you adopt controls and standards from various frameworks, it is important for the outcome to be achievable, adaptable, and attainable.
• Achievable – It will not do your company any favors to list every control possible and then fail to comply with the ones you cannot actually meet. Keep it realistic: enforce the controls you can today, and continue to mature your security controls, policy, and processes over time as resources and business needs allow.
• Adaptable – Established security controls and a well-written policy should be adaptable, so that as the company ebbs and flows they require only minor changes or updates. If you have a good core policy that is properly maintained and reviewed regularly, it will be easier to adapt as your company encounters change.
• Attainable – Even with leadership support, governance of security controls and policy is not easily attained. Companies need to invest in their information security program in order to make it successful. Here are a few ways you can keep your security efforts attainable:
--Assessment – Regularly assess your program by performing security walkthroughs, looking for compliance violations, and conducting vulnerability assessments to find weaknesses that could be exploited if not addressed. Audit your full program no less than annually to confirm you are actually following your established controls, policy, and standards, not just that the documents exist.
--Training – Make sure the staff responsible for maintaining your information security program receive regular training or have obtained and maintain personal security certifications.
--Security Awareness – The best policy ever isn’t going to be as effective if the company does not have awareness around why controls are being enforced the way they are. In addition to requiring new hire and annual security awareness training, consider articles, posters, and friendly competitions and games to help make awareness fun. Once a person understands the why, they are more likely to want to comply.
Trust But Verify
An old Russian proverb, “Trust but verify,” was frequently used by Ronald Reagan during his tenure as the 40th President of the United States. You can expect clients and prospects to apply this proverb to you as they consider which print/mail service provider to entrust with their data.
Here are a few questions clients are likely to ask:
• What type of data elements will you need to produce the work? If those data elements contain sensitive PII or PHI, are you independently certified to securely produce that work?
• Do you have the capacity to produce the needed volumes? If not, will you need to outsource work in order to make deadlines?
• Are you solvent, or having financial problems? Clients will want to validate some core company integrity checks to minimize the risk of processing disruptions:
--Dun & Bradstreet risk management report
--Credit history checks
--Industry references check
--Company balance sheets
• Clients will want to thoroughly audit your information security program:
--Have you had a past breach?
--Do you have dedicated information security staff?
--Do you carry cybersecurity insurance, and how much?
--Do you have an independent audit report you can share to show you are certified?
--Is your business resiliency capable of supporting their business if you suffer an outage?
--How much money do you dedicate to information security each year?
--Are you doing what your policy says?
Having been involved on both sides of an audit, I can usually spot a good audit right away. Is this just a compliance checklist audit, or is the auditor going to examine us deeply? Information security programs should evolve and grow, and an audit is one way to make a security practice better.
When I am conducting an audit as part of an acquisition or a supplier review, there are a few questions I like to ask:
• What is your biggest security concern, and do you have adequate budget and expertise to properly address that risk today?
• Do all employees have a clear picture of your company’s overall security policy, and how can they help make it better?
• What does leadership not know about your information security program, but you wish they did?
Ask yourself: The next time a client or prospect is reviewing your security practice, will you be able to demonstrate that you take information security to heart, or is your approach just smoke and mirrors?
John Murray is director of infrastructure and security at IWCO Direct, where he is responsible for developing data security policies and procedures that adhere to the company’s security standards. You can reach him at firstname.lastname@example.org.
This article originally appeared in the July/August, 2021 issue of Mailing Systems Technology.