What is Information Security and Why is it Important
Decades ago, businesses kept customer records in locked file cabinets in buildings secured by key badges and cameras. Now, much of that data is stored on lightning-fast, internet-connected servers capable of transmitting thousands of records per second to a successful hacker.
Companies must find cost-effective methods to safeguard data, protect customer privacy, preserve brand reputation, and avoid liability.
In this article, we’ll share insights that you can start to apply to your business today.
- What is it?
- Why is it Important?
- Security and Privacy—What’s the Difference?
- Implement Information Security (A Stepwise Plan):
  - Designate a Responsible Party.
  - Create a Risk Assessment.
  - Pick a Security Framework.
  - Document Security Policies.
  - Prioritize Next Steps.
1 – What is Information Security?
Information security is the practice of protecting spoken, written, printed, and electronic information from unauthorized disclosure, modification, loss, or destruction (whether accidental or intentional). Internal, customer, and third-party vendor information all fall within the scope of information security.
2 – Why Is Information Security Important?
It helps to:
- Protect from the increasing potential for civil or legal liability due to information inaccuracy, improper disclosure, or the absence of due care.
- Safeguard your company’s assets and those belonging to your customers, members, third parties, employees, and other entities.
- Support your company’s compliance with regulations, standards, and laws.
- Prepare for assessments – Your information security plan, policies, and procedures will serve as evidence to support applications for cyber insurance, responses to security assessments by prospects and customers, and independent audits when needed.
- Increase predictability and reduce uncertainty in business operations by lowering information security-related risks to definable and acceptable levels.
- Reduce losses from security-related events and provide assurance that security incidents and breaches are not catastrophic.
- Reduce risk to your company’s assets.
- Support the integrity of information and data.
- Reduce the influence of erroneous information on critical business decisions.
- Improve your brand’s reputation in the market (which can increase your company’s value).
3 – Security vs. Privacy (What’s The Difference?)
Data security is the practice of securing sensitive data and is primarily focused on preventing unauthorized access to data (via breaches or leaks), regardless of who the unauthorized party may be.
Data privacy, however, is concerned with ensuring the data an organization processes, stores, or transmits is ingested compliantly and with consent from the owner of that sensitive data.
Best practices for privacy include informing individuals of:
- Which types of data do you intend to collect
- What purpose the data will serve
- With whom you will share the data
You can have security without privacy, but you can’t have privacy without security. Both need to be protected.
In addition to security measures designed to protect data, standard privacy provisions include efforts to prevent the re-identification of sensitive data—such as de-identifying personal data within systems, retaining only certain data elements, or storing data in different places.
4 – Implement Information Security (A Stepwise Plan)
- Choose an Owner – Designate a senior manager with IT experience as the owner of information security. This person needs to be able to determine and assess risks and create strategies to reduce those risks. They’ll be working across the whole company and will need the credibility to do that!
- Create a Risk Assessment – Document the risks to your business and decide what you will do about them in the short or long term. Evaluate each item as:
  - Not a risk – It’s a valid finding, but it does not increase or decrease the overall risk to the business.
  - Avoid – The risk exists now, but we’re going to do something different to reduce, resolve, or eliminate it. The risk is now lower than it was.
  - Mitigate – The risk is valid. However, it has been reduced (or eliminated) because of actions we (or a vendor) are taking (or will take). The “going to do” may be a contractual requirement.
  - Accept – The risk exists, and we’re going to live with it. There is no change to our risk level.
  - Transfer – The risk is valid, but we will transfer the cost to a partner or an insurance company. Our risk score is reduced as a result.
- Pick your Security Framework(s) based on the needs of the business. Examples include:
  - Payment Card Industry Data Security Standard (PCI DSS) – If your company processes credit cards, you must be PCI compliant. While the PCI DSS focuses on protecting credit card information, it includes many of the same controls as the other frameworks listed below. https://www.pcisecuritystandards.org.
  - Service Organization Control 2 (SOC 2) – SOC 2 compliance is a component of the American Institute of CPAs’ (AICPA) Service Organization Control reporting platform. Its goal is to ensure security, availability, processing integrity, confidentiality, and customer data privacy across systems.
  - National Institute of Standards and Technology (NIST 800-53) – Defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security.
  - NIST 800-171 governs Controlled Unclassified Information (CUI) in non-federal information systems and organizations. It is a subset of NIST 800-53.
  - The Cybersecurity Maturity Model Certification (CMMC) was created by the Department of Defense and applies to anyone in the defense contract supply chain. The NIST 800-171 framework maps onto CMMC.
  - The Center for Internet Security (CIS) provides members with security controls and other resources. https://www.cisecurity.org.
  - Shared Assessments – Members can access tools and other resources to help with third-party vendor security assessments. https://sharedassessments.org.
- Document your security policies to reduce the identified risks. New threats emerge regularly, so create a plan to review and update policies annually. Start with these considerations:
  - Acceptable Use – What is acceptable for staff to do with company information processing systems?
  - Access Control – Who can access what, and how can they do it?
  - Asset Management – How are the company’s assets to be managed?
  - Change Management – When something must change, what steps should be followed?
  - Disposal and Destruction Policy – How is information, or an information asset, destroyed when no longer needed?
  - Human Resources Policies and Procedures – How do we hire and manage our people to reduce risk?
  - Information Classification Policy – How is our information classified? Typical classifications are Public, Internal Use, Confidential and Proprietary, and Restricted.
  - Logging and Monitoring – How are we monitoring our information systems? How will we record and preserve the results of that monitoring?
  - Management of Technical Vulnerabilities – The risk assessment will identify potential vulnerabilities. How are we managing them?
  - Mobile Devices and Teleworking – What are the rules for using mobile devices and working from home?
  - Personally Owned Equipment – What are the rules for an employee accessing company information from a personal device?
  - Protection From Malware – How are we protecting systems from viruses, ransomware, and other attacks?
  - Security and Privacy Awareness – People are, perhaps, the most significant risk to your business. How will you make your staff aware of risks caused by their actions or inactions?

  There are other policies that may be relevant to your organization. For example, if your company develops software, you will need a Software Development Lifecycle Policy.
- Prioritize Your Next Steps
  - Create or purchase a security awareness training program for all staff. Deliver it when someone joins and annually after that.
  - Purchase privacy awareness training to ensure compliance with laws such as the California Consumer Privacy Act (CCPA).
  - Create a business continuity/disaster recovery plan and test it annually.
  - Create an incident response plan and test it annually. Consider basing your plan on NIST SP 800-61 – it’s a well-thought-out approach to incident response. Include steps for responding to a privacy breach as well as to information security breaches.
  - Implement security controls and create a plan to test them regularly. Record the results of those tests. Include:
    - Anti-virus and anti-malware
    - Patch management for personal computers and servers
    - Intrusion detection systems
    - Vulnerability and penetration tests for servers
Creating an effective Information Security program is a significant project. At CABEM, we recommend starting with a manageable approach and improving your information security each year.