Questions related to your existing information security program
Am I spending enough / appropriately on information security-related tools and controls? (Is there a tool I should buy?)
As with the staffing question, the answer here is nuanced: it depends. In our experience helping organizations understand their threats and risks and build a reasonable, appropriately scaled information security program, they already hold most (if not all) of the licenses and tools they need to address those risks. The difficulty lies in configuring those tools and in the information technology organization's ability to get meaningful information out of them. The roadblock to an effective program is often the time and availability of IT staff; it is not uncommon for IT staffing to fall short of what the size and complexity of the organization requires. Automating the tasks that pull IT staff away from projects into an endless break/fix cycle can therefore improve the chances that information security projects succeed.
Do I need cybersecurity insurance? Is our cybersecurity insurance policy appropriate to our risks?
The answer to both of these questions is easy: yes. Your organization should have cyber insurance (for a variety of reasons). According to CyberInsureOne, 27% of US firms have no plans to purchase cybersecurity insurance, only 8% of manufacturing companies have it, and only 50% of healthcare-related organizations are cyber-insured. This is despite the fact that the two greatest threats detailed above target these two verticals – wire fraud at manufacturers and ransomware in healthcare.
Currently, because insurers want to sell policies to these threatened companies, the cost of cybersecurity insurance is very low. The challenge is making sure you have the RIGHT insurance with an appropriate level of coverage, which is why we work with several insurance brokers to identify best practices for good cybersecurity insurance coverage. Like many of the questions presented here, determining the correct level of coverage depends on awareness of the threats and risks facing the organization. Ultimately, there are three things an organization can do with a risk: address it directly by making a change or implementing a tool, insure against it (the insurance industry refers to this as “transferring” the risk), or simply decide to “assume” the risk and hope it doesn’t happen.
Are our information security and business priorities aligned?
The holy grail of information security is strong alignment with the business: everyone has access to the tools and data they need to do their work (but no more), the data and services are available when needed, and the data and the analysis of that data are trustworthy and accurate. Striking the balance between protection and convenience (and monetary cost, frankly) is the difficult part.
Is our written information security program (WISP) based upon an appropriate information security framework?
There is a wide variety of information security and information technology frameworks that provide guidance on appropriate controls for protecting the confidentiality, integrity, and availability of data and services (some you might have heard of include NIST SP 800-53, the NIST Cybersecurity Framework, ISO 27001, HITRUST, COBIT, ITIL, the CIS Controls, and the AICPA Trust Services Criteria). Choosing the correct one depends on your compliance obligations, geography, business vertical, and organizational complexity. It is possible to map one framework to another, and some have been designed for just that purpose: HITRUST and the CIS Controls are built with this in mind. HITRUST certification is an expensive but effective way to demonstrate compliance, and anyone can download the actual controls for free. The CIS Controls are a framework created by industry experts; they map well to other frameworks and are intended to be free for anyone to download and implement.
Do our documented policies match what is actually happening in practice?
Often an organization’s written policies and standards are very well written and line up with its compliance obligations. An auditor comes in, reviews the documents, and gives them a passing grade. Unfortunately, what is written in those documents does not line up with what is actually happening in the organization. Our approach is lean, well-organized documentation that addresses the threats and risks facing the organization in clear and concise language. The end result is that instead of having compliance without real information security, the organization is secure by design and compliant by default.
Do we know where our data is and how it is protected (data lifecycle management)?
Ultimately, an information security program is concerned with the confidentiality, integrity, and availability of the data and services that utilize, store, transmit, and process that data. Knowing the nature of that data, how sensitive it is in terms of compliance obligations, where it lives, where it is transmitted, where it is used, who has access to it, and how long it should be kept is vital. For many organizations that data is core to their business. Just like an auto repair shop must keep track of and care for their tools, an organization must keep track of and care for their data and services. Very often this starts with classifying the data and establishing rules for the various classifications.
Are our employees being appropriately trained on cybersecurity?
Information security awareness training is vital for organizations. The two primary threats detailed earlier rely mainly on employee mistakes to succeed. Wire transfer fraud tricks employees into sharing or relying upon restricted or incorrect account information. Ransomware is most often distributed by email-based attacks and requires employees to open infected attachments or click on malicious links. Even well-configured systems with robust monitoring mechanisms can let these emails and attacks slip by. The final and most important line of defense against these attack vectors is the person sitting at their desk deciding whether what they are looking at is a genuine communication or an attempted attack. All organizations should provide mandatory and engaging cybersecurity awareness training at the time of hire and at least every year thereafter to refresh employees and keep security at the top of their minds.
Can we detect an attempted or successful cybersecurity incident/breach?
A mature information security program not only puts mechanisms and controls in place to prevent an incident or a breach but also includes mechanisms to monitor the operation of its networks, systems, services, and users so that it notices when something bad or unintended is happening. Automated mechanisms that aid the perpetually overworked and understaffed IT team are essential, and appropriately tuned alerting is one of the primary goals of the information security program, because any Internet-connected environment is under constant attack. Detecting only those attacks that have a chance of succeeding, rather than every probe, is essential.
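One way to put that tuning principle into practice, as an added example written for this page (not code from the authors or from any product they describe): the script below triages constructed SSH and web-server log lines and raises alerts only where an attack could plausibly have succeeded. Guesses against accounts that do not exist and probes for paths that return 404 are counted but suppressed; a login that succeeds after a run of failures, or a probe for a sensitive path that is actually served, produces an alert. The log format, the path patterns and the failure threshold are assumptions chosen for the example.

```python
"""Alert tuning: alert on attacks that could succeed, count the rest as noise.

Sample log lines below are constructed for this example; the regexes assume
OpenSSH-style auth messages and a common-log-format web server line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not from any real system).
AUTH_LOG = [
    "sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 50000 ssh2",
    "sshd[102]: Failed password for invalid user test from 203.0.113.5 port 50001 ssh2",
    "sshd[103]: Failed password for alice from 198.51.100.9 port 40000 ssh2",
    "sshd[104]: Failed password for alice from 198.51.100.9 port 40001 ssh2",
    "sshd[105]: Failed password for alice from 198.51.100.9 port 40002 ssh2",
    "sshd[106]: Accepted password for alice from 198.51.100.9 port 40003 ssh2",
    "sshd[107]: Failed password for bob from 192.0.2.77 port 30000 ssh2",
]
WEB_LOG = [
    '203.0.113.5 - - "GET /wp-login.php HTTP/1.1" 404 0',
    '203.0.113.5 - - "GET /phpmyadmin/ HTTP/1.1" 404 0',
    '198.51.100.9 - - "GET /admin/export?all=1 HTTP/1.1" 200 58213',
]

FAILED_RE = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ "(\w+) (\S+) [^"]*" (\d{3}) ')
# Paths that only matter if the server actually serves them (assumed list).
PROBE_PATH_RE = re.compile(r"^/(wp-login\.php|phpmyadmin|admin)(/|\?|$)")
FAILURE_THRESHOLD = 3  # assumed tuning value for repeated failures on a real account


@dataclass(frozen=True)
class Alert:
    severity: str
    source_ip: str
    reason: str


def triage_auth(lines):
    """Return (alerts, suppressed_count) for SSH authentication lines."""
    failures = defaultdict(int)  # (ip, user) -> failures against an existing account
    suppressed = 0
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            invalid, user, ip = m.groups()
            if invalid:
                suppressed += 1  # account does not exist: this guess cannot succeed
            else:
                failures[(ip, user)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            n = failures.pop((ip, user), 0)
            if n:  # success after failures from the same source: the attack worked
                alerts.append(Alert("high", ip, f"login as {user} after {n} failures"))
    # Sustained guessing against a real account that has not (yet) succeeded.
    for (ip, user), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            alerts.append(Alert("medium", ip, f"{n} failed logins for existing account {user}"))
    return alerts, suppressed


def triage_web(lines):
    """Return (alerts, suppressed_count) for web access-log lines."""
    alerts, suppressed = [], 0
    for line in lines:
        m = WEB_RE.match(line)
        if not m or not PROBE_PATH_RE.match(m.group(3)):
            continue
        ip, method, path, status = m.groups()
        if status[0] in "45":
            suppressed += 1  # resource absent or request rejected: nothing gained
        else:
            alerts.append(Alert("medium", ip, f"{method} {path} returned {status}"))
    return alerts, suppressed


def triage(auth_lines, web_lines):
    """Combine both sources; returns (alerts, number of suppressed noise events)."""
    auth_alerts, auth_noise = triage_auth(auth_lines)
    web_alerts, web_noise = triage_web(web_lines)
    return auth_alerts + web_alerts, auth_noise + web_noise


if __name__ == "__main__":
    found, noise = triage(AUTH_LOG, WEB_LOG)
    for a in found:
        print(f"[{a.severity}] {a.source_ip}: {a.reason}")
    print(f"suppressed {noise} events that could not have succeeded")
```

On the constructed data this raises two alerts, both for the source that actually got somewhere (a successful login after three failures, and a 200 response on an admin path), and suppresses four events from the source that only hit nonexistent accounts and missing pages. The same shape of rule transfers to other sources: decide what "could have succeeded" means for each log, and alert only on that.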
Do we know how to respond in an emergency?
Having a documented plan (updated as personnel and the environment change) for how to respond to an incident or its big brother, a disaster, is only the first step. Educating the people who must respond when an emergency occurs (and their backups in the event they are unavailable) is the next task. Finally, and perhaps most important, is testing that plan regularly (and learning from and addressing the results of those tests). Again, having something lean and useful is more important than reams of paper sitting on a shelf.