In this video, Kip Boyle discusses information security program design. Explore how to design an information security program to minimize duplication of effort for meeting compliance goals.
- [Instructor] Previously, we looked at five widely-used sources of information security controls. And I've made the case for letting cyber resilience play a major role in driving your control selection. Now you need to select and implement controls to make your program come to life. To be the most effective and efficient, you need a single set of controls that will meet all your program goals, be easy for your workforce to follow every time, all the time, and allow you to actually manage risk while also demonstrating compliance.
But because of the increasing pressure at the executive level to be compliant with information security laws and regulations, the importance of being compliant sometimes overshadows the rest of your program goals, which is unacceptable. So you need to figure out how to cost-effectively comply with multiple mandates. Don't tackle each mandate on a stand-alone basis. That's too much duplication of effort, which leads to extra expenses and is overwhelming for your staff. For example, there is a requirement to change vendor default settings in compliance mandates published by many different regulators, including the Payment Card Industry Data Security Standard, the Federal Financial Institutions Examination Council, the National Institute of Standards and Technology, and the Internal Revenue Service.
And while conceptually similar, the details can be different enough to make it difficult for practitioners and expensive for their organizations. This is such a problem that an entire web application was created to detect and resolve these conflicts: the Unified Compliance Framework, by Network Frontiers. I recommend you adopt a single internal program for your staff to follow, where your policies and other controls are influenced by and mapped back to all your mandates. Let's look at this idea visually. Your corporate information security policies are the ultimate authority for your internal program.
Compliance mandates, as well as your other program goals, are the most important inputs into your security policies. Once written and approved, your information security policies are operationalized by the standards, processes and procedures that you publish and train your staff to follow. Let's look at this last point more closely. By their nature, policies should be written at a high level and board of directors approved, so they don't need to be changed more than once per year. Standards contain the next level of detail below policies and they may be changed by management as needed.
Procedures are a policy- and standards-driven series of steps taken by individuals at the desk level. To ensure procedures are followed correctly and consistently, you'll want to go top-down through your management structure to get the direct support of all first-level supervisors. Finally, processes are procedures that cross two or more departments. To illustrate how this all works, let's consider how we control access to sensitive data such as customer records. Your policy would state, "All access to electronic customer records must be authenticated to individual users."
Among other things, your authentication standard would state, "Systems administrators accessing customer records must do so using two or more factors of authentication." And consistent with the policy and standards, the systems administrators would follow a procedure that describes, on a step-by-step basis, how to authenticate. A very simple procedure would tell the administrator to insert their employee ID badge into the card reader and then enter their password when prompted. In order to make sure only authorized people become a systems administrator, at a large company, you would implement a process that had four procedures performed by four different people on four different teams.
First, the user requests administrator access. Then Team A would process their request for a privileged account. Next, a manager reviews the request and either approves or denies it. Finally, a member of Team B creates the account and securely provides the requester with logon details. There are at least four benefits from following this policy and compliance architecture. First, you get better risk management. And you're not just managing the risk of failing the audit.
Real risks in your environment are being well-managed and the audits you go through should prove your controls are working. In addition, this approach is more cost-effective. It reduces the temptation to make every separate compliance mandate a standalone activity. You don't have to reinvent the wheel for every audit, year after year and staff have a single program to follow. You also get a competitive advantage. Smart regulatory compliance strengthens customer relationships as we previously learned.
In fact, you may end up understanding the regulatory issues better than your auditors. Finally, new compliance mandates become much easier and quicker to satisfy. This information security program design allows you to quickly take credit for everything you've already put in place. You just need to implement any truly new controls. Let's wrap up this video with some final advice. You may see conflicting compliance mandates. One may be more restrictive than another. If possible, manage to the most restrictive mandate.
Let the real risk at hand guide you to a good decision. Also, your requirements will eventually become stale. After all, your business changes every day, which can result in new customers, new systems, and staff turnover. As a result, your documentation may fall behind. To manage this risk, I suggest you review your entire program design annually and make updates.
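As an added example (not part of the video or of Kip Boyle's material), the Python sketch below models the single-program design described above: each internal standard addresses a canonical topic, each mandate's requirements are mapped to those topics, a gap check shows which requirements of a newly adopted mandate are truly new work, and a "most restrictive wins" rule resolves conflicting parameter values. All requirement ids, topics and parameter values are constructed placeholders, not actual clause numbers or mandate text.

```python
# One internal program: each standard your staff follows covers a canonical topic.
# Standard names and topics are constructed placeholders.
CONTROLS = {
    "STD-01 Change vendor defaults before go-live": {"vendor_defaults"},
    "STD-02 MFA for systems administrators": {"admin_mfa"},
    "STD-03 Quarterly privileged-access review": {"access_review"},
}

# Each mandate's requirements, expressed as mandate-specific id -> canonical topic.
# Ids are constructed placeholders, not real clause numbers; the IRS entry
# includes a topic no existing standard addresses yet.
MANDATES = {
    "PCI DSS": {"P-1": "vendor_defaults", "P-2": "admin_mfa"},
    "FFIEC":   {"F-1": "vendor_defaults", "F-2": "access_review"},
    "IRS":     {"I-1": "vendor_defaults", "I-2": "log_retention"},
}

def topics_covered(controls):
    """All canonical topics addressed by at least one internal standard."""
    return {topic for topics in controls.values() for topic in topics}

def evidence(controls, mandate, mandates=MANDATES):
    """Audit crosswalk: requirement id -> internal standards that satisfy it."""
    return {rid: [name for name, topics in controls.items() if topic in topics]
            for rid, topic in mandates[mandate].items()}

def gaps(controls, mandate, mandates=MANDATES):
    """Requirements of a mandate that no existing standard addresses: the truly new work."""
    covered = topics_covered(controls)
    return sorted(rid for rid, topic in mandates[mandate].items() if topic not in covered)

# Conflicting values for the same control parameter: manage to the most restrictive one.
# Whether "lower" or "higher" is stricter depends on the parameter.
LOWER_IS_STRICTER = {"max_password_age_days": True, "min_password_length": False}
# Constructed sample values for two hypothetical mandates, not real mandate text.
PARAMS = {
    "Mandate A": {"max_password_age_days": 90, "min_password_length": 8},
    "Mandate B": {"max_password_age_days": 60, "min_password_length": 12},
}

def most_restrictive(param, params=PARAMS):
    """Pick the strictest value any mandate sets for a parameter."""
    values = [p[param] for p in params.values() if param in p]
    return min(values) if LOWER_IS_STRICTER[param] else max(values)

if __name__ == "__main__":
    for m in MANDATES:
        print(m, "gaps:", gaps(CONTROLS, m), "evidence:", evidence(CONTROLS, m))
    for p in LOWER_IS_STRICTER:
        print(p, "->", most_restrictive(p))
```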