BreachExchange mailing list archives

The 3 Necessary Elements for Effective Information Security Management


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Dec 2014 18:24:44 -0700

http://midsizeinsider.com/en-us/article/3-necessary-elements-effective-information-securit#.VJCiHivF-So

Seeing all these really bad information security incidents and privacy
breaches, often daily, is so disappointing.  Let’s consider these four in
particular.

1.    The Sony hack that seems to continue to get worse as more details are
reported.

2.    An ER nurse using the credit cards of patients.

3.    Breaches of Midwest Women’s Healthcare patient records due to poor
disposal practices at the Research Hospital.

4.    TD Bank’s outsourced vendor losing two backup tapes containing data
about 260,000 of their customers.

And the list could continue for pages.

These incidents, and most others, probably could have been prevented if an
effective information security and privacy management program existed that
was built around three primary core elements:

Risk management
Documented information security and privacy policies and procedures
Education including regular training and ongoing awareness activities and
communications

Risk Management

In each of these cases a risk assessment that is part of a wider risk
management program would have identified significant risks. Here is just one
example, for each corresponding case above, of a risk that should have been
identified prior to the breach and could have been mitigated:

1.    Sony would have identified that they had vulnerabilities where remote
access occurred into their networks and could have established stronger
controls in addition to implementing intrusion detection and prevention
systems.

2.    The ER could have implemented digital monitoring for staff in
addition to spot audits and background checks to help identify when a staff
member was stealing from a patient.

3.    A risk assessment of Research Hospital facility practices would have
identified poor disposal of print records.

4.    If TD Bank had established a vendor security and privacy oversight
program, it could have caught any lax practices in the vendor.

Policies and Procedures

In each of these cases having documented policies and procedures would
have established a reference for all workers to see what was expected with
regard to effectively and consistently protecting information during the
course of normal work activities throughout the enterprise, and would have
established the requirements and responsibilities that workers need to
know. Here is just one example, for each corresponding case above, of a risk
that should have been identified prior to the breach and could have been
mitigated:

1.    Sony could have established documented policies and supporting
procedures to NOT allow clear text user IDs and passwords to be stored in
digital files. (Why the heck were they doing this horrible high-risk
action!?)

2.    The ER could have implemented policies to secure all patient
valuables within in-room lockers that staff could not access.

3.    Research Hospital could have had policies and procedures for finely
shredding all documents to be disposed that contained confidential
information.

4.    TD Bank could have had a policy requiring all backup tapes to be
encrypted prior to release to the storage vendor.



Education

1.    Sony should have provided information security and privacy training
to all personnel, and sent regular and frequent reminders to all personnel
reminding them to protect all types of mission-critical and valuable
intellectual property to keep it from being inappropriately released.

2.    The ER should have provided information security and privacy training
to all personnel, and sent regular and frequent reminders to all personnel
reminding them to protect patient information, to be aware of what others
are doing with patient possessions, and how to report suspicious activities.

3.    Research Hospital should have provided secure disposal training to
all personnel who dispose of information in any form, and sent regular and
frequent reminders to all personnel reminding them to completely destroy
any type of media with sensitive information prior to throwing it away.

4.    TD Bank should have ensured their vendors and other outsourced
entities provided information security and privacy training to all their
personnel, and that they sent regular and frequent reminders to them about
how to secure the information that has been entrusted to them by their
clients.



Bottom line for organizations of all sizes…

In addition to many really huge organizations, I’ve worked with hundreds of
small to midsize businesses over the years. I’ve seen a large portion of
the small to midsize organizations completely omitting not just one, but
two and in many situations all three of these core elements.

Every type of organization, of all sizes, needs to build their information
security and privacy program around the three core elements of:

1) Risk management;

2) Policies and procedures; and

3) Education.

If they don’t, they are going to leave themselves vulnerable to potential
significant and possibly business-killing information security incidents
and privacy breaches.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 