Governance, Risk, and Compliance: Information Security control "must haves" for your business
In our last information security blog article, about minimizing information security risks, we discussed ways of putting your organization in the best position to increase productivity by not wasting time and resources on threats. We now continue that discussion by looking at controls.
The first category of controls in any information security program should be the Governance, Risk, and Compliance (GRC) controls. These are the controls that ensure the information security program has the authority to do what it needs to and is doing the right things for information security in an organization.
Merriam-Webster defines governance as
the act or process of governing or overseeing the control and direction of something (such as a country or an organization)
In modern companies, nonprofits, and similar organizations, governance is accomplished first through a set of written policies. A large organization may need dozens of in-depth information security policies. Smaller organizations are often better served by tailored, right-sized policies that address their most important information security needs, such as data usage, retention, privacy, and social media policies. Scalesology can help you get your information security policies in order, whether you need a quick, simple set of policies or an in-depth set such as those required in highly regulated industries.
Plans and Procedures
From your policies come procedures. Many smaller organizations perform procedures in an ad hoc manner, passed along by word of mouth. As you mature, you need to codify your plans and procedures, and Scalesology can help with that, be it your information security incident response plan, your business continuity plan, or more routine procedures such as employee onboarding, asset management, and change management.
Some policies and procedures have standards associated with them, so that the policies and procedures themselves do not have to change even as the information technology landscape changes quickly. For example, your password policy may refer to a password strength standard, which codifies how long passwords are required to be. Another example is a minimum software version standard, which may need to be updated every time a new release of Chrome comes out. Scalesology can help you create and maintain these standards at an appropriate level for your organization.
Change Management
Change management ensures that changes are performed in an informed and controlled manner, something that is essential for the proper maintenance, and hence the security, of a system. Beyond that, the information security program should be involved in all information technology changes to ensure that a change does not introduce a vulnerability or affect the program's ability to protect the organization. For example, if a project proposes adding a new network segment, information security will want to ensure that the segment provides the appropriate prevention, detection, reaction, and validation controls for the systems being deployed there. Scalesology can help you set up a change management program and evaluate the security impact of changes within your organization.
Risk Management
As noted in our article What is Information Security, risk management is core to an organization's information security program. Besides the risk assessment and the security strategy, both of which Scalesology can perform for you, risk management includes asset lifecycle management, threat intelligence, and supply chain risk management.
Asset Lifecycle Management
Asset lifecycle management is the tracking of information assets from their acquisition through assignment and finally decommissioning within an organization. Information assets include not only hardware such as servers and laptops, but also instances of operating systems such as virtual machines running locally or in the cloud, applications – again both local and in the cloud – and, most broadly, data. Organizations tend to spend a lot of time tracking things like $2000 laptops, but it is far more important to know where the data that can make or break your business resides. Scalesology will perform a high-level assessment of this as part of a risk assessment, and we can work with you to implement a more detailed asset tracking program so that you know where the valuable assets in your organization reside.
Threat Intelligence
Threat intelligence is concerned with what threat actors are targeting in the organization and how. It can often be broken down into two areas. First, technical threat intelligence: information such as IP addresses, domains, and file hashes that are known to be used by threat actors and can be monitored for by detective controls. Second, qualitative threat intelligence: information such as reports that certain threat actors may be focusing on your organization or industry sector. By reading these reports and understanding the modus operandi of these threat actors, an organization can adjust its defensive posture appropriately; for instance, if we see reports that a specific, resourceful attacker is targeting our industry with a sophisticated attack against TLS version 1.1, we may force all of our servers to accept only TLS version 1.2 and above, even though that might restrict access from customers running outdated systems.
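The technical threat intelligence side of the paragraph above, as an added example that is not Scalesology's code: a small Python matcher that checks constructed proxy and endpoint log lines against a constructed indicator feed of IP addresses, domains, and file hashes, which is what a detective control does with such a feed. The key=value log layout and the field names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed indicator feed covering the three technical IOC types the article
# names; the addresses are from documentation ranges and the hash is sha256("").
IOC_FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example", "cdn.bad.example"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str
    value: str

_KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value log layout

def normalize_domain(name: str) -> str:
    """Lower-case and drop a trailing dot so 'CDN.bad.example.' matches the feed."""
    return name.lower().rstrip(".")

def match_event(line_no: int, line: str, feed=IOC_FEED) -> list[Match]:
    """Return every feed indicator that appears in one log line."""
    fields = dict(_KV.findall(line))
    found = []
    if fields.get("dst_ip") in feed["ip"]:
        found.append(Match(line_no, "ip", fields["dst_ip"]))
    host = normalize_domain(fields.get("host", ""))
    for bad in feed["domain"]:  # exact name or any subdomain of it
        if host == bad or host.endswith("." + bad):
            found.append(Match(line_no, "domain", bad))
    digest = fields.get("sha256", "").lower()  # hashes are case-insensitive hex
    if digest in feed["sha256"]:
        found.append(Match(line_no, "sha256", digest))
    return found

def scan_log(lines, feed=IOC_FEED) -> list[Match]:
    """Scan an iterable of log lines; the result is what a detective control would alert on."""
    return [m for i, ln in enumerate(lines, 1) for m in match_event(i, ln, feed)]

# Constructed sample log: two web-proxy events and one endpoint execution event.
SAMPLE_LOG = [
    "ts=2024-05-01T10:00:01Z src_ip=10.0.0.12 dst_ip=93.184.216.34 host=www.example.com",
    "ts=2024-05-01T10:00:02Z src_ip=10.0.0.12 dst_ip=203.0.113.45 host=Files.CDN.bad.example.",
    "ts=2024-05-01T10:00:03Z user=alice action=exec sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
]
```

Calling `scan_log(SAMPLE_LOG)` flags the second line twice (a listed IP and a subdomain of a listed domain) and the third line once (a listed hash, despite the upper-case spelling), while the first line produces no alert.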
Supply Chain Risk Management
Supply chain risk management, also known as vendor risk management or third-party risk management, is the process of evaluating the organizations that provide products and services to our organization and ensuring that their information security posture is appropriate given the product or service they provide to us. This came to the forefront with the Target attack in 2013, where Target’s HVAC vendor was breached, which allowed the attacker to leverage that vendor’s connection to Target’s networks and subsequently breach Target. More recent examples are the SolarWinds attack in late 2020 and the Kaseya attack in 2021. For every vendor in your supply chain you should look at what risk they pose to your organization if they are breached – for example, your IT vendors present a much higher risk than your cleaning supply vendors, and vendors with personnel on site probably present the highest risk. Then you need to work with each vendor to find out what risks they have and what they are doing to manage those risks. Larger vendors like Microsoft and Google use industry certifications such as ISO 27001 or SOC 2 reports to demonstrate a level of risk management appropriate for the vast majority of their customers. For vendors that do not have such certifications, you will need to engage them, ask the right questions, and gauge their responses to ensure that their information security posture is appropriate. This is something that Scalesology can help you with.
Just as you need to ensure the appropriate risk management of your vendors, your customers will ask the same of you. Scalesology can help you respond to the supply chain risk management questionnaires that you receive from your customers. Alternatively, we can help you set up your information security program to obtain one of the industry certifications, such as ISO 27001 or SOC 2 Type 2, so that in the future you can simply point your customers to that; be aware, however, that these certifications are very intensive and involve a lot of work on an organization's part. Scalesology can also help ensure that you are compliant with laws, regulations, and industry standards such as HIPAA, FERPA, ERISA, GDPR, CCPA, the New York SHIELD Act, FDIC regulations, SEC regulations, NERC CIP, and so forth. The good news is that most of these laws, regulations, and standards only dictate that an organization operate an information security program following industry standards such as the ones we are describing here.
Training and Awareness
In consulting we often talk about people, procedures, and technology all being necessary for the success of a project or organization. Above we talked about procedures, and in future articles we will dive much further into technology, but people are one of the most important links in your information security protection. Most controls are designed around the principle that authorized users need to be able to read and write their data to do their jobs. Many attacks succeed simply because attackers are able to trick users into either sharing the data the attacker is looking for or giving them access to the system. While we implement technical controls to try to prevent these things from happening, the best control is a well-informed user who understands what the risk is, what to watch out for, and how to react when suspicious activity occurs. This is best accomplished through security training and awareness. Scalesology can help you set up a training and awareness program to ensure that all of your employees understand their role in protecting your organization's information; we can also help design and conduct specialized training for groups of users who may present a higher risk to the organization, such as IT administrators, software developers, and core finance staff.
Business Continuity Planning
Last, and certainly not least, under the GRC umbrella is business continuity planning. This is such a large and overarching topic that in larger organizations it often merits its own department. In small to midsize organizations it often falls under the CISO and is best treated as a more specific form of risk management. In business continuity planning we do not try to enumerate all the possible things that can go wrong for an organization: in 2000, for example, people would not generally have included a plane flying into a skyscraper as an anticipated disaster, nor in 2019 would many of us have included a pandemic on our list of disasters. Regardless of the type of business continuity event, we want to be prepared for it. We do this by identifying the processes that are critical to our organization, the resources they require, and what to do if any of those resources – be it people, facilities, systems, material, etc. – are not available.
Scalesology can help you create and manage your business continuity plan, and you can find more details in our Guide to Creating a Disaster Recovery Plan. Contact us today, and let’s ensure your organization can scale without the worry of threats to your business.