Executives and board members are slowly but surely starting to realize that information security efforts need to become a priority. Current efforts to protect information are now subject to more scrutiny by their customers, insurance companies and the government. Ransomware and cyberattacks have elevated global awareness of what makes for a solid information security “program.”
But in fact, a “program” is exactly what makes information security efforts ineffective. A program is too often understood as a siloed effort within an organization that falls under the responsibilities of a team or department. Organizations are starting to understand that information security must be part of their culture.
I compare information security’s evolution to how the physical security at schools has evolved over the past decade. They don’t have a student protection “program.” Protecting the students is priority #1. It’s not an inconvenient set of policies and procedures that can be skirted when the workload gets too heavy. It’s part of every workday and part of a good school’s culture.
As a matter of fact, any security framework, including a good information security framework, considers human protection as the first objective. In healthcare, the protection of patient information IS a matter of protecting human life. If health information is altered, misplaced, or destroyed and can lead to misdiagnoses and mistreatment. So now that we understand that the information we create, store and transmit is important enough to protect, how do we do it “right.”
The first thing to understand is that technology doesn’t protect information, people protect information…. And not just your IT people, everyone.
You should have a solid framework to help you manage your information security. NIST (National Institute of Science and Technology) offers a great metrics model to get you started.
- Strong upper management support is critical to the implementation and the success of the information security program.
A strong commitment to information security within the highest levels of the management of an organization helps to protect the security program from organizational pressures and budget limitations.
- Information security policies and procedures that are enforced and backed by management are essential for an effective information security measurement program.
Information security policies delineate the information security management structure, assign information security responsibilities, and lay the foundation needed to reliably measure progress and compliance. These policies and procedures help to assure that data is available and can be used for measurement processes.
- Quantifiable performance measures are necessary in order to capture and provide meaningful performance data.
Quantifiable information security measures must be based on information security performance goals and objectives, and must be easily obtainable, feasible to measure, and repeatable. The information provided should demonstrate performance trends and facilitate decisions for future resource investments.
- Periodic results-oriented analysis of the measures data must be a consistent part of the information security measurement program.
The analyses are used to apply lessons learned, improve the effectiveness of existing security controls, and plan for the implementation of future security controls to meet emerging information security requirements. All stakeholders and users must be committed to the accurate collection of data that is meaningful and useful in improving
the overall information security program.
We would be happy to discuss how your organization can get started. Please call or write anytime.
Mark Schlader, HCISPP
Director of Consulting Services
NorthStar Technology Group, Inc.
Fast, Available & Secure Technology
Office 866-337-9096 ext 7123