E-SPIN
Thursday, 08 October 2015 / Published in Solution

Security Program Secure Your Data

No matter how large or small your company is, you need a plan for securing your data. Information security professionals call such a plan a security program. Whether yours is five or 200 pages long, the process of creating a security program will make you think holistically about your organization’s security. A security program provides the framework for keeping your company at a desired security level by assessing the risks you face, deciding how you will mitigate them, and planning how you will keep the program and your security practices up to date.

  • Product information, including designs, plans, patent applications, source code, and drawings
  • Financial information, including market assessments and your company’s own financial records
  • Customer information, including confidential information you hold on behalf of customers or clients
  • Failure to protect your data’s confidentiality might result in customer credit card numbers being stolen, with legal consequences and a loss of goodwill. Lose your clients’ confidential information and you may have fewer of them in the future.
  • A data integrity failure might result in a Trojan horse being planted in your software, allowing an intruder to pass your corporate secrets on to your competitors. If an integrity failure affects your accounting records, you may no longer really know your company’s true financial status.

Having a security program means that you’ve taken steps to mitigate the risk of losing data in any one of a variety of ways, and have defined a life cycle for managing the security of information and technology within your organization.

Elements of a good security program

A good security program provides the big picture for how you will keep your company’s data secure. It takes a holistic approach that describes how every part of your company is involved in the program. A security program is not an incident handling guide that details what happens if a security breach is detected (see The Barking Seal Issue Q1 2006). It’s also not a guide to doing periodic assessments, though it probably does dictate when to do a security assessment (see The Barking Seal Issue Q2 2008).

Your security program defines what data is covered and what is not. It assesses the risks your company faces, and how you plan to mitigate them. It indicates how often the program will be re-evaluated and updated, and when you will assess compliance with the program. The key components of a good security program are outlined in the following sections.

  1. Designated security officer

For most security regulations and standards, having a Designated Security Officer (DSO) is not optional — it’s a requirement. Your security officer is the one responsible for coordinating and executing your security program. The officer is your internal check and balance. This person or role should report to someone outside of the IT organization to maintain independence.

  2. Risk assessment

This component identifies and assesses the risks that your security program intends to manage. This is perhaps the most important section because it makes you think about the risks your organization faces so that you can then decide on appropriate, cost-effective ways to manage them. Remember that risk can only be minimized, never eliminated, so the assessment helps you prioritize the risks and choose cost-effective countermeasures. The risks covered in your assessment might include one or more of the following:

  • Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to loss of electric power. You may also lose access to your data for more subtle reasons: the second disk failure, for example, while your RAID array recovers from the first.
  • Unauthorized access to your own data and client or customer data. Remember, if you have confidential information from clients or customers, you’re often contractually obliged to protect that data as if it were your own.
  • Interception of data in transit. Risks include data transmitted between company sites, or between the company and employees, partners, and contractors at home or other locations.
  • Your data in someone else’s hands. Do you share your data with third parties, including contractors, partners, or your sales channel? What protects your data while it is in their hands?
  • Data corruption. Intentional corruption might modify data so that it favors an external party: think Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a software error that overwrites valid data.
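The assessment step described above, turned into a small worked example. This code is added here and is not part of the E-SPIN post: it models a risk register using the five risk categories the article lists, ranks them by expected yearly loss (annualized loss expectancy, rate of occurrence times loss per event), and then picks countermeasures greedily by net benefit within a budget, so that a control that costs more than the loss it avoids is never chosen. All rates, losses, costs and control names are constructed sample figures, not numbers from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of the risk register (values are constructed sample figures)."""
    name: str
    annual_rate: float      # expected occurrences per year
    loss_per_event: float   # estimated loss for one occurrence, in currency units

    def ale(self) -> float:
        """Annualized loss expectancy: average yearly cost if nothing is done."""
        return self.annual_rate * self.loss_per_event


@dataclass(frozen=True)
class Countermeasure:
    name: str
    risk_name: str      # register entry this control mitigates
    annual_cost: float  # licences, staff time, hardware, per year
    reduction: float    # fraction of the risk's ALE the control removes (0..1)


def net_benefit(cm: Countermeasure, risks: dict[str, Risk]) -> float:
    """Yearly loss avoided minus yearly cost; negative means the control is not worth it."""
    return risks[cm.risk_name].ale() * cm.reduction - cm.annual_cost


def prioritize_risks(risks: dict[str, Risk]) -> list[str]:
    """Risk names ordered from highest to lowest expected yearly loss."""
    return [r.name for r in sorted(risks.values(), key=Risk.ale, reverse=True)]


def select_countermeasures(risks, countermeasures, budget) -> list[str]:
    """Greedy choice of cost-effective controls: best net benefit first, at most one
    control per risk, never over budget, never a control that costs more than it saves."""
    chosen, covered, spent = [], set(), 0.0
    for cm in sorted(countermeasures, key=lambda c: net_benefit(c, risks), reverse=True):
        if net_benefit(cm, risks) <= 0 or cm.risk_name in covered:
            continue
        if spent + cm.annual_cost > budget:
            continue
        chosen.append(cm.name)
        covered.add(cm.risk_name)
        spent += cm.annual_cost
    return chosen


def residual_ale(risks, countermeasures, chosen) -> float:
    """Expected yearly loss that remains once the chosen controls are in place.
    It never reaches zero: risk is minimized, not eliminated."""
    total = sum(r.ale() for r in risks.values())
    by_name = {c.name: c for c in countermeasures}
    for name in chosen:
        cm = by_name[name]
        total -= risks[cm.risk_name].ale() * cm.reduction
    return total


def sample_register():
    """Constructed sample data following the risk categories listed in the article."""
    risks = {r.name: r for r in [
        Risk("Physical loss of data", 0.5, 40_000),
        Risk("Unauthorized access", 0.2, 250_000),
        Risk("Interception of data in transit", 0.1, 60_000),
        Risk("Data in third-party hands", 0.15, 100_000),
        Risk("Data corruption", 0.3, 30_000),
    ]}
    countermeasures = [
        Countermeasure("Off-site backups with tested restores", "Physical loss of data", 6_000, 0.8),
        Countermeasure("Biometric server-room locks", "Physical loss of data", 25_000, 0.3),
        Countermeasure("MFA plus quarterly account review", "Unauthorized access", 12_000, 0.7),
        Countermeasure("Encrypted VPN for remote staff", "Interception of data in transit", 4_000, 0.9),
        Countermeasure("Vendor security clauses and assessments", "Data in third-party hands", 5_000, 0.5),
        Countermeasure("Endpoint integrity monitoring", "Data corruption", 10_000, 0.6),
    ]
    return risks, countermeasures


if __name__ == "__main__":
    risks, cms = sample_register()
    print("Risks by expected yearly loss:", prioritize_risks(risks))
    chosen = select_countermeasures(risks, cms, budget=30_000)
    print("Controls chosen within budget:", chosen)
    print(f"Residual expected yearly loss: {residual_ale(risks, cms, chosen):,.0f}")
```

The greedy selection is deliberately simple; its point is that the register forces every control to justify itself against the loss it prevents. With the sample figures the expensive biometric locks and the endpoint monitoring both have negative net benefit and are skipped, and lowering the budget drops the cheaper, lower-benefit controls first.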

  3. Policies and Procedures

Preparing your risk assessment hopefully gave you lots to worry about. The policies and procedures component is the place where you get to decide what to do about them. Areas that your program should cover include the following:

  • Physical security documents how you will protect all three C-I-A aspects of your data (confidentiality, integrity, and availability) from unauthorized physical access.
  • Authentication, authorization, and accountability establishes procedures for issuing and revoking accounts. It specifies how users authenticate, password creation and aging requirements, and audit trail maintenance.
  • Security awareness makes sure that all users have a copy of your acceptable use policy and know their responsibilities; it also makes sure that your IT employees are engaged in implementing your IT-specific policies.
  • Risk assessment states how often you will reassess the potential threats to your IT security and update your security program.
  • Incident response defines how you will respond to security threats, including potential (such as unauthorized port scanning) and actual incidents (where security has been compromised). We discussed the importance of having an incident-handling guide in the Q1 2006 issue of The Barking Seal.
  • Virus protection outlines how you protect against viruses. This might include maintaining workstation-based products and scanning email, Web content, and file transfers for malicious content.
  • Business continuity planning includes how you will respond to various man-made and natural disaster scenarios. This includes setting up appropriate backup sites, systems, and data, as well as keeping them up-to-date and ready to take over within the recovery time you have defined.
  • Relationships with vendors and partners defines who these organizations are, what kind of data you might exchange with them, and what provisions must be in your contracts to protect your data. This is an often-overlooked aspect of data security because your IT organization probably has not had a lot of interaction with your legal organization over vendor contracts. You may need to take measures such as evaluating your partners’ ability to safeguard your data and insisting on having reasonable security practices in place.

  4. Organizational security awareness

The security community generally agrees that the weakest link in most organizations’ security is the human factor, not technology. And even though it is the weakest link, it is often overlooked in security programs. Don’t overlook it in yours.

Every employee needs to be aware of his or her roles and responsibilities when it comes to security. Even those who never touch a computer in their daily work need to be involved, because they could still be targeted by social-engineering attacks designed to compromise your physical security. In its Information Security Handbook, Special Publication 800-100, the National Institute of Standards and Technology (NIST) describes the importance of making all levels of your organization aware and educated on their roles and responsibilities when it comes to security (Figure 2). All users need to have security awareness training, while those involved with IT systems need more role-specific training. Your IT organization, which implements a continuous cycle of assessing, acquiring, and operating security-related hardware and software, needs an even higher level of involvement, taking direction from your own security specialists and those you hire as consultants.

  5. Regulatory standards compliance

In addition to complying with your own security program, your company may also need to comply with one or more standards defined by external parties. This component of your security plan defines what those standards are and how you will comply. Regulatory standards that might affect you include HIPAA (for patient information), PCI (for credit card processing), FISMA (for governmental agencies and contractors, see The Barking Seal Q4 2006), Sarbanes-Oxley, and Gramm-Leach-Bliley (for corporate financial management).

  6. Audit compliance plan

This component of your security program dictates how often you will audit your IT security and assess its compliance with your security program. As we discussed in the Q2 2008 issue of The Barking Seal, there are aspects of your security that you will want to audit on a frequency ranging from daily to annually. Periodic security assessments are important for finding out whether your security has already been breached. They help you to stay on top of new security threats with the right technology and staff training. And they help you make smart investments by helping you to prioritize and focus on the high-impact items on your list.

A security program is never “done.” As Figure 2 illustrates, your IT organization is always in the process of iterating through the program’s life cycle for all areas that it defines. You assess risks, make plans for mitigating them, implement solutions, monitor to be sure they are working as expected, and use that information as feedback for your next assessment phase. Likewise, your security program document has this life cycle built into it, as it specifies how often you will re-assess the risks you face and update the program accordingly.

Getting on the right footing

It doesn’t matter whether your security program is five pages (as are some we’ve produced for clients) or 200 pages long (such as the NIST document cited above). The important thing is that you have a security program and that you use it to address your company’s security in an organized, comprehensive, and holistic way. You can adapt the above elements to create a security program for your organization, or, if you need help, email us at [email protected] or visit our website at www.e-spincorp.com

Everyone needs to have a security program because it helps you maintain your focus on IT security. It helps you identify and stay in compliance with the regulations that affect how you manage your data. It keeps you on the right footing with your clients and your customers so that you meet both your legal and contractual obligations. Its life cycle process ensures that security is continuously adapting to your organization and the ever-changing IT environment we live in. And, of course, it’s the right thing to do because protecting your data’s security is the same as protecting your most important asset.

Tagged under: Data Loss Prevention (DLP), Data Security, Governance Risk Management and Compliance (GRC)