
How to Build an Internal Security Program

Six processes are foundational to begin building a successful information security program.

Sherry Cummins

Principal Security Consultant,
ePlus Security

Information security is a business risk.

This makes security a business function, not the sole responsibility of IT, which is why building a security program is one of the most important things you can do for your organization’s overall health and success. But information security has many layers.

What does it take to build an effective program?

Six processes are required in order to begin building a strong security program:

  1. Identity and Access Management
  2. Patch and Version Management
  3. Vulnerability Management
  4. Data Governance
  5. Risk Management
  6. Security Awareness Training

Some of these heavily involve the IT team, while others require the participation of groups such as HR/training, executive leadership, and audit/compliance, which makes the need for good communication and strong interdepartmental relationships critical.

Identity and Access Management

Compromised identities (when a bad actor steals login credentials) are a leading cause of breaches. When bad actors pose as real employees, they can access any system, network, or data file to which the employee has been granted privileges.

Identity and access management is a combination of processes, policies, and technology that governs user access and authorization. In other words, it dictates who can access systems and data in your organization, and what they can do (and what they can’t do) when they get there.

A strong IAM framework uses single sign-on, multifactor authentication (or, at least, two-factor authentication), and role-based access management. The framework also includes technology to store user identities and profiles securely, so that a bad actor cannot easily steal a host of identities by accessing an unsecured database of profiles.

Patch and Version Management

Carelessness often leads to breaches. Many times, bad actors gain access to systems by exploiting a well-known vulnerability that simply has not been patched or is found in old, unsupported versions of operating systems and software.

Cyberattacks are automated and persistent. Threat actors use bots to probe networks continuously, looking for back-level systems with outdated patches that are still connected to corporate networks. Once discovered, these vulnerable systems are actively exploited by malicious actors to gain entry into an environment.

Patch and version management is the process of keeping systems up to date with the latest bug fixes and features. It involves identifying, acquiring, testing, and installing updates to software and firmware that correct code defects and close known security vulnerabilities.

Vulnerability Management

Security is not a static discipline; it changes continuously as new threats and vulnerabilities are discovered. The Common Vulnerability Scoring System (CVSS) assigns known software vulnerabilities a severity score so that their seriousness can be communicated consistently. As previously mentioned, many breaches are the result of the exploitation of known vulnerabilities.

Vulnerability management is an ongoing process. It combines people, processes, and technology to identify, assess, manage, and remediate vulnerabilities all across an organization’s technology landscape, including endpoints, systems, workloads, and databases.

Vulnerability management is closely linked to other processes, such as patch and version management, and often involves scanning tools and penetration testing exercises that help detect vulnerabilities that may otherwise go unnoticed.

Data Governance

Bad actors launch cyberattacks for a lot of reasons. Some may seek to disable equipment or to shut down critical infrastructure—whatever action they feel may cripple a business or country and keep it from operating.

But many are after data.

Organizations pay millions every year for encryption keys to unlock data after ransomware attacks, or to stop a bad actor from publicly releasing sensitive data that has been exfiltrated.

Data governance is a process for identifying where sensitive data resides and for protecting and managing an organization’s data.

It is a framework based on an organization’s standards and policies for data handling, retention, and disposal, which ensures that data is available, usable, and secure in line with relevant industry standards. The process is foundational for compliance and ensures that organizations properly manage data throughout its lifecycle.

Risk Management

At its core, information security is about managing risk. An organization’s risk tolerance—the amount of risk an organization is willing to accept—helps to define many of the policies, procedures, and technology that make up a security program.

Risk management is a business function. It involves identifying and assessing risks to the survival and economic health of an organization, and then taking action to lower those risks.

As a business function, this process involves senior leaders from across the organization—business units, finance, IT, operations, and others—and covers a broad scope of risks that include IT security and much more. It is important to understand that final responsibility for risk decisions lies in the hands of the organization’s executive leadership, and effective processes for risk identification, documentation, communication, and resolution must be built and carried out consistently.

Security Awareness Training

Phishing is still one of the most effective tools bad actors use to steal credentials and access corporate systems. Phishing attacks can be very sophisticated and convincing, and despite all the articles that have been written, people still fall victim to this attack method. But security awareness training is not limited to helping employees spot email scams.

Security awareness training is required by PCI and other compliance frameworks, as well as being an important part of any information security program. At a minimum, training programs educate employees on the importance of protecting company assets (after all, security is everyone’s responsibility), explain corporate policies and procedures for working safely—whether in an office or at a remote site—and show them how to identify a security threat.

Training sessions are most successful when tailored to a user’s job function and held at least four times a year (once a quarter). If possible, regular communication from the security department about new or emerging threats that users may see or hear about in the media is useful for maintaining their awareness and keeping security top of mind between the regular training sessions.

Getting Started: Tips for Success

An information security program requires people, process, and technology.

Most organizations today have some information security processes and technology in place. They could be formal and complex or very informal and rudimentary. For every organization, the question is the same: How well are your data and infrastructure protected from threats?

A security program does not need to be complicated or expensive to be effective.

It simply must protect an organization’s assets from being lost, stolen, or damaged in accordance with compliance requirements and the organization’s risk tolerance. However, organizations should not be complacent about their security because they think of themselves as being too small or too uninteresting to have anything an attacker might want. Malicious actors have a variety of reasons to attack, and no one is immune.

Start with a survey of assets.

What data, IT, and hard assets need to be protected? What is currently in place to guard those assets (physical protections, technology, processes), and how well do they work? Getting a handle on the basics—as described above—can be a good starting point.

Relationships and communication are important when building a security program.

Many people are involved: executives, managers, auditors, compliance experts, IT technicians, and others. Listening to input from these groups will help create a stronger program. After all, everyone in an organization is affected by security and should be a part of understanding and helping to maintain the organization’s security posture.

Ownership is another essential aspect of a successful security program.

Someone in the organization will own security—perhaps it is a CISO or a CIO—and with ownership comes responsibility for building the program, refining it over time, and ensuring compliance with industry and organizational standards and policies.
