CIO Perspective: Top 8 Tips to Improve your Security Program

Tips to Improve your Security Program From a Seasoned CIO

Author: Mike Gentile with Cameron Cosgrove

Many times, at CISOSHARE we present our perspective from the viewpoint of security practitioners that have built hundreds of security programs around the world. While we think that this experience is crucial to effectively build a cyber security program, there are many other viewpoints that are just as important. The most important of these that comes to mind is the knowledge and experience of a veteran CIO.

Recently, I had the opportunity to get exactly that from one of the most seasoned Fortune 500 CIOs I know, Cameron Cosgrove. He has deep expertise in the enterprise computing space and we have worked on many projects together over the last 2 decades. His blog, DIGITALCTO with Cameron Cosgrove, contains interesting articles.

I asked him one simple question:

What would be the top things you would tell any CIO to build programs around when it comes to cyber security?

What I liked most about his response was that it was short, easy to understand, and to the point. So, for all you CIOs out there looking for some footholds on where to start with cyber security, in Cameron’s words, here are the top areas to focus on that will give you the best return for investment:

1. Backups

If all else fails…you can get your data back. Remember the SONY attack? Their back-ups were a significant issue that was not uncovered until recovery efforts were underway. It took them years to rebuild and recover. So, here is the question CIOs need to ask: how do we know the back-ups are in place and will work when you need them?

Perform a one-time audit of all PROD applications, files, directories, folders to ensure they are actually being backed up. You may be shocked at the number of files that are never backed up or whose backups fail on a regular basis. Have the team use the audit to get all files in a backup job. You may also find that the backup infrastructure is not sized big enough to handle all of the files—and that will spin off another project to address your backup strategy.

Have the team present a monthly report showing backup fails and completes. The team needs to test the recovery of random files every quarter—and show that on a report—that you look at.

Next step after PROD, consider a bi-weekly or weekly backup of key non-prod data such as all development libraries, files, and builds.

Make sure IT Ops has backup files accessible for a quick recovery for urgent business needs; but also make sure system back-ups are stored off-site. I recommend using tools and storage platforms that enable a real-time automated synchronization to an off-site location or cloud service. Finally, consider putting your back-up on a separate network to reduce traffic, impacts to network performance and protect back-up files/images from being stolen or erased by an intruder. If you are faced with a large price tag for additional backup infrastructure, consider the cost and disruption of recent ransomware exploits or just an issue with equipment failures, flood, etc. If IT has a current, viable back-up—you can get back up and running no matter what happens. This is one of the most basic functions within IT, but often overlooked because it is assumed it is working.

2. Account Validation

The #1 method bad actors use to gain a foothold in your network or on a server is to compromise a valid account and then start installing malware. If they can compromise an administrator account, then they can create new accounts including new admin accounts. With access to a network, bad actors can remotely load their exploits at will and then send instructions to activate them at a time of their choosing. By using valid accounts they can work for months with minimal risk of being detected. The #1 way to prevent that is to detect and disable those accounts immediately. Doing this is simple, but takes an effort to establish.

Here is how:

Nightly, create and export a text file from your HR system of all people that should have access such as employees, consultants, contractors, etc. From your network directory (e.g. Active Directory), export all accounts that do have access into a text file. Establish a batch job to compare those two files—looking for differences. There are directory sync products that will do this.

In most cases, you will detect new employees and terminated employees on the list, which is a good thing to know by itself. But if there is an account on your network directory that is not in your HR system—that is a potential bad actor that has gained access and has created their own account. Track these accounts down to determine if they are authorized. When in doubt, suspend those accounts while you investigate.

Typically, organizations that are compromised have learned that these bad accounts went undetected in their system for months and months.

Another daily report to run is to show all new administrative accounts created within the last 24 hours. Have a person review all new accounts created with elevated privileges and double check them for proper authorization; especially domain administrator. Producing and reviewing this report is the most important thing you can do after back-ups.

Lastly, run a monthly report for all accounts with elevated privileges and reconcile it to each person. While this sounds like an extra step, keep in mind, administrative privileges are used to install and run ransomware and kill programs in your environment.

Following these steps will dramatically reduce the #1 way your network can be compromised.
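
The following added example (not part of the original article, and not the output of any directory sync product) implements the nightly HR-to-directory comparison and the two privileged-account reports from this section in Python. The export column layouts, the service-account allowlist, the privileged group list and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample exports. The column layout is an assumption for this
# example, not the output format of any particular HR or directory product.
HR_EXPORT = """username,status
alice,active
bob,active
carol,active
"""

DIRECTORY_EXPORT = """sAMAccountName,whenCreated,enabled,memberOf
Alice,2021-03-02T09:00:00+00:00,true,Domain Users
bob,2019-11-20T14:30:00+00:00,true,Domain Users;Domain Admins
dave,2020-01-15T08:00:00+00:00,true,Domain Users
svc_backup,2018-06-01T00:00:00+00:00,true,Backup Operators
helpdesk2,2024-05-01T02:13:00+00:00,true,Domain Users;Domain Admins
erin,2017-04-04T10:00:00+00:00,false,Domain Users
"""

# Assumption: service accounts live in a reviewed allowlist with a named
# owner, because they legitimately have no HR record.
SERVICE_ACCOUNTS = frozenset({"svc_backup"})

# Matched against direct membership only; nested groups must be expanded
# by whatever produces the export.
PRIVILEGED_GROUPS = frozenset({"domain admins", "enterprise admins", "administrators"})

# Constructed "time of the nightly run" so the sample data is reproducible.
SAMPLE_NOW = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Account:
    name: str
    created: datetime
    enabled: bool
    groups: frozenset


def load_hr(text):
    """Return the lower-cased usernames of everyone HR says should have access."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["username"].strip().lower() for r in rows
            if r["status"].strip().lower() == "active"}


def load_directory(text):
    """Parse the directory export into Account records with normalised names."""
    accounts = []
    for r in csv.DictReader(io.StringIO(text)):
        accounts.append(Account(
            name=r["sAMAccountName"].strip().lower(),
            created=datetime.fromisoformat(r["whenCreated"]),
            enabled=r["enabled"].strip().lower() == "true",
            groups=frozenset(g.strip().lower()
                             for g in r["memberOf"].split(";") if g.strip()),
        ))
    return accounts


def reconcile(hr_users, accounts, service_accounts=SERVICE_ACCOUNTS):
    """Nightly diff: enabled accounts with no HR record, and HR people with no account."""
    enabled = {a.name for a in accounts if a.enabled}
    every = {a.name for a in accounts}
    return {
        # Terminated staff still enabled, or accounts nobody authorised.
        "unmatched_accounts": sorted(enabled - hr_users - service_accounts),
        # New hires not yet provisioned.
        "not_provisioned": sorted(hr_users - every),
    }


def new_privileged(accounts, now, window=timedelta(hours=24)):
    """Daily report: enabled privileged accounts created inside the window."""
    return sorted(a.name for a in accounts
                  if a.enabled and a.groups & PRIVILEGED_GROUPS
                  and timedelta(0) <= now - a.created <= window)


def privileged_review(hr_users, accounts):
    """Monthly report: every enabled privileged account and whether it maps to a person."""
    return sorted((a.name, a.name in hr_users) for a in accounts
                  if a.enabled and a.groups & PRIVILEGED_GROUPS)


if __name__ == "__main__":
    hr = load_hr(HR_EXPORT)
    directory = load_directory(DIRECTORY_EXPORT)
    print("nightly diff:", reconcile(hr, directory))
    print("new privileged (24h):", new_privileged(directory, SAMPLE_NOW))
    print("monthly privileged review:", privileged_review(hr, directory))
```

Names are lower-cased on both sides before comparison so that a case difference between the two exports does not produce a false mismatch, and disabled accounts are excluded from the unmatched list because they cannot be used to log in.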

3. Server Patching

Most vulnerabilities sneak in on servers and desktops because they are not running critical security patches. There are many examples of ransomware exploits being successful even when patches to prevent them have been available for months. For the patches to work—they need to be installed; so most shops have a monthly patching program.

Does your shop have a way to check that all (I mean all) servers are included in the program and actually running the critical patches? All it takes is one unpatched server to allow access to your entire network. Run a monthly report on all servers and their patch levels. Applying missing critical patches is an easy fix to plug a big hole.

4. Enterprise class anti-spam filter and block links that don’t have a good reputation.

So many excellent solutions to block spam are already in place. For best results, take it one step further for phishing messages that get through. Block any outbound connection that is not whitelisted or that has no reputation or a bad reputation.

End-users clicking on links is a high-percentage method bad actors use to introduce malware into your environment. Shops use end-user security training that instructs people not to click on links that are unknown. Unfortunately, some links are just too tempting—so block the outbound connection. If it blocks a valid business link, a quick call to the service desk can remedy that. It truly is a case of better to be overly cautious than infected.

5. Desktop A/V

Most shops insist every network-attached desktop and laptop is running an up-to-date AV. Do your AV and client support reporting status back to a central console in real time? A console can validate the client machine is up to date and will alert when a virus or attack is occurring—and can automatically disable network access and open a ticket.

A best practice is to block network access if a client machine is not running the AV with a current signature file. Protecting the network from infected or rogue machines by blocking network access outweighs the inconvenience of a single end user.

6. Edge Security

Ensure all entry points into the network infrastructure are secured with firewalls and IPS. There are many good products and strategies for this. Have your team present the current situation and talk about any missing pieces or outdated products. Ask the team what their process is for updating products including firmware. They should be able to produce a list of all installed product versions including firmware as compared to the vendor’s most current versions. Make sure products run on the most current firmware and there is a process for updating it. Lastly, don’t let products get too far behind on versions. New features and capabilities in current versions are designed to keep up with threats.

7. Event Correlation

Ensure logs of infrastructure (network, server, SAN, etc.) are sent through an event correlation solution. This allows what look like small events to be correlated into an alert because, in actuality, they are a larger event. This can be a cloud-based service or you can develop an in-house capability. If starting from scratch, consider using a trusted vendor or consultant to support you on this. Doing this right has strategic benefits. Doing this wrong means being flooded with meaningless data and not being able to act.

8. 2 Factor Authentication

Use 2 Factor Authentication for remote access to resources that would normally only be accessible if you were at a corporate location, for example VPN & VDI. Most shops have this. Do you use it for Webmail? I would.

Strongly consider 2-factor authentication for (regular) local machine and network login for end-users that have access to move money, such as setting up and executing fund and wire transfers. Or have the fund transfer application require a second authorization—so that a bad actor (internal or external) cannot gain access and transfer funds to themselves (yes, that happens).

9. Social Engineering

Keep System Admins from being a target for social engineering and email phishing attacks. Ask every person in IT with elevated privileges to use generic job descriptions on all their social media accounts, especially LinkedIn, so they do not become targets of social engineering attacks. Because, yes, that happens. For example, instead of titles like Server Administrator, System Administrator, Back-Up Administrator, Systems Engineer – use something non-specific like Office of Technology Associate, Enterprise Services Technician, etc.

10. Be very serious about least privilege.

End-user and service accounts should not be running with administrator privileges. The only accounts with administrator privileges should be trained professional system administrators (period). Protect the organization from end-users installing (unknowingly) malware on their machine by granting the standard user access.

With Windows 7 and 10, it is very straightforward to remove administrator level from the local user account. For some shops, this may require a desktop OS architect to look at how your applications run on the desktop without running as an administrator.

Service accounts running with administrative rights pose a danger as well. Most shops with a large installed base of homegrown applications use hundreds of service accounts. If your shop does not have a secure practice and naming convention for service account management—pull a team together to address this situation.

10 Signs You Should Invest in an Information Security Program

Why Should You Invest in an Information Security Program?

Imagine the following, your business is doing well and things are spinning along at a perfect pace. You read about another information security threat making the news, but you have remained untouched by any major mishaps. You may wonder “Why invest in a security program?”. “Is my organization really at risk?”

If you have found yourself asking the questions above, or if you’re uncertain whether your organization needs an information security program, read this list of red flags to see whether it’s time to create an information security plan.

You Aren’t Sure If You’re at Risk

If you need to ask if your organization is at risk for a security breach, then it’s likely that you are. Understanding the level of risk your organization has accepted is a basic element of a comprehensive information security program.

Your Company Isn’t All on the Same Page

One of the reasons organizations invest in an information security program is to identify threats so that a mitigating strategy can be created. The identification of threats allows an organization’s IT department to meet with executive leadership to create a mitigating strategy. Without this concrete information, the IT branch may lose the backing of executive leadership. This denies the IT department the resources needed to protect the organization’s data. By convincing executive leadership to invest in an information security program, you can obtain the approval and resources to make your data more secure.

Information Security is Viewed as Only an IT Issue

In some organizations, security is viewed as solely a technical concern, so it becomes only the responsibility of the IT department. In reality, information security issues touch every process, person, and technology within any organization. As a result, it shouldn’t just be an IT department concern but the entire organization’s concern.

Your Information Security Program is Disconnected from the Budgeting Process

When a comprehensive information security program is implemented, your team needs to plan their security budget carefully. Appropriately funding your information security program can ensure there is enough funding to put the proper systems in place to identify and handle threats. Many organizations view security as a cost center; because of this, information security programs are often underfunded. If your information security program is having issues with funding, one possibility may be that leadership doesn’t see the value in investing in a proper information security program.

Your Information Security Program is All Policy

Another sign that an organization needs to revamp its information security program is when the “program” consists of only policy. Policies are documented rules that an organization self-imposes. If an organization has established some information security policies but never actively enforces those policies then the policy is useless.

…Or There Is No Policy

Even worse than having a policy that’s ignored is having no policy at all. If your organization has no policies around information security and data protection, then investing in an information security program will assist you in developing those policies.

You Aren’t Leading by Example

A definite red flag that an information security program needs revamping is when enforcement of information security policies doesn’t apply to management. Employees notice when the people lecturing them on certain aspects of security aren’t practicing what they preach. This sends a contradicting message and makes the information security policies seem unimportant.

There Is No Clear Plan in Place for a Security Breach

When a security incident occurs, an organization with a well-run information security program will have a plan that automatically kicks into action. Time is of the essence when potential data loss is a possibility. If your organization does not have a plan ready for a security incident then you need an information security program.

You Don’t Prioritize Protection of Customer Data

Saying you protect your customers’ information is one thing while taking steps to protect it is something entirely different. If your customer data protection has no substance then you need an information security program to back up the talk with real action.

You Set Up Your Information Security Program and Simply Forgot About It

Perhaps you’ve already invested in an information security program…several years ago. If you’ve set up security policy and controls but have never gone back to revisit and reassess them, it’s time to make another commitment to your information security program. An information security program is a continuous process that needs to match an ever-changing threat landscape. In this ever-changing environment, you owe this kind of diligence to your company, your employees, and your clients.

If you’re unsure of how to build and maintain a comprehensive information security program for your organization, contact CISOSHARE. Our team has the experience and knowledge to help get you started.

General Data Protection Regulation (GDPR) | Overview, Benefits, Rules, and What it Means for Your Organization

What Is the General Data Protection Regulation (GDPR) and How Does It Affect My Organization?

If your organization deals with the processing of personal data, maintaining the security and privacy of that data should be your organization’s top priority. The regulation of data security and privacy is constantly changing, and organizations must be aware of these changes. These regulations and protections not only keep your organization’s data secure but are also required by law.

Formalized since April 2016, GDPR applies to all organizations conducting business within Europe or with European clients.

By May 25, 2018, organizations that are not in compliance with the regulation, or that have a data breach while not in compliance, will be fined up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding year, whichever is higher.

GDPR Rules Explained:

Overview of the GDPR

Up until recently, most data protection laws within the European Union (EU) were based on the Data Protection Directive (EU Directive 95/46/EC) laid out in the mid-90’s. Although this directive covered the basics of data privacy, it had long-since become outdated due to emerging technologies.

The EU has worked for over four years to develop an updated regulation to create stronger privacy protection rules for individuals. The new regulations would also eliminate some of the red tape that created additional expenses for organizations.

Benefits for Individuals

One mandate for GDPR is the portability of personal data. This means that an individual has the right to securely move, copy or transfer their personal data stored by any organization.

Another mandate put forward by GDPR requires notification of a security breach to individuals who have had their personal data leaked. An individual is only notified if the security breach is likely to result in a high risk to the rights and freedoms of that individual.

Individuals also have the right to erasure under GDPR. This means that any individual has the right to have their personal data erased and prevented from being processed if certain conditions (such as an individual withdrawing their consent) are met.

In addition, GDPR enables the right to restrict processing and access. This gives an individual the ability to decide how their personal data can be processed and who can access their personal data.

New Rules for Organizations

When a data breach occurs, it’s important that an organization acts quickly. This is because GDPR requires that any security breach is reported to a relevant supervisory authority within 72 hours. To help prevent these breaches in the first place, GDPR requires that data protection is taken into consideration during the earliest stages of designing any personal data processing system. Another GDPR requirement is that organizations must appoint a Data Protection Officer to keep records of all data-processing activities.

Data Protection Impact Assessments (DPIA) are mandated by regulation to require organizations to identify and mitigate any high risks that may exist when processing an individual’s personal data. The regulation also lays out specific requirements for data encryption and the attestation process of compliance with the new rules.

GDPR does not only consist of new restrictions and processes for organizations; it also lifts some of the old regulations. Organizations no longer must notify local authorities whenever personal data is processed. This was a frustrating regulation for organizations that conducted business in multiple countries. Although the notification requirement was removed, organizations must still keep an inventory of personal data they process.

In addition to the lifting of local notification rules, GDPR will be introducing new data protection certifications by which an organization can demonstrate compliance to current and potential clients.

What Does GDPR Mean for Your Organization?

If your organization or your organization’s clients are located within the European Union, they must comply with the rules laid out in GDPR. Many organizations are unaware that this regulation directly impacts them.

If you have questions about GDPR or if you are uncertain whether your organization is compliant with GDPR, CISOSHARE can help. Contact our information security experts and ensure that your systems are up-to-date and ready to handle this new regulation.

About NIST 800-171 And The Additional Requirements Laid Out By The DFARS

The NIST 800-171 Deadline Is Approaching. Is Your Organization Prepared?

When an organization works with government agencies such as the Department of Defense (DoD), protecting sensitive information is key. A whole host of rules and regulations govern how third parties must handle such information, and failure to ensure compliance could result in loss of government contracts.

Starting in December 2015, the Defense Federal Acquisition Regulation Supplement (DFARS) laid out additional requirements that organizations must adhere to while working with the DoD. The compliance deadline for the clauses, NIST Special Publication (SP) 800-171, has been extended to December 31, 2017. Will your organization be prepared when this round of federal acquisition regulations goes into effect?

What Is NIST 800-171?

The title of the clause, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” gives an excellent summary of its purpose. The DoD requires that third party contractors provide certain assurances about the security of their IT systems if they would like to continue working with the Department and receiving sensitive information.

The “covered defense information” that concerns the DoD in this clause is their form of “Controlled Unclassified Information.” The DoD defines such information as being:

[…] unclassified controlled technical information or other information as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is

1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Failure to meet the December 31 deadline can prevent an organization from securing future government contracts with the DoD.

How Can My Organization Ensure NIST 800-171 Compliance?

Even if your organization is already well on the way to being DFARS compliant, it’s essential to ensure that it meets all NIST 800-171 requirements by the deadline. It’s quite a taxing process to be certain that all of your organization’s processes align with the controls laid out in NIST 800-171.

The initial NIST 800-171 implementation is only the first step in NIST 800-171 compliance. Once all processes are in place, they must be continually monitored and tested to validate their configuration.

NIST 800-171 Compliance with CISOSHARE

At CISOSHARE, getting our clients’ information security systems up-to-date is our specialty. From the healthcare field to working with government agencies, we are well-versed on what is required to ensure that all systems and procedures adhere to strict laws and standards. We work tirelessly to meet all customer, regulatory, and competitive demands in our field.

This includes the regulations laid out in DFARS. If your organization is struggling to understand and implement the requirements listed in NIST 800-171, contact CISOSHARE. We’ll get you on the path to compliance well before this year’s deadline and ensure that your systems stay well within the letter of the law even after the deadline has passed.

Ransomware | What You Need to Know About Ransomware & Awareness Tips

What You Need to Know About Ransomware

Over the past few months, the ransomware outbreaks “WannaCry” and “Petya” have both made media headlines. Both outbreaks disrupted or halted business operations of organizations across the globe. For the past few years, ransomware has been a growing threat, but now it has matured into a threat that cannot be ignored anymore. Most ransomware infections are preventable with a proper cyber security program.

What is Ransomware?

Ransomware is a term to describe malware that holds a user’s data hostage until a ransom is paid. There are many variations of this type of malware, and each variation is designed differently, but the end goal is always to extort money from a victim.

How Does Ransomware Spread and How to Recognize Ransomware

Ransomware infections commonly begin when a victim visits a malicious website or opens a suspicious file. These infection vectors are often delivered via a phishing email. Phishing emails are designed to entice a victim to do some action like clicking a link to a website or opening an email attachment.

If a victim clicks a link to a malicious internet site, the victim’s web browser is scanned for security vulnerabilities. A security vulnerability is a software flaw that opens a computer to the possibility of an attack. If the web browser is found vulnerable, the security vulnerability is exploited, and ransomware is deployed.

If the victim opens an email attachment, the malicious document may have a small program embedded in it that is utilized to download and execute ransomware. Once a computer is infected with ransomware, it typically encrypts all data and displays a ransom note informing the victim what has happened and how to pay the ransom.

Ransomware Prevention

To reduce the risk of ransomware infection, an organization needs to have a patch management program and periodic security awareness training for users. These two items can prevent most ransomware infections from occurring.

A patch management program involves a recurring process of updating all computer systems in an organization by applying software patches. A software patch can contain either a new software feature or a fix for a software flaw, also called a bug. Sometimes a software bug can be classified as a security vulnerability. A software patch can close known security vulnerabilities. Ransomware often uses security vulnerabilities to spread and infect computers.

Security awareness training communicates to an organization’s users about phishing emails. Since phishing emails are the most common delivery method for ransomware, a program that trains users to spot phishing emails can help prevent ransomware infections. Training should inform users about the dangers of opening email attachments and clicking web links from unsolicited emails. Testing of users should be done periodically to ensure that users apply what they learned in their security awareness training.

How an Incident Management Plan Helps with Ransomware Recovery

Recovery from a ransomware infection depends on having an already established incident management and disaster recovery plan. To be effective, both plans should be in place before a ransomware infection occurs.

An incident management plan involves detecting, investigating and remediating an incident. An incident is any event that negatively affects business operations. An incident, like a ransomware infection, needs to be detected and identified promptly so that a remediation plan can be put together. Most ransomware variants have a deadline for when a ransom can be paid. If a deadline passes, all data becomes completely unrecoverable.

A ransomware infection can be detected through user feedback. Often, users are the first to notice suspicious activity on their computers. If a user is presented with a ransom note, a process of reporting and escalating events needs to be created. Once a ransomware infection has been detected, information about the event can be collected to assist in forming a remediation plan. A remediation plan is the enacting of a disaster recovery plan.

A disaster recovery plan is a set of steps to recover from an incident after it has impacted business operations. For a ransomware infection, a disaster recovery plan focuses on recovering data that was taken hostage and cleaning computer systems of ransomware.

Can You Recover Your Data Once You Pay the Ransomware?

There are no guaranteed ways to recover data after a ransomware infection. Paying the ransom does not guarantee recovery of data. Business critical data should be periodically backed up in advance of an incident. If infected by ransomware, a recovery process should include wiping the affected system of ransomware and restoring data from a prior backup. Keeping up-to-date backups and periodically testing your recovery process is the only guaranteed way to recover data from a ransomware infection.

Conclusion

All businesses depend on their technology infrastructure to collect, process, and store data. This data is critical for daily business operations. Denial or destruction of this data via ransomware significantly affects business operations. Investing in a cyber security plan can help reduce the risks associated with ransomware. By having a patch management program, you reduce the opportunities for ransomware to infect your organization. Security awareness training can help reduce the chances of users falling for phishing emails that deliver ransomware.

If affected by ransomware, an incident management plan can assist in identifying the infection in a timely manner. A disaster recovery plan can ensure that data can be recovered. The threat posed by ransomware will continue to evolve, but a well-designed cyber security program can help reduce the risks posed by ransomware.

Building an effective Incident Management Program can be complex and time-consuming. CISOSHARE strives to help businesses implement comprehensive solutions to protect the confidentiality, integrity, and availability of an organization’s information. Contact us today to get started or let us know if you have any questions.

Information Security Outsourcing | [White Paper Included]

How Can Information Security Outsourcing Benefit CISOs?

It doesn’t matter if an organization specializes in healthcare, retail sales, or widget manufacturing: every organization needs a comprehensive information security program in order to secure its information from theft, loss, breaches, and other threats.

Unfortunately, the limited number of available dedicated resources with the requisite skills to build a security program, coupled with the swelling demand for them, has created a situation where needed resources are often spread thin. This is why a growing number of CISOs and specialized information security firms look into outsourcing these critical information security services.

The Benefits of Information Security Outsourcing

One of the biggest benefits of outsourcing information security is that it gives an organization the ability to focus on its core business, rather than attempting to become part-time security experts or spending the money to employ them full-time.

Information systems have become increasingly complex, requiring an ever-expanding amount of specialized knowledge to know when something has gone awry and the system isn’t functioning securely. One of the advantages of outsourcing information security is the benefit of in-depth knowledge from experts who are experienced in their specific fields, from setting up firewalls to monitoring various events and calling attention to any issues that arise.

Outsourcing means that the organization doesn’t need to take on additional full-time employees, which can be an expensive endeavor. In addition to paying security employees’ salaries, an organization will also foot the bill for training, as well as all of the technology and equipment necessary to keep operations safe and up-to-date.

Work with Information Security Experts

Working with a third party to provide comprehensive security risk management programs ensures that an organization has access to specialists in a variety of information security fields:

Security Program Assessment and Roadmap Development: Experts in this field will draw on their expertise to assess an organization’s current security program and create a strategic plan to mitigate risks and protect data.

Security Policy and Process Development: Creating an effective security policy means knowing how to craft well-defined rules and a clear process that must be followed in order to keep an organization’s systems and data secure.

Risk Management Program Development: It’s key for an organization to constantly monitor and identify ongoing and potential risks in order to assess them, document them, and immediately take appropriate action.

Progress Dashboard and Board-Level Reporting: An important part of every information security program is being able to effectively communicate valuable information to the rest of the organization, including its leadership. That’s why a progress dashboard is important, as it provides a quick and easy-to-understand view of the current state of the organization’s security, as well as any potential threats.

It’s also key that this information be reported to the board in language that they can understand and in a way that will motivate them to take the steps necessary to ensure the highest levels of security.

Security Architecture Program Development: The experts in charge of this field will work to create an overall design of the organization’s security infrastructure that will connect the various components into one cohesive unit. It’s only through working as one that the various areas can avoid security pitfalls.

Quite often, these security experts will be available 24/7 to quickly take the appropriate action in the event of any sort of breach or emergency.

Building a comprehensive information security program from scratch can be complex and time-consuming, which is why so many CISOs are choosing to outsource information security. That’s why CISOSHARE strives to help businesses build security programs that work. Contact us today in order to get started.

Information Security Architecture | Suite of Preventive & Detective Safeguards

What is an Information Security Architecture?

An information security architecture program is associated with the management and effectiveness of the suite of preventive and detective safeguards as a whole within an environment.

The goal of an information security architecture program is to ensure that all of the security technologies implemented within the environment work together to meet organizational goals. This also often includes understanding the assets and associated data that live within an environment, and then measuring and managing the safeguards that protect those elements.

Common Information Security Architecture Elements:

Data Map – This diagram illustrates where all of the information and assets are located within an organization.

Information Security Architecture Diagram – Illustrates where preventive and detective safeguards are located within an environment.

Information Security Architecture Program Charter – Illustrates the mission and mandate, roles and responsibilities, and objectives of the information security architecture program.

Process Documentation – Every process area associated with information security architecture management should have defined roles and responsibilities, business rules, and associated tools for each process.

Associated Role – The information security architecture program is often managed by the information security architect.

Associated Functions

Information security architecture management is generally comprised of the following functions:

Mgmt. of Data & Asset Map – It is hard to have an effective security architecture if you do not understand what the architecture is protecting. This function understands, categorizes and documents where information and assets are located within the environment.

Documentation of Information Security Architecture – This is the visual presentation of the preventive and detective security safeguards within the environment.

Global Safeguards Responsibilities – It is common for the information security architecture to have either operational or oversight responsibilities over safeguards that are global in nature. Some examples would be associated with Identity Mgmt., Application Development, or logging and monitoring, though there can be others with varying levels of responsibility and accountability for the information security architecture program.

Measurement of Information Security Architecture Effectiveness – These are processes for managing the effectiveness and susceptibility of implemented safeguards within the environment.

Information Security Architecture Communication & Consulting – Since an effective information security architecture includes safeguards implemented across an entire business, this function is designed to support communication and interaction with all areas of the business.

Development & Mgmt. of Information Security Architecture Roadmap – As an organization changes, so will the requirements for an effective information security architecture to protect it.

Building a comprehensive information security program from scratch can be complex and time-consuming, which is why so many CISOs are choosing to outsource information security. That’s why CISOSHARE strives to help businesses build information security programs that work. Contact us today in order to get started.

Survey | Do you Have a Security Program and How do you measure it?

How do you measure your security program?

We’d love to get your feedback!

Take this 3 min survey.
The goal is to understand how organizations are measuring their security program today and how they want to measure it moving forward. The CISOSHARE team needs your support to find new ways to serve and educate our clients.

We will provide the results of the survey once it is closed.

The Healthcare CISO’s Best Practice to HIPAA Compliance [HIPAA Best Practices Download Included]

HIPAA Compliance Best Practice for Healthcare

A CISO’s most valuable tool, apart from their team, is their security program. These procedures govern an organization’s processes in order to protect its information, computer systems, and assets. Potential threats are always looming, and the possibility of a breach by a hacker, theft of information, or system crash is always at the forefront of a CISO’s mind.

Often, the role of a CISO is about more than leading their team to develop strategies to prevent and mitigate threats. Legal compliance is also an issue. In the healthcare world, for instance, CISOs must take HIPAA requirements into consideration in order to protect patient information and remain within the letter of the law. Here are the important things every healthcare CISO should know about the ins and outs of HIPAA.

What Organizations Must Be HIPAA Compliant?

HIPAA concerns about healthcare information security extend beyond just doctors’ offices and hospitals. In fact, any organization that handles or has access to protected healthcare information (PHI) must be fully HIPAA-compliant. Beyond healthcare providers such as doctors, hospitals, dentists, optometrists, pharmacies, nursing homes, and others, this includes a wide variety of other organizations.

Health insurance providers, for instance, must take HIPAA privacy and security rules into consideration. Healthcare clearinghouses also fall within the category of businesses that handle PHI. In addition to these, any vendors or subcontractors who work with any of the above organizations and have access to PHI must also follow HIPAA guidelines.

How Must PHI Be Protected?

A chief information security officer is responsible for ensuring that their organization develops and carries out procedures and programs to protect PHI. The organization is also responsible for documenting the procedures they’ve implemented in order to provide proof of compliance during HIPAA audits.

HIPAA governs PHI protection in many specific areas, including organizational requirements, security standards for the protection of electronic PHI, notification in case of a breach, and privacy of individually identifiable health information.

Start with a Checklist Approach

When an organization is new to applying HIPAA guidance, starting with a checklist-based approach is an efficient way to get the fundamentals of where to begin. There are many HIPAA starter checklists available, but it’s up to the CISO to find and interpret them, as well as work with the organization to establish a way forward. Once agreed upon, they should review these requirements (all of which are mandatory) and develop an approach that enables their organization to achieve and maintain compliance. This approach may include items such as standards pertaining to the HIPAA Security Rule, which includes all safeguards needed to protect electronic PHI both in the organization’s system and as it’s being sent to a third party. It will often also include information about the HIPAA Privacy Rule and will detail when and how PHI can be disclosed. Examples of other items on the list are procedures covering HIPAA’s Breach Notification Rule and its Enforcement Rule, among others. The most important item on any HIPAA checklist will be the implementation of a security risk management program.

Mature to a Risk-Based Approach

At the core of HIPAA guidance is a direction for an organization to use a risk-based approach in making its decisions about how to adequately protect PHI. So start with a checklist to get acquainted with how to move forward, but then ensure that you implement a security risk management program to get you over the finish line. In many instances, this will save you time as you can use risk analysis as a valid way to demonstrate why you do or don’t need to implement safeguards, as well as the degree of complexity in the implementation.

Employees and Third Parties

Each organization that’s covered under HIPAA requirements must ensure that its employees are all following the proper procedures in order to avoid a breach. It’s also the covered organization’s responsibility to make certain that all third parties with which it works (subcontractors and vendors, for instance) that have access to PHI are HIPAA-compliant. This compliance must be documented in writing.

It’s the healthcare organization’s responsibility to be certain that all of its employees and third-party connections are maintaining and documenting procedures that comply with all of the various HIPAA requirements. At the end of the day, however, it’s the organization’s CISO who is ultimately responsible for developing the strategy and implementing the education and training necessary to make all of this happen.

Building a comprehensive information security program from scratch can be complex. That’s why CISOSHARE strives to help businesses build security programs that work. Contact us today in order to get started.

CISO | Top Roles & Responsibilities of a Chief Information Security Officer [Checklist included]

CISO | Top Roles and Responsibilities 

Many people mistakenly think a CISO (Chief Information Security Officer) is simply head of technical security operations – sort of an IT manager – and that’s the extent of their role. The truth is that while CISOs must be tech-savvy, their responsibilities demand much more. They must be excellent communicators and leaders, as well as incredibly good at understanding the big picture. In this article, we’ll explore some of the top responsibilities that belong to an organization’s CISO and discuss how an information security program can help.

Legal Compliance Translator

A CISO’s duties are about more than simply eliminating threats that could be dangerous or inconvenient for the organization itself. They’re also charged with ensuring that the organization is in compliance with legal requirements that internal counsel or compliance deem applicable to the environment. Whether it’s making sure all information handled by a medical organization is in compliance with HIPAA, or ensuring that use and storage of all credit card information is PCI-compliant, a CISO is key in keeping an organization from unintentionally running afoul of the law.

Ever-Alert for Security Threats

Part of a CISO’s responsibilities is building a team that will help assess existing threats, as well as identify potential new ones. This will help them determine what steps need to be taken to prevent data breaches, theft, viruses, and other threats to an organization’s assets, as well as employee and client information.

Effective Communicator Between IT Operations and Leadership

It’s key that a CISO has excellent communication skills. One of their biggest roles will be as a liaison between the technical operations side of the organization and the leaders who steer the business itself. When a CISO identifies that an investment needs to be made in order to prevent a threat, it’s important that they be able to effectively communicate – in business terms – how this threat may affect the big picture and the organization’s bottom line.

Often, business leaders don’t know technical-speak and often IT specialists in an organization don’t know how to address the business side of things. A CISO must be able to move fluidly between the two worlds and speak both languages.

Help Train Employees and Implement Policies

Threat-reduction strategies are only effective if they’re put into consistent use. In order for this to happen, a CISO needs the entire team on board. This means all employees will need to help implement policies that will reduce threats and improve security. It could mean properly password-protecting their work laptops if they remove them from the office, or knowing what patient information is protected under medical privacy laws. A CISO will be tasked with helping all employees clearly understand why certain policies are in place, as well as helping to train them in information security and to use any new software or devices that are necessary to ensure security and legal compliance.

How Does an Information Security Program Support a CISO with Their Role & Responsibilities?

An information security program involves layers of procedures and policies that are put into place to protect an organization from various security threats. Rather than playing catch up after a data disaster has already occurred, security programs are designed to mitigate threats before they become real problems.

A CISO can’t design and implement an information security program alone. Rather, they need their entire team to work together – from the members of the CISO’s security group and the business leadership who design and approve procedures and policies to employees who work to adhere to them for the benefit and well-being of the organization.

Building a comprehensive information security program from scratch can be complex. That’s why CISOSHARE strives to help businesses build security programs that work. Contact us today in order to get started.