Information Security Outsourcing | [White Paper Included]

How Can Information Security Outsourcing Benefit CISOs?

It doesn’t matter if an organization specializes in healthcare, retail sales, or widget manufacturing: every organization needs a comprehensive information security program in order to secure its information from theft, loss, breaches, and other threats.

Unfortunately, the limited number of dedicated resources with the requisite skills to build a security program, coupled with the swelling demand for them, has created a situation where the needed resources are often spread thin. This is why a growing number of CISOs look into outsourcing these critical information security services to specialized information security firms.

The Benefits of Information Security Outsourcing

One of the biggest benefits of outsourcing information security is that it gives an organization the ability to focus on its core business, rather than attempting to become part-time security experts or spending the money to employ them full-time.

Information systems have become increasingly complex, requiring an ever-expansive amount of specialized knowledge to know when something has gone awry and the system isn’t functioning securely. One of the advantages of outsourcing information security is the benefit of in-depth knowledge from experts who are experienced in their specific fields, from setting up firewalls to monitoring various events and calling attention to any issues that arise.

Outsourcing means that the organization doesn’t need to take on additional full-time employees, which can be an expensive endeavor. In addition to paying security employees’ salaries, an organization will also foot the bill for training, as well as all of the technology and equipment necessary to keep operations safe and up-to-date.

Work with Information Security Experts

Working with a third party to provide comprehensive security risk management programs ensures that an organization has access to specialists in a variety of information security fields:

Security Program Assessment and Roadmap Development: Experts in this field will draw on their expertise to assess an organization’s current security program and create a strategic plan to mitigate risks and protect data.

Security Policy and Process Development: Creating an effective security policy means knowing how to craft well-defined rules and a clear process that must be followed in order to keep an organization’s systems and data secure.

Risk Management Program Development: It’s key for an organization to constantly monitor and identify ongoing and potential risks in order to assess them, document them, and immediately take appropriate action.

Progress Dashboard and Board-Level Reporting: An important part of every information security program is being able to effectively communicate valuable information to the rest of the organization, including its leadership. That’s why a progress dashboard is important, as it provides a quick and easy-to-understand view of the current state of the organization’s security, as well as any potential threats.

It’s also key that this information be reported to the board in language that they can understand and in a way that will motivate them to take the steps necessary to ensure the highest levels of security.

Security Architecture Program Development: The experts in charge of this field will work to create an overall design of the organization’s security infrastructure that will connect the various components into one cohesive unit. It’s only through working as one that the various areas can avoid security pitfalls.

Quite often, these security experts will be available 24/7 to quickly take the appropriate action in the event of any sort of breach or emergency.

Building a comprehensive information security program from scratch can be complex and time-consuming, which is why so many CISOs are choosing to outsource information security. That’s why CISOSHARE strives to help businesses build security programs that work. Contact us today in order to get started.

Information Security Architecture | Suite of Preventive & Detective Safeguards

What is an Information Security Architecture?

An information security architecture program is concerned with the management and effectiveness of the suite of preventive and detective safeguards, taken as a whole, within an environment.

The goal of an information security architecture program is to ensure that all of the security technologies implemented within the environment work together to meet organizational goals. This often also includes understanding the assets and associated data that live within an environment, and then measuring and managing the safeguards that protect those elements.

Common Information Security Architecture Elements:

Data Map – This diagram illustrates where all of the information and assets are located within an organization.

Information Security Architecture Diagram – Illustrates where preventive and detective safeguards are located within an environment.

Information Security Architecture Program Charter – Describes the mission and mandate, roles and responsibilities, and objectives of the information security architecture program.

Process Documentation – Every process area associated with information security architecture management should have defined roles and responsibilities, business rules, and associated tools.

Associated Role – The information security architecture program is often managed by the information security architect.

Associated Functions

Information security architecture management is generally comprised of the following functions:

Management of Data & Asset Map – It is hard to have an effective security architecture if you do not understand what the architecture is protecting. This function understands, categorizes, and documents where information and assets are located within the environment.

Documentation of Information Security Architecture – This is the visual presentation of the preventive and detective security safeguards within the environment.

Global Safeguards Responsibilities – It is common for the information security architecture program to have either operational or oversight responsibilities over safeguards that are global in nature. Examples include identity management, application development, and logging and monitoring, though there can be others with varying levels of responsibility and accountability for the information security architecture program.

Measurement of Information Security Architecture Effectiveness – These are the processes for managing the effectiveness and susceptibility of the safeguards implemented within the environment.

Information Security Architecture Communication & Consulting – Since an effective information security architecture includes safeguards implemented across an entire business, this function is designed to support communication and interaction with all areas of the business.

Development & Management of Information Security Architecture Roadmap – As an organization changes, so will the requirements for an effective information security architecture to protect it.

Building a comprehensive information security program from scratch can be complex and time-consuming, which is why so many CISOs are choosing to outsource information security. That’s why CISOSHARE strives to help businesses build information security programs that work. Contact us today in order to get started.

Survey | Do you Have a Security Program and How do you measure it?

How do you measure your security program?

We’d love to get your feedback!

Take this 3 min survey.
The goal is to understand how organizations are measuring their security program today and how they want to measure it moving forward. The CISOSHARE team needs your support to find new ways to serve and educate our clients.

We will provide the results of the survey once it is closed.

The Healthcare CISO’s Best Practice to HIPAA Compliance [HIPAA Best Practices Download Included]

HIPAA Compliance Best Practice for Healthcare

A CISO’s most valuable tool, apart from their team, is their security program. These procedures govern an organization’s processes in order to protect its information, as well as computer systems, and assets. Potential threats are always looming, and the possibility of a breach by a hacker, theft of information, or system crash is always at the forefront of a CISO’s mind.

Often, the role of a CISO is about more than leading their team to develop strategies to prevent and mitigate threats. Legal compliance is also an issue. In the healthcare world, for instance, CISOs must take HIPAA requirements into consideration in order to protect patient information and remain within the letter of the law. Here are the important things every healthcare CISO should know about the ins and outs of HIPAA.

What Organizations Must Be HIPAA Compliant?

HIPAA concerns about healthcare information security extend beyond just doctors’ offices and hospitals. In fact, any organization that handles or has access to protected healthcare information (PHI) must be fully HIPAA-compliant. Beyond healthcare providers such as doctors, hospitals, dentists, optometrists, pharmacies, nursing homes, and others, this includes a wide variety of other organizations.

Health insurance providers, for instance, must take HIPAA privacy and security rules into consideration. Healthcare clearinghouses also fall within the category of businesses that handle PHI. In addition to these, any vendors or subcontractors who work with any of the above organizations and have access to PHI must also follow HIPAA guidelines.

How Must PHI Be Protected?

A chief information security officer is responsible for ensuring that their organization develops and carries out procedures and programs to protect PHI. The organization is also responsible for documenting the procedures they’ve implemented in order to provide proof of compliance during HIPAA audits.

HIPAA governs PHI protection in many specific areas, including organizational requirements, security standards for the protection of electronic PHI, notification in case of a breach, and privacy of individually identifiable health information.

Start with a Checklist Approach

When an organization is new to applying HIPAA guidance, starting with a checklist-based approach is an efficient way to get the fundamentals of where to begin. There are many HIPAA starter checklists available, but it’s up to the CISO to find and interpret them, as well as to work with the organization to establish a way forward. Once agreed upon, they should review these requirements (all of which are mandatory) and develop an approach that enables their organization to achieve and maintain compliance. This approach may include items such as standards pertaining to the HIPAA Security Rule, which covers all safeguards needed to protect electronic PHI both within the organization’s systems and as it’s being sent to a third party. It will often also include information about the HIPAA Privacy Rule and will detail when and how PHI can be disclosed. Examples of other items on the list are procedures covering HIPAA’s Breach Notification Rule and its Enforcement Rule, among others. The most important item on any HIPAA checklist will be the implementation of a security risk management program.

Mature to a Risk-Based Approach

At the core of HIPAA guidance is a direction for an organization to use a risk-based approach when deciding how to adequately protect PHI. So start with a checklist to get acquainted with how to move forward, but then ensure that you implement a security risk management program to get you over the finish line. In many instances this will save you time, since you can use risk analysis as a valid way to demonstrate why you do or don’t need to implement a given safeguard, as well as the degree of complexity warranted in its implementation.

Employees and Third Parties

Each organization that’s covered under HIPAA requirements must ensure that its employees are all following the proper procedures in order to avoid a breach. It’s also the covered organization’s responsibility to make certain that all third parties with which it works (subcontractors and vendors, for instance) that have access to PHI are HIPAA-compliant. This compliance must be documented in writing.

It’s the healthcare organization’s responsibility to be certain that all of its employees and third-party connections are maintaining and documenting procedures that comply with all of the various HIPAA requirements. At the end of the day, however, it’s the organization’s CISO who is ultimately responsible for developing the strategy and implementing the education and training necessary to make all of this happen.

Building a comprehensive information security program from scratch can be complex. That’s why CISOSHARE strives to help businesses build security programs that work. Contact us today in order to get started.

CISO | Top Roles & Responsibilities of a Chief Information Security Officer [Checklist included]

CISO | Top Roles and Responsibilities 

Many people mistakenly think a CISO (Chief Information Security Officer) is simply head of technical security operations – sort of an IT manager – and that’s the extent of their role. The truth is that while CISOs must be tech-savvy, their responsibilities demand much more. They must be excellent communicators and leaders, as well as incredibly good at understanding the big picture. In this article, we’ll explore some of the top responsibilities that belong to an organization’s CISO and discuss how an information security program can help.

Legal Compliance Translator

A CISO’s duties are about more than simply eliminating threats that could be dangerous or inconvenient for the organization itself. They’re also charged with ensuring that the organization is in compliance with the legal requirements that internal counsel or compliance deem applicable to the environment. Whether it’s making sure all information handled by a medical organization is in compliance with HIPAA, or ensuring that the use and storage of all credit card information is PCI-compliant, a CISO is key in keeping an organization from unintentionally running afoul of the law.

Ever-Alert for Security Threats

Part of a CISO’s responsibilities is building a team that will help assess existing threats, as well as identify potential new ones. This will help them determine what steps need to be taken to prevent data breaches, theft, viruses, and other threats to an organization’s assets, as well as to employee and client information.

Effective Communicator Between IT Operations and Leadership

It’s key that a CISO has excellent communication skills. One of their biggest roles will be as a liaison between the technical operations side of the organization and the leaders who steer the business itself. When a CISO identifies that an investment needs to be made in order to prevent a threat, it’s important that they be able to effectively communicate – in business terms – how this threat may affect the big picture and the organization’s bottom line.

Business leaders often don’t speak technical jargon, and IT specialists in an organization often don’t know how to address the business side of things. A CISO must be able to move fluidly between the two worlds and speak both languages.

Help Train Employees and Implement Policies

Threat-reduction strategies are only effective if they’re put into consistent use. In order for this to happen, a CISO needs the entire team on board. This means all employees will need to help implement policies that will reduce threats and improve security. It could mean properly password-protecting their work laptops if they remove them from the office, or knowing what patient information is protected under medical privacy laws. A CISO will be tasked with helping all employees clearly understand why certain policies are in place, as well as helping to train them in information security and to use any new software or devices that are necessary to ensure security and legal compliance.

How Does an Information Security Program Support a CISO with Their Role & Responsibilities?

An information security program involves layers of procedures and policies that are put into place to protect an organization from various security threats. Rather than playing catch up after a data disaster has already occurred, security programs are designed to mitigate threats before they become real problems.

A CISO can’t design and implement an information security program alone. Rather, they need their entire team to work together – from the members of the CISO’s security group and the business leadership who design and approve procedures and policies to employees who work to adhere to them for the benefit and well-being of the organization.

Building a comprehensive information security program from scratch can be complex. That’s why CISOSHARE strives to help businesses build security programs that work. Contact us today in order to get started.

CISOs | Best Practices to Understand, Communicate and Make Informed Decisions

CISOs | Guide to Informed Decision Making and Moving it Forward

As the lead protector of information security within an organization, a chief information security officer (CISO) must understand the risks that exist, as well as be able to clearly communicate those risks and possible solutions to the organization’s leadership. In addition to this, they have to be able to make informed decisions about what risks demand attention and the best strategies to mitigate those risks.

A security program is the key to helping a CISO, and the organization itself make informed decisions.

What is a Security Program?

A security program involves a set of policies and procedures that are put in place to protect data; measurement processes to understand risk and the impact of various threats on an organization’s assets, communications, and systems; and remediation activities. Members of an organization’s security group are in charge of implementing these procedures and of the effectiveness of this overall system.

If the CISO is the general of this information security army, the rest of the team are like soldiers who each have various roles. First, the security architect works as a kind of lieutenant, managing preventative and detective informational safeguards and ensuring that they all work together like a well-oiled machine.

Meanwhile, the security engineer is responsible for managing specific preventative and detective technologies within the organization. Finally, the security analyst does research into the performance of current security and measurement processes in order to determine results, as well as any changes that need to be made.

How Does a Security Program Help a CISO Understand Risks?

Protecting an organization’s data is about more than simply stopping attackers. It’s about protecting the organization’s clients, as well as its employees. A strategically designed security program will do more than simply stop threats; it will also help an information security officer better understand and anticipate new ones in order to prevent them from occurring.

A security program will provide a look into an organization’s processes and show areas where non-compliance with certain requirements can result in data breaches or other risks. This could be anything from employees failing to properly secure information on their laptops while traveling on business to staff not understanding how to safely handle credit card numbers while using the organization’s point-of-sale system.

Excellent Communication Across the Organization

Once a CISO is able to make an informed decision about which threats demand attention, as well as the best way to combat them, the work isn’t over. CISOs then have to act as a business advisor to the organization’s executives, educating them so that they can make informed decisions about where to best deploy organizational resources and funding. This advice may involve showing the value of purchasing the appropriate security products or implementing measures to ensure that potential security threats do not become a reality.

This communication flow is only made possible with an effective security program in place. It is the system that will ensure that both the CISO and organizational stakeholders are always working with the best possible information in any given situation.

From Education to Implementation

A strategically designed security program is much more than IT putting software in place to keep information in and hackers out. It’s an intricate system that identifies potential threats, measures them, and then supports the analysis, decision making, and implementation of remediation to reduce them when it makes sense. By using this system, a CISO will be able to properly understand risks and communicate them to the rest of the company so that everyone can work together to respond to those threats in an appropriate manner. Organizational leaders benefit by getting effective and appropriate information along the way to make informed decisions, as well as the most cost-effective implementation of those decisions once made.

If your organization isn’t sure where to start with building a security program, contact CISOSHARE to find out how to get started. We have been helping organizations build security programs to protect data and organizational assets for over 20 years.

What Security Assessment Framework Is Best For Your Organization?

How to Choose a Security Assessment Framework | SOC vs ISO vs HITRUST CSF

The most important driver of which framework you select should always be your internal business objectives for information security: begin by understanding those objectives, then select the framework that best supports them.

While this is what you should do, organizations often go with a particular framework because a client, partner, or external assessor tells them they should. THIS IS A BIG MISTAKE.

How Security Assessment Frameworks Support Objectives

Below are common objectives for an organization, along with the frameworks that work best for each. This list is not comprehensive, but it should give you an idea of how frameworks support objectives.

We want a framework to use as a benchmark to see how our current security program stacks up

I like to use a combination of the ISO 27001 standard as well as NIST 800-53 as a starting point to get a good set of safeguards that you can compare your environment against.

If you are in healthcare, you can also use the HITRUST framework, but I think this is overkill, especially if you do not have an established benchmark to begin with.

We want to impress our customers with security

Many times people think ISO 27001 certification or some other certification framework will do this. What people forget is that these programs take years to get through all of the certification steps. It also takes a great deal of resources to get through the certification red tape, an effort that helps with certification but does not actually increase security. For most organizations, you are better served by focusing on implementing a true security program that aligns to ISO but does not focus on the certification elements. I have also written some other suggestions on quick things any organization can do that will make your organization appear more secure to customers, which can also help in this area.

We are a service provider that must demonstrate our service is secure

In these situations, if your service is critical to your customers (i.e., you run a data center, process financial transactions for customers, etc.), a SOC assessment process might be the way forward. In these situations, you have to be in the core value chain for another business, which should be fairly easy to determine.

Be aware that many organizations are requiring their customers to get SOC audits and remediation without justification, in my opinion. Don’t fall into this trap if you don’t have to.

We process, store or transmit credit cards on behalf of people or customers

You should align to the Payment Card Industry (PCI) guidance.

We want to certify our security effort

Again, I ask, why do you want to do this? In my opinion, there is no correlation between increased security and certification.

However, if your organization aligns to ISO in other areas of the business, ISO 27001 probably makes the most sense. In healthcare, HITRUST is available, but I really think it is overkill in almost every situation I have seen it applied.

We want to make informed decisions about information security to protect our business

This is the methodology we teach at CISOSHARE. If you can make informed business decisions, you will always be best situated to implement an informed approach. It is also important to note you can align to other frameworks, even certify, but still not have this most critical capability.

If you have any questions, connect with us and let us know how we can help you move your Security Program forward.

Security Policy | Top 5 Tips for Implementing a New Security Policy

Considerations to Keep in Mind When Implementing New Security Policies

Any time you implement a new security policy into an environment, you are implementing change. Change can have positive effects, but there are often very specific considerations when producing a new security policy that can be the difference between a policy that meets business needs and one that does not. Here are the top tips:

Top 5 Tips When Implementing New Security Policy: 

Tip #1: Publish Your Security Policy – Many times people spend most of their policy development efforts on building the security policies, but forget to make them available so people know what they are. It is even worse when you punish someone for not following a policy that is unavailable.

I was recently on a vacation where the resort implemented a policy to claim items left on a lounge chair, to prevent people from reserving the best chairs while not there. Good idea for the late sleepers, but the resort just took people’s stuff and then left a note that said they were claiming it according to published policy. Great, but the policy was not published anywhere. For those of us early risers who work on the lounge chairs in the morning, we got to watch person after person get infuriated as they found their notes.

Tip #2: Ensure Security Policy Instruction is Clear – The verbiage in a security policy needs to be clear, and it must also be in the language of the audience. Do not use acronyms that people will not understand, and do not use specialized terms unless they are clearly defined. Most importantly, I generally leave all security nomenclature out of my security policies unless the terms are strictly defined.

Tip #3: Understand Outlier Situations – There are always wacky people in your organization who work outside the normal working conditions, which is normal for them but may break policy. The funny thing is that these people are often abnormal in a good way: the top producers, the most creative, THE MOST IMPORTANT TO YOUR ORGANIZATION. Ensure that your security policies consider these people and situations in their application.

Tip #4: Understand Security Policy Liability – Make sure you think through the liability in your security policies. If you set a direction to inspect every bag that comes into your building, fine, but think through what happens if your team breaks something while doing it.

Tip #5: Match the “Why” with Application – There should be a very clear reason why you have a specific security policy. Further, once implemented, you need to measure if the application of your security policy, in the end, addresses the why. Simple exercise, but very powerful and often forgotten.

If you have any questions or need help with your Security Policy, connect with us!

Security Program | Start of Security Program Development Content at RSA

RSA Conference Starting to Acknowledge Security Program Development

Thank you, RSA! It started in 2014 when a Security Strategy track was added to the agenda, one that was defined as covering security program development issues. This year it is actually going to the next level, though, as there are a couple of sessions that talk about security program development. I am going to count this as a huge win…

I love the RSA Conference. Heck, I served on the program committee for 3 years and have given 5 talks at the show over the years. The team that organizes it is passionate about making a difference and works really hard. I was excited when I reviewed the tracks this year and saw some security program development specific content, because I firmly believe there is a relationship between the limited focus on security program development at the show and organizations still really struggling at security.

RSA Conference: Shining a Light on Security Program Development 

My specialty is and always has been security program development, even when I was on the program committee through 2013. Back then, this niche discipline was an outlier in terms of finding a conference track. So they always stuck us in either the Professional Development track, where we talked about the skills needed to be a CISO, or the Governance, Risk & Compliance track, where we talked about how to certify to a framework like ISO 27001 or something like that. Neither of these is security program development, not in 2012 or today. Further, it has not been the RSA Conference’s fault; they simply organize the tracks based on what people ask for. My hypothesis is that people don’t ask because they don’t understand what a true security program is, or why they need it.

Security Program Development: the Niche Art of Building Repeatable Systems

Security program development is the niche art of helping organizations build repeatable systems for managing information security within their organization. Functionally, it helps an organization establish a benchmark for security, implement and perform processes for measuring against that benchmark, give this information to management to support the ability to make informed decisions, and support the implementation of those decisions once made.

I am biased, no doubt, but in my travels most organizations are really struggling with implementing functionally healthy security programs, even when they may be ISO 27001 compliant, spend a ton on information security, or have big teams. I firmly believe that until organizations focus on building healthy security programs, the attacks and mess we are in will continue.

Maybe this is the birth of a much needed dedicated track of security program development at the conference.

If you have any questions around Security Program Development we are here to help

Security Program | Overview of a Security Program and the Team that Leads it

What is a Security Program?

A security program is a system for protecting the confidentiality, integrity, and availability of information within a business.

If you were to walk into an organization and ask “Where is the information security program?” you would most likely get this answer: it is the group within the organization that is charged with the task of managing security. But who are they exactly?

Who in the Organization is the Security Program led by?

In most organizations, the information security program will be led by the Chief Information Security Officer, or CISO. This job is often also called the manager, deputy director, director, or vice president of information security.

Documentation a Security Program Produces

The most commonly known documentation of a security program is the suite of security policy documentation and the security program charter.

The security program charter describes the mission and mandate of the security group, while the security policy documents describe the rules of the road for the organization as they relate to information security.

Structural Makeup of the Security Program

This describes the way in which the group is organized. It can be one group for the organization, multiple groups per business unit or something in between.

Functional Capability of a Healthy Security Program

Any healthy security program must be able to do 4 things:

  1. Set a benchmark for security
  2. Measure against that benchmark
  3. Enable management decisions
  4. Support execution of those decisions

Management of Security Architecture

The security architecture in an organization is the people, processes, and technical safeguards that either prevent security events from occurring (preventive safeguards) or detect that they have occurred (detective safeguards).

A key responsibility of a security program is to manage the effectiveness of these safeguards, as well as to ensure that they are appropriate for the environment.

If you have any questions, connect with one of our Information Security Program Experts.