No matter how large or small your company is, you need to have a plan to ensure the security of your information assets. Such a plan is called a security program by information security professionals.
Whether yours is five or 200 pages long, the process of creating a security program will make you think holistically about your organization’s security.
A security program provides the framework for keeping your company at a desired security level by assessing the risks you face, deciding how you will mitigate them, and planning for how you keep the program and your security practices up to date.
Think you don’t have anything of value to protect? Think again. The key asset that a security program helps to protect is your data – and the value of your business is in its data.
You already know this if your company is one of many whose data management is dictated by governmental and other regulations — for example, how you manage customer credit card data (PCI Compliance) or even how you handle sensitive patient information (HIPAA). If your data management practices are not already covered by regulations, consider the value of the following:
Product information, including designs, plans, patent applications, source code, and drawings.
Financial information, including market assessments and your company’s own financial records.
Customer information, including confidential information you hold on behalf of customers or clients.
Protecting your data means protecting its confidentiality, integrity, and availability, together known as the C-I-A triangle. The consequences of a failure to protect any of these three aspects include business losses, legal liability, and loss of company goodwill. Consider the following examples:
Failure to protect your data’s confidentiality might result in customer credit card numbers being stolen, with legal consequences and a loss of goodwill. Lose your clients’ confidential information and you may have fewer of them in the future.
A data integrity failure might result in a Trojan horse being planted in your software, allowing an intruder to pass your corporate secrets on to your competitors. If an integrity failure affects your accounting records, you may no longer really know your company’s true financial status.
Having a security program means that you’ve taken steps to mitigate the risk of losing data in any one of a variety of ways, and have defined a life cycle for managing the security of information and technology within your organization.
Hopefully the program is complete enough, and your implementation of the program is faithful enough, that you don’t have to experience a business loss resulting from a security incident. If you have a security program and you do experience a loss that has legal consequences, your written program can be used as evidence that you were diligent in protecting your data and following industry best practices.
Getting started in the right direction
It doesn’t matter whether your security program is five pages or 200 pages long. The important thing is that you have a security program and that you use it to address your company’s security in an organized, comprehensive, and holistic way. You can adapt the above elements to create a security program for your organization, or, if you need help, give us a call at (734) 457-5000.
Everyone needs to have a security program because it helps you maintain your focus on IT security. It helps you identify and stay in compliance with the regulations that affect how you manage your data. It keeps you on the right footing with your clients and your customers so that you meet both your legal and contractual obligations. Its life cycle process ensures that security is continuously adapting to your organization and the ever-changing IT environment we live in. And, of course, it’s the right thing to do because protecting your data’s security is the same as protecting your most important asset.