
I am a software tester, InfoSec is mostly tangential to my job, and people only ask me questions about InfoSec because I am not afraid to use Google or Stack Exchange when I don't know something. (which is most of the time)

Our US operations manager wants to have a conversation with me to learn more about Information Security. He got an email from a prospect in the financial sector that includes this section:

(a) ACME will ensure its information security program (“Info Security Program”) is designed and implemented, and during the term of this Agreement will continue to be designed and implemented, to: (1) reasonably and adequately mitigate any risks identified by either of the parties related to the Software and Services, and the protection of Customer Confidential Information disclosed to ACME or ACME Personnel, and (2) describe and report on its own risk assessments, risk management, control, and training of ACME Personnel in compliance with the Info Security Program, security oversight regarding ACME Personnel, and the process for the annual certification of the Info Security Program. ACME will safeguard against the destruction, loss, alteration, or unauthorized disclosure of or access to Customer Confidential Information in the possession of ACME Personnel, including through the use of encryption while transmitted or in transport, or while being stored, processed or managed on ACME equipment when such encryption required by Law, is advised by industry standards for similar products or services, or is required in an Transaction Document (collectively, the “Data Safeguards”). ACME will ensure that the Info Security Program is materially equivalent to Customer’s own information security standards in place from time to time applicable to the risks presented by the Products or Services (collectively the “IS Standards”). The parties may redefine the term “IS Standards” to mean any industry-recognized standard or testing protocol (e.g., NIST, ISO 27001/27002 or SSAE, AT101), if expressly set forth in an SOW.

This language is so scary that I first pooped in my pants, and then created a security.stackexchange.com account to ask for advice because I don't even know where to start. We are a small software company (less than 40 people) that is fortunate enough to have some commercial success, and we're not careless about security, but we don't have any formal Information Security Program (yet).

Some questions:

  • Can someone please translate the above quote into common English?
  • I read something about annual certification, would it be ok to say that our company should make use of a third party security auditor and let them tell us what we should do?
  • Who within our organisation would typically be responsible for implementing an Information Security Program?
  • I am thinking about recommending to buy ISO27001 (I mean the actual PDF file that contains the text of that standard, which can be purchased for 166 Swiss Francs from the iso.org store), but who should read it? (related to the previous question)

Background information:

  • We collect typical CRM information to be able to send invoices.
  • We do not collect sensitive information, like data about the users/customers of our customers.
  • Our support team may ask for sample data for troubleshooting purposes, and will always ask for "dummy" or sanitized data that reproduces the issue at hand.

This question is not a duplicate of How to communicate how secure your system is to your employer's clients. That post is about how to communicate to customers - we already know that because the customer already told us which kind of communication they want - they mentioned a SOC Type 1 Report. It is also not a duplicate of How to get top management support for security projects? because management support is easy in our case: get security certified or miss out on big contracts.

  • does your company have a CSO, CTO or CISO? have you talked with them, or their staff?
    – atk
    Commented Aug 29, 2017 at 4:34
  • No. Our company is too small to have a dedicated CSO or CISO, and the person who wears CTO as one of their many hats is not security focused but is mostly involved with technology around our software products. Commented Aug 29, 2017 at 5:11
  • @AmedeeVanGasse: There are some real companies with that name: en.wikipedia.org/wiki/Acme#Organizations . But I guess most of us correctly guessed it's a Foo or Bar or eXamPle 24/7 :)
    – phresnel
    Commented Aug 29, 2017 at 9:37
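The question's background says support only accepts "dummy" or sanitized sample data. That policy is easy to state and easy to forget under time pressure, so here is an added example (not code from the original question or any of the answers) of a small Python tripwire a support team could run over a submitted sample before attaching it to a ticket. It flags US SSN patterns, e-mail addresses, and digit runs that pass the Luhn check (i.e. look like real payment card numbers). The sample inputs below are constructed for the example; the patterns, thresholds and function names are my own assumptions, not anything the page specifies.

```python
import re
from typing import List, Tuple

# Patterns for identifiers a support ticket should never carry.
# These are a tripwire, not a proof of sanitization: they catch the common
# formats and anything they miss is still the submitter's responsibility.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_valid(number: str) -> bool:
    """Luhn checksum on a digit string (separators already stripped)."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every suspicious token in the sample."""
    hits: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    for m in EMAIL_RE.finditer(text):
        hits.append(("email", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):   # random digit runs fail Luhn 9 times out of 10
            hits.append(("card", m.group()))
    return hits


def is_safe_for_ticket(text: str) -> bool:
    """True when no SSN, e-mail address or Luhn-valid card number is present."""
    return not find_sensitive(text)


# Constructed samples: what a customer might paste, and the sanitized version
# the support policy actually asks for.
UNSANITIZED = """\
Customer: Alice Smith <alice.smith@example.com>
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Invoice 2017-0042 failed to render"""

SANITIZED = """\
Customer: CUSTOMER_NAME <CUSTOMER_EMAIL>
SSN: XXX-XX-XXXX
Card on file: 4111 1111 1111 1112
Invoice 2017-0042 failed to render"""


if __name__ == "__main__":
    for label, sample in (("unsanitized", UNSANITIZED), ("sanitized", SANITIZED)):
        print(label, "->", "OK" if is_safe_for_ticket(sample) else find_sensitive(sample))
```

The point of the check is that the policy gets enforced by a tool rather than by whoever is busiest that day. It has known limits: it knows nothing about IBANs, names or free text, and any 13-19 digit run (an order number, say) has roughly a one in ten chance of passing Luhn, so a hit is a prompt to look, not an automatic rejection. Note also that "4111 1111 1111 1112" passes the tripwire only because it fails the checksum; a sanitized sample should not contain anything card-shaped at all.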

6 Answers


I'll give it a shot.

In a nutshell, the language is CYA: in case you get breached or hacked while you have access to their data, they can tell their customers "Acme said they had a security program and was protected, so this is their fault".

In that case if you end up being the cause of them losing data, they can blame you.

That being said, it's pretty standard contract language when companies are partnering or sharing data. Mostly it's a "Due Diligence" type artifact.

Regarding your questions:

Can someone please translate the above quote into common English?

Basically you need to have documented security policies/procedures. Within those documents you should state what you do to maintain systems and ensure that adequate security is provided. You should also try and address actual procedures that touch on security related subjects (access control, auditing, monitoring, incident response, etc.). You may already cover some of this in your normal Standard Operating Procedures (SOP) and you can reference those documents. When you create a new user or change groups/roles, are there written procedures for how to do it? Is there someone who approves that change? Those are the kinds of things that should be addressed. When they aren't written down, people don't have references for how to do them and they take liberties which may introduce security vulnerabilities.

I read something about annual certification, would it be ok to say that our company should make use of a third party security auditor and let them tell us what we should do?

This is the route a lot of organizations take, but security is definitely not something that should be reviewed "annually". It is an ongoing, forever process that should be integrated into your daily operations. That being said, a third party group can perform an "audit" that serves as your annual certification. The result of that will be a report that you can use to fix deficiencies and enhance your security posture. Highly recommend this, no matter how mature your security program is. The first few times you go through it, use different vendors so that you can compare the results. The quality of these types of assessments varies GREATLY.

Who within our organisation would typically be responsible for implementing an Information Security Program?

They go by many names, but the ultimate responsibility of security will lie with the system owner. That could be your CEO, the program manager, or in larger organizations an ISSO or Information System Security Officer. In smaller organizations, it usually falls to a Product or IT Manager. Hiring a consultant to help start this process may be a good idea at this stage. You're only going to see these requirements more often as you start working/partnering with large enterprises.

I am thinking about recommending to buy ISO27001, but who should read it? (related to the previous question)

What exactly are you considering buying? ISO27001 is a security compliance framework that provides a direction for securing your assets/enterprise and as far as I know you shouldn't have to pay for anything upfront unless it's a service or product. Choosing a compliance framework to base your program off of is a great first step in establishing a security program. I would personally recommend ISO or NIST as they are large international/national standards and have a lot of overlap with other compliance frameworks (PCI, HIPAA, etc.). That being said, I have no idea what your goals are so you'll have to do some research and choose what's best for your organization.

I've written a lot of documentation and done a lot of security control testing so I may be opinionated at this point, but if you have additional questions, feel free to PM me. Good luck!

  • FYI, StackExchange does not have a private message feature. Chat is about the closest you can get, but that's all still public.
    – jpmc26
    Commented Aug 28, 2017 at 20:37
  • “What exactly are you considering buying?” The standard itself presumably. ISO27001 is a document and like other ISO standards it isn't exactly free.
    – Relaxed
    Commented Aug 28, 2017 at 22:45
  • It's 166 Swiss Francs. Commented Aug 29, 2017 at 5:04
  • You can also buy it from BSI for £100 (which is currently a lot less). Other national bodies will also have it for sale. Commented Aug 29, 2017 at 12:30
  • @AmedeeVanGasse NIST's is free - for an overview of NIST's Risk Management Framework, see NIST SP 800-37. The problem that you will likely run into with any framework is that it takes a lot of money, time and executive buy-in to create a company-wide security program. It's probably going to be important for you to establish together with management an appropriate initial scope for the security program that can be tailored later. So maybe in the short term you address the security concerns for this specific contract and expand upwards.
    – Blackhawk
    Commented Aug 29, 2017 at 14:53

Legal and contractual language is always complex and sometimes daunting to read; that is why we sometimes gloss over the terms and conditions pages of products.

For your question of where to begin

Here are a few links from standard resources like NIST, SANS and ISACA; each of these institutes has a rich history in dealing with many facets of information security.

SANS link:-

https://www.sans.org/reading-room/whitepapers/hsoffice/designing-implementing-effective-information-security-program-protecting-data-assets-of-1398

ISACA link:-

https://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Critical-Elements-of-Information-Security-Program-Success.aspx

Now regarding the section of mail you referred to

I assumed your organization’s name is ACME

You will make sure of the following:

  1. You have your own Information Security Program designed and implemented, and during the agreement period you will use it to prevent and reduce any risks identified either by your team or the customer's team for any software or services.

  2. You will also protect customer confidential data that is given to your company or your employees.

For example: in the case of the U.S., it is prohibited by law to release an individual's health records or his Social Security Number without his or her permission.

  3. You will make a detailed report on the following:

  • Risk Assessment: identify potential risks to services and operation
  • Risk Management: suggest and implement methods to avoid or reduce the impact of identified risks
  • Establish control flow: this deals with establishing and maintaining a chain of command in case of a risk event in order to continue critical services without interruptions
  • Training: train all the related employees on safe and secure practices to handle data and also highlight best practices

Also establish a proper feedback mechanism to ensure the employees also play a part in establishing these practices. It pays a lot in the long run.

  4. You will protect the data from loss, destruction and alteration and prevent accidental disclosure of sensitive data.

  5. You will use encryption services to achieve this when the data is being stored on a USB or while the data is in use, as this is mandated by government.

  6. You will also ensure that your security standards are at the same level as that of your client's for risks listed by any international standards like NIST or ISO (they are organizations that define what the standard practices are), if they are written down in your SOW.

Now coming to your question about certification, I suggest two levels of auditing: one would be your internal team, which gives your organization a chance to address security issues particular to your company, and a third party auditor is always advisable as it boosts customer satisfaction.

And regarding who is responsible typically it would be the CISO i.e the Chief Information Security Officer. And at the project level it would be the Project manager and the dedicated security team.

Also once again I would reiterate that it would be the users of that data who should be primarily careful about how they are handling it.

On the same note I would like to point out that any type of data can be classified as sensitive, i.e. there is a wide variety of it. For example, since you mentioned that the prospective client is from the financial sector, the term sensitive data might comprise business transaction details or a deal value, which might not seem valuable from a standard hacker's point of view but would be very critical to your client's competitors.

Unfortunately I have little to no knowledge on your final query, but I would suggest extensive market research before buying one, as the standards might vary slightly if not substantially.


I responded to a lot of these. One thing jumps out:

ACME will ensure that the Info Security Program is materially equivalent to Customer’s own information security standards in place from time to time applicable to the risks presented by the Products or Services (collectively the “IS Standards”).

Get the customer's information security standards. Go over it line-by-line and note what can't apply to your organization.

Second thing... You likely do have an information security program, it's probably just informal. Your developers have passwords, you have an SDLC, you use change management, code review, you VPN into the office, you do background checks on employees, you ensure contractors don't use stolen code or pirated software, no shared passwords, you have AV on workstations, etc, etc.

Formalizing what you have and seeing if it lines up with what the customer is asking for might be all they need. You need buy-in from your executive of course and they may need to fund you if customers have specific asks (intrusion prevention, vulnerability scanning etc).

Also remember that their only alternative here is to go to your competition. If your competition has amazing infosec and a discount price, then you might have a problem, but chances are, they're in a similar spot, so don't worry about being perfect, just do as much as you can and try to improve the situation.

This will happen again, and again and again, customer after customer. Hopefully you'll get an infosec person by then.

ISO 27001 is a very lightweight document and takes a lot of experience to understand and interpret. I don't think it will help much. NIST and PCI might be more useful at this stage, but that's my opinion.

  • Upvoted for "Get the customer's information security standards. Go over it line-by-line and note what can't apply to your organization." I sent that to the person who is in contact with the customer. Commented Aug 30, 2017 at 0:58

If you're going to begin a Security Program, you'll need to define the scope of the program. It's probably best to begin with a limited scope so you're working with something manageable. The scope could be the development and deployment cycle, system hardening and configuration management, user management, vulnerability and security testing program etc. Starting with a small scope allows you to learn and makes the end-goal achievable.

Each of the above domains has industry standard processes and controls which should be in place and you'll find these in each of the NIST CyberSecurity Framework, SANS Critical Security Controls, PCI DSS, ISO etc. If you're going to align to an industry standard, you'll need to choose one. Each of those I refer to are internationally recognised. I'd suggest the NIST Cyber Security Framework as it is well presented and digestible. You can also prioritise implementation according to high-level categories and it's simple to audit against.

Reading your question again, I'd suggest reviewing requirement 6 of the PCI DSS, specifically 6.3, 6.5 and 6.6. As a development house, these are the exact industry standards you'd at least be expected to have in place - i.e. secure development, developer training, code review, knowledge of OWASP vulnerabilities and ability to mitigate through defensive coding, use of appropriate libraries, systems configuration etc.

From an audit perspective, you need to document what you do (or should do) and ensure controls and processes are aligned with your documentation - if these don't sync up there's a problem.

  • Some of the PCI DSS seems to apply. The special case here is that we don't sell an end product. We have an SDK to create documents in one specific file format, and we never handle any customer data ourselves. That's all done by the customers themselves who use our SDK in the applications they build. To give a comparison, we're like the developers of a logging framework, but you wouldn't expect Log4J to be particularly secure, instead you would expect an application that uses Log4J to be secure (like, not dumping customer data in log files). I don't know if that makes sense? Commented Aug 29, 2017 at 6:21
  • That does make sense. Whoever uses your SDK, particularly if they're using it to handle sensitive data on their side, will want some assurance the application framework is secure and robust. While they could perform penetration testing on the final product, they should have the comfort they're working with a supplier who takes security seriously and can demonstrate this through its practices as reviewed by an independent security professional.
    – AndyMac
    Commented Aug 29, 2017 at 12:43

Setting up an entire Info Sec program is a huge undertaking, and may be a case of trying to bite off more than you can chew. I would suggest seeking out the assistance of a CISSP to help guide you through setting up an effective info security program.

There are many facets to standing up a successful program, and at least you already know that you don't know them all. That's why I think you need someone who does understand the importance of establishing a complete security policy, and how to use it to drive standards across your organization.

Internally, to get it going, you will need someone responsible for organizing the efforts, and someone with enough authority to ensure that the developers are actually following policy. Depending on other contractual requirements (PCI DSS, for example) you might also be asked to perform audits of the software development processes, provide evidence of up-to-date security devices, maps of your networks and firewalls, secure encryption key management practices, etc.

A professional can at least help you navigate these complex waters, and perhaps provide a better estimate of what it will actually cost your company to get it going to the point where you're at least compliant with the terms of the contracts you seek.


I was once tasked to give an estimate on the feasibility of doing ISO 27001 for our company (1-10 employees). No idea about the other certificates, but I'd assume they are not so much different.

Even for a smallish company it is a lot of work. Actually it gets better the bigger you are (and the more homogeneous your IT is). Let me summarize the general process:

To begin with, what you need to do is to compile a list of your complete inventory, your employees, your processes ... et cetera.

There are numerous free/commercial tools to aid here. One exemplary tool is Verinice. There used to be something called GSTOOL by the German BSI, now discontinued, but they have a nice list of available alternatives here: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/GSTOOL/AndereTools/anderetools_node.html

When this list (in reality more like a graph) is completed, you need to go through the list of items, and depending what exactly that item is, the standard will provide you with a checklist of issues. Again, you will have to work through each of these checkpoints and give an estimate:

  • Are safeguards in place?
  • Can we ignore this due to whatever reason?
  • What would the scope of damage be?
  • ...

In the end, this will likely leave you with a number of critical weak points which are too bad to ignore, which you can then begin to fix. Even if not going for the full certification, the whole process is definitely an eye-opener. Finally, to receive a certification, an external auditor will go through your estimates and make sure they are valid.

Verinice used to be free and just downloading and playing around gives you a very good idea of how it "works" in reality; there is much more to it than what could possibly fit into this answer.
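The walk-through in the answer above (inventory, a checklist per item, an estimate of whether a safeguard is in place or can be waived, then a list of the critical weak points) and the earlier advice to "document what you do and ensure controls and processes are aligned with your documentation" are the same gap analysis seen from two sides. As an added example, not the page's own material and not derived from Verinice, GSTOOL or any standard's control set, here is a minimal version in Python. The inventory, the control catalogue, the control names and the 1-5 impact scale are all constructed, illustrative assumptions; a real catalogue would come from whichever framework the company picks.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical control catalogue keyed by asset type. Constructed for this
# example; the control names are illustrative, not quoted from ISO 27001,
# NIST or any other standard.
CATALOGUE: Dict[str, List[str]] = {
    "server":     ["patching", "backup", "access-review", "disk-encryption", "logging"],
    "laptop":     ["patching", "disk-encryption", "screen-lock", "antivirus"],
    "repository": ["code-review", "branch-protection", "secret-scanning", "backup"],
}


@dataclass
class Asset:
    name: str
    kind: str
    impact: int  # constructed scale: 1 (nuisance) .. 5 (would end the contract)
    documented: Set[str] = field(default_factory=set)    # controls the written policy claims
    implemented: Set[str] = field(default_factory=set)   # controls actually observed
    waived: Dict[str, str] = field(default_factory=dict)  # control -> written justification


@dataclass
class Finding:
    asset: str
    control: str
    kind: str  # "not-implemented" (paper only), "missing" (nowhere), "undocumented" (practice only)
    impact: int


def assess(assets: List[Asset], catalogue: Dict[str, List[str]] = CATALOGUE) -> List[Finding]:
    """Compare each asset's documented and observed controls against the catalogue."""
    findings: List[Finding] = []
    for a in assets:
        for control in catalogue.get(a.kind, []):
            if control in a.waived:
                continue  # consciously accepted risk; the written justification is the audit trail
            doc, impl = control in a.documented, control in a.implemented
            if not doc and not impl:
                findings.append(Finding(a.name, control, "missing", a.impact))
            elif doc and not impl:
                findings.append(Finding(a.name, control, "not-implemented", a.impact))
            elif impl and not doc:
                findings.append(Finding(a.name, control, "undocumented", a.impact))
    # Highest impact first; within an asset, policy claims that are not true come
    # first, because those are what an auditor or customer will hold against you.
    order = {"not-implemented": 0, "missing": 1, "undocumented": 2}
    return sorted(findings, key=lambda f: (-f.impact, order[f.kind], f.asset, f.control))


def critical(findings: List[Finding], threshold: int = 4) -> List[Finding]:
    """Weak points too bad to ignore: a real control gap on a high-impact asset."""
    return [f for f in findings if f.impact >= threshold and f.kind != "undocumented"]


# Constructed inventory for the example (not a real environment).
INVENTORY = [
    Asset("ci-01", "server", 5,
          documented={"patching", "backup", "access-review", "logging"},
          implemented={"patching", "backup", "logging"},
          waived={"disk-encryption": "locked rack, no customer data stored"}),
    Asset("support-laptop-07", "laptop", 3,
          documented={"patching", "antivirus"},
          implemented={"patching", "antivirus", "screen-lock"}),
    Asset("sdk-core", "repository", 5,
          documented={"code-review", "backup"},
          implemented={"code-review", "backup", "branch-protection"}),
]


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f.impact}  {f.kind:16} {f.asset}: {f.control}")
    print("critical:", [(f.asset, f.control) for f in critical(assess(INVENTORY))])
```

Three outcomes are kept apart on purpose. A control that is written down but not actually in place is the worst finding, because the customer's contract language holds you to what your program "describes and reports", and an auditor will test exactly that. A control nobody has thought about is a gap to fix or to waive with a written reason. A control that is in place but not written down is the cheapest finding of all: it needs a paragraph, not a project, and it is what the third answer means by "you likely do have an information security program, it's probably just informal".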
