Information Security Program. These can be three frightening words in an institution that takes a reactive approach to its program, especially when they come from an auditor or regulator who is once again pointing out what the program is missing. A well-developed information security program, on the other hand, will help you sleep well at night.
This week, we take a look at five tips that can help transform a reactive program into a proactive one.
- Choose a framework. Cybersecurity frameworks are designed to walk a company through all of the questions it needs to ask in order to design its security program. Not starting from a framework tends to leave security gaps that only become apparent later. The simple choice for financial institutions is the FFIEC framework, as it is the framework regulators know best.
However, FFIEC may not be the best fit for institutions that are more technically advanced: it is an older framework, created before cloud computing was common, and its coverage of newer technologies is thinner. Increasingly, more advanced institutions are turning to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which addresses current technologies more directly. Institutions that choose NIST or any other non-FFIEC framework should map their program back to FFIEC expectations and make sure the areas FFIEC emphasizes more heavily (such as vendor management) are still covered, because examiners will continue to assess against FFIEC guidance regardless of which framework the institution adopts.
- Assess and prioritize gaps. Financial institutions are in the business of managing risk, yet when it comes to cybersecurity we often act as though every risk must be eliminated. We addressed this in a previous article, "If Everything is Important, Then Nothing Is". Perform a risk assessment against the chosen framework, document each gap, and prioritize remediation by which gaps represent the largest risks to the institution rather than trying to close all of them at once.
- Document controls that mitigate risks. The written program should document a summary of the controls that eliminate or mitigate significant risks in each area of the framework. If a procedure is in place as part of the control, identifying the procedure helps anyone working with the program to find details easily if they need to.
- Document monitoring responsibilities. Any critical control that depends on a procedure or a system to be effective should have a monitoring function, in which someone independent of the process periodically verifies that the control is working as stated. A control that is never checked tends to decay silently as staff, systems and vendors change. The program should name the party responsible for monitoring each control, the frequency of monitoring, and where the evidence of each review is kept, so that an auditor or examiner can confirm the monitoring actually happened.
- Create a training program for your Board of Directors. A well-written information security program can give your Board confidence that significant cybersecurity risks are properly mitigated, but only if the Board is aware of and understands the controls in the plan. Create a training program so that your Board can confidently state that the institution does what it reasonably can to secure information. (If you aren't sure how to get started on your own, check out our CySPOT™ Board Cyber Module for more help.)
We help financial institutions of all sizes and complexities build and improve their information security programs. Our services range from just helping in the places needed most to completely leading information security programs. This allows financial institutions to get the expertise they need at prices that fit their budget.
To get started on your own, take advantage of some of our free tools like our Information Security Program (ISP) Tasklist, to manage responsibilities and deadlines all in one place, or our CySPOT Health Index™ to get a clear picture of just how your ISP is doing.
Additional Resources:
- Resolving to Update Your Information Security Program
- Recent Information Security Projects and Key Takeaways
To get helpful tips and stay up to date on the latest cybersecurity trends sign up for our newsletter below!