Strategic Information Security

Inside:

• Information security resolutions for the new year
• CISSP Training Program
• What we do

January Newsletter

Share this article

A Business New Year’s Resolution

It’s the time of year for New Year’s resolutions. Certainly, we all have areas in which we want to improve. How about areas of your business? One area of business where there is often plenty of room for improvement is information security. When managed effectively, information security can be a tremendous value to any organization.

So, why not make a business New Year’s resolution for information security improvement and stick to it?

Information Security Improvement

It doesn’t matter if you’re a large enterprise with millions of dollars in your information security budget, or if you’re a two-employee company with no budget; there is always room for improvement. What are some areas where you should improve your information security this year?

Some areas of improvement to consider:

• Policies – Policies provide the rules and boundaries to your information security efforts, and are critical to success. Don’t assume that everyone knows what they should do to protect your critical information, state it plainly in policy.
• Training & Awareness – Technology isn’t the most significant risk to your information, its people. The people you trust the most are the very same people who can do the most damage; often times accidentally.
• Assessment – Take the time to understand what your risks are before spending thousands of dollars to remediate them. Approaching risks blindly is ineffective and costly. How well do you build something without first determining what you will build, where and with what?
• Mobile Device Management – The past few years have brought an explosion in mobile device usage, and the amount of information leaving the office in employee pockets might scare you. Understand this risk, and do something about it.
• Incident Management – You’ve heard the old saying “it’s not a matter of if, but when”. Be prepared for an information security incident. A poor response can cost more the original incident itself.

Take a look at your organization and come up with a list of four or five information security improvements that fit you best.

Stick to It

Once you have identified some areas of information security that you should (will) improve upon in 2012, resolve to stick to it!

According to statistics, only 20% of people who set out with a New Year’s resolution actually stick to it. Don’t let information security fall victim to these same statistics. Turn your New Year’s resolution into yearlong results by implementing these simple principles:

• Commit – Just like anything worthwhile, information security requires a commitment and it requires a commitment from the top. Company executives must be familiar with their roles and responsibilities in respect to information security, and set the standards.
• Document – Documentation provides direction, reference, and proof. Direction for everyone to get on the same page, reference for measurement and enforcement, and proof of due care and due diligence. For some; if it’s not documented, it doesn’t exist.
• Measure – Measure how well you are doing in what you set out to do. If you wanted to lose weight, wouldn’t you check the scale every once in a while?
• Review – As your organization changes, so should your efforts to protect the information your organization relies on. Things that are not regularly reviewed and updated and bound to die and fail.

So, look around and be honest with yourself. Do you have areas of information security that need to improve? Make 2012 a year that you resolve to do just that!

Evan Francen is the president of FRSecure, a full-service information security consulting firm. FRSecure has helped hundreds of organizations by providing cost-effective strategies and solutions to secure today’s challenging business environment. For more information about FRSecure or FRSecure’s services, visit www.frsecure.com.

Share this article

Led by Evan Francen, FRSecure President and 20 year Information Security veteran, our training program is designed to not only help you prepare for the exam, but give you real world experience that you can put to use in your organization.

Our last class went 5 for 5 passing the exam on their first try!

If you are contemplating getting your CISSP certification, or if you have information security responsibilities, this class is for you.

Click here for more information or to register.

Share this article

Link to the story:

Chicago Tribune Article
 

Visit us at www.frsecure.com

Share this article

Monday the Minneapolis Star Tribune featured FRSecure in an article about vendor risk management.

 
Read the article here: http://www.startribune.com/business/132825938.html

 
Visit us at www.FRSecure.com

Share this article

Whenever we talk to a new company we ask questions about their current information security program. The responses we get fall into just a few buckets, and the bucket your program is in tells us immediately where we’re likely to find problems.

To get you thinking about your own program, here are the buckets:

Continue reading →

Share this article

Recently Evan Francen spoke at an iCPSI conference in Iowa, and got this question in front of 120 hospital administrators and staff from hospitals all over Iowa.
 

It’s an interesting question, and here’s our answer:
 

Of course you should hire us. It had to be said, so I got it out of the way early.
 

The real answer: It depends
 
As with any outsourcing question, it really comes down to a few things: a) Do you have the expertise internally, and b) which way is more cost effective. And, for information security, c) will you do it?
 

If you start with the end in mind, then the question becomes simpler. Ultimately what every business should have is an internally owned information security program. That means you have leadership buy-in, a driver (program manager), and a strategic program that fits your business.
 

As programs develop the need for independent, external review becomes apparent. Good program managers don’t believe they have everything perfect (because it’s not possible). They have appropriate controls in place and they know why, and they understand that someone from outside the forest needs to look at the trees occasionally.
 

We talk all the time about transferring knowledge to you, and this is why. Long term, we want you to own your program and have us review it occasionally to make sure things are going well.
 

So that’s the end goal. How you get there depends on where you’re starting from.

1. If you have no formal information security program, then you need to start one. It takes a manager that will drive initiatives and leadership buy-in that the program needs to be prioritized and budgeted for.
    

   This can be done internally, but if you are having trouble getting started, then a company like FRSecure can help. This doesn’t need to be a big money commitment. We can guide the effort and help leadership understand the importance. You can still do the work, but now you have a partner that you can turn to for direction.

2. If you know for sure there are holes, then the same guidelines apply. The caveat is that you should review progress in 6 months. If you haven’t made any progress (likely because you have other, higher priority efforts that need attention), then you may need someone like us to help drive the program forward. Again, it looks similar to the above example where you need leadership buy-in and a driver behind the program so that it can get prioritized.
3. If you have some controls in place, but it’s more reactionary than strategic, then a company like FRSecure can be of great value to you. By taking your program from reactionary to strategic you get a tremendous amount of return on security investments (ROSI).
4. If you feel like you have a fairly strong program, then it’s time for outside review. This isn’t our opinion, it’s simply an information security best practice to make sure you’re not too close to the trees to see the forest.

 
Ultimately your goal should be a solid, strategic program. That involves appropriate technical, administrative and physical controls, training and awareness, regular reviews that you conduct, and independent review every year or two. If you feel you can get to that point on your own, then go for it. We’re here to be a resource if you need to bounce ideas off someone who’s done it before.
 

FRSecure was founded because as Evan Francen was building his first information security programs he didn’t have anyone to help guide him, so inevitably mistakes were made. With twenty years of experience, dozens of security programs established and hundreds more assessed, FRSecure analysts have refined and streamlined the information security process. Without this sort of experience, most companies inadvertently choose to reinvent the security wheel and make the same mistakes as they build their program.
 

We truly thrive on seeing the “Ah-ha” moments our clients have when they start to really get what we’re talking about.
 
 
Visit us at www.FRSecure.com 

Share this article

This week Fairview announced yet another security breach affecting patient records. This breach happened through a third party vendor.

Read the article

There are two issues that this type of breach raises with business owners and leaders:

1. For vendors like Accretive Health, added scrutiny of information security occurs. This is still an immature process for most companies, so it will likely take the form of a questionnaire or a request for information on specific policies.
2. For business that share information with vendors, they question their own vendor risk management program, which they likely don’t have.

We can help in both cases.

For vendors of larger companies, we help by building a strategic IS program. We also help by being their IS interface to their customers and/or regulators. That way, if questions arise regarding their IS program we are there on their behalf.

For companies with vendors, we have a VRM program that we can implement at little or no cost to them.

Kevin Orth
korth@frsecure.com
952-442-1709 x11

Share this article