

{Article} How to Truly Manage Your Information Security Program


In today’s busy world, the easiest thing to do when it comes to your Information Security Program (ISP) is to focus solely on compliance. Ok, well, it might not be that easy to put together an Information Security Program that meets the bare minimum standards for your industry, but only meeting the ISP basics sure feels much easier than spending your time building an ISP that truly demonstrates how your organization manages information and cybersecurity. But it doesn’t have to be that way. In fact, if you want to meet regulatory compliance AND create an ISP that helps you make better decisions, you must start with the basics.

Your Information Security Program = More Than Checking the Box

An Information Security Program is intended to show examiners, auditors, and senior management how you are truly managing information and cyber security at your organization. Simply putting together documentation based on regulatory guidance or best practices doesn’t mean you’re actively managing information and cybersecurity at your organization; you’re simply checking the box. To break through the checkbox mentality, your ISP should follow these three critical components, in order:

  1. Start with your IT Risk Assessment. The IT Risk Assessment must help you truly understand the risk around your IT systems and assets, then help you make decisions.
  2. You must then document the decisions you made in your IT Risk Assessment in your Information Security Program to demonstrate how you’re protecting customer information and mitigating risk.
  3. Finally, you must then test your decisions through various audits. A standard IT Audit should test your ISP (governance). Test your technology via Penetration Testing and Vulnerability Assessments. Then be sure to test your people – which we all know is security’s weakest link – through Social Engineering Assessments, such as phishing testing or physical impersonation.

Those three (3) components are the foundation to a strong ISP that helps you to actually manage information and cybersecurity. However, to truly make your ISP work for you and help you make better decisions, we need to go one step further: documenting not only the risks you’re mitigating but also those you are accepting.

Know your Acceptable Risk

There is no such thing as 100% risk mitigation in the world of information security. Even if you were to achieve 100% risk mitigation by some standard, the risk is only mitigated until the next threat, technology, or vulnerability hits the market. Point of reference: nearly 15,000 vulnerabilities received a CVSS score in 2017 alone. That’s over 40 vulnerabilities disclosed per day. Knowing that you can’t mitigate 100% of all risks means that you must be willing to accept some level of risk to operate your business, unless you prefer to get rid of technology and the internet altogether.

One of the biggest issues that organizations suffer today is a lack of known acceptable risks. Where does one even begin when identifying risks they have not mitigated? The good news is that if your organization is examined or regulated in any capacity, or if you simply believe in protecting your customer information in the first place, you should have plenty of opportunities to identify risk that you have not yet mitigated, thanks to regular audits and testing.

Most organizations perform or contract for the performance of an IT Audit (testing your policy and governance), a Penetration Test and Vulnerability Assessment (testing your technology), and a Social Engineering Assessment (testing your people) at least annually. Those four assessments should identify numerous ways to improve your ISP, particularly if the entity responsible for the testing is looking to provide you with findings and recommendations that focus on the true risks to your organization.

If there are risks that you have identified that you know are unresolved or unmitigated, document those risks or ISP gaps, determine whether you will accept those risks (again, you can't mitigate 100% of the risk) or put together a plan to address the risk in the future. Not everything must be or can be resolved immediately. Document a formal work-plan to address all risks you plan to mitigate in the future, then assign responsibilities, completion dates, dollars, or other resources as necessary. Next, share these accepted risks and risks to-be-mitigated with Senior Management and the Board regularly, as well as progress on your work-plans to address these risks.

Here's the kicker: your known acceptable risks should be the first thing you share with auditors and regulators when they walk in the door.

You are probably thinking to yourself, “That’s crazy! Share my greatest weaknesses and dirty laundry with my examiners right away? That’s a formula for disaster!” But let me ask you this: what's the worst-case scenario? You get written up for risks that you (and the top level of your organization, if you’re doing it right) are already aware of and have either accepted or plan to address in the future?

More likely, your auditor or regulator will see that you are actively managing your Information Security Program and risk. While you still may have findings or recommendations around those items, you will likely not be found significantly deficient in any reports, since you are working to address known issues.


Address Your Risk

The bottom line is this: you cannot claim ignorance of risk. There is too much information, guidance, and intelligence-sharing going on to attempt the head-in-the-sand excuse. Sure, you may get away with sweeping a few things under the rug, depending on the auditor or examiner that shows up and their knowledge and experience. But in that case, you’re really just crossing your fingers and hoping that no one finds out there are things that can be improved to better protect your customer information and the organization as a whole. That’s not the way we as security professionals should be managing our Information Security Programs.

Truly managing your risk means that you know yourself, your organization, and your risk. Make sure there's a plan in place to address the known issues and risks, then present your known acceptable risks – and the plans you have to address these risks – to senior management, auditors, and examiners. Being honest about the risk is the best way to truly manage your Information Security Program.

Written by: Jon Waldman

Partner, EVP of Information Security Consulting - SBS CyberSecurity, LLC


SBS Resources:

  • {Service} Cybersecurity Partnership: For over 12 years, SBS CyberSecurity has offered a service called our CyberSecurity Partnership (CSP) program, which is designed to help your organization build and manage an Information Security Program tailored to your organization. Our expertly trained Information Security Consultants work with over 130 organizations across the US, serving as our clients’ trusted cybersecurity advisor. The CyberSecurity Partnership is built to help your organization identify its true risk, manage and update your Information Security Program, provide training and education to all levels of your business, and keep you up-to-date to changing cybersecurity threats and regulation. The CSP program also features our TRAC risk management software, which is designed to help you manage and maintain all aspects of your ISP. If you need assistance building, updating, or maintaining your Information Security Program, we’ve got you covered.
  • {Webinar} Hacker Hour: Defining and Refining Your Information Security Program: A written Information Security Program is required for organizations that are subject to GLBA scrutiny; however, it is also the linchpin for ANY organization to successfully protect sensitive data. Join SBS as we discuss the key components of a strong Information Security Program and explore the issues organizations have in designing and maintaining their program. We will also have a conversation about if and where Virtual CISO services could fit into your business.
  • {Blog} How Do You Mature Your Information Security Program in 2018?: What does your Information Security Program need to look like for 2018? Over the last two years, updated guidance in Bank regulations and the Cybersecurity Assessment Tool updates are moving us to tangible improvements in securing our information. For many years, we implemented check-box regulatory items (often based on exam results) and thought to ourselves “why is this necessary?” We are now seeing why and how the updated regulation is making a big difference in securing the information in our Banks. So, what should we look for in 2018 that will continue to help improve our Information Security Programs?
  • {CyberByte Video} Information Security Program: Managing an Information Security Program (ISP) is an ongoing, dynamic process because risk is always changing. Your program demonstrates how well you are managing information security to examiners, auditors, and upper-level management. Watch this CyberByte for an overview of how a layered approach is key to a successful ISP.



Posted: Friday, February 23, 2018
Categories: Blog