Four Simple Steps to Create an Information Security Program


By Hanna Pickering | SE Virtual CIO

HPickering_sq web

Hanna Pickering

Many people think of an Information Security Program (ISP) as a collection of policy documents that state how an organization and its people will behave in order to comply with applicable regulations (such as HIPAA, GLBA, and FINRA). However, it’s no longer just about proper documentation, it also encompasses cybersecurity preparedness. To ensure your business is preparing responsibly, how do you know the statements your organization are making are true?

As a Virtual CIO for Systems Engineering, I am responsible for validating the statements my customers make in their ISP – and sometimes modifying those statements. A common scenario might include a program that states ‘the organization will run a user list report once a quarter.’ An easy way to comply is to do exactly that: run a report each quarter. With that being said, it’s not just about placing a ‘check’ on the checklist.

Here’s what I would suggest as a meaningful way to comply with your Information Security Program in four simple steps:

  • Scope: Does this just pertain to the file share/domain users or does it apply to any/all other systems used?
  • Ownership: Who ensures the reports are run timely and regularly? Who reads the reports and do they understand the objectives so they can spot and remediate a problem?
  • Value: What is the value of this effort? Does just running the report achieve what our customers and constituents would expect?
  • Follow-Through: How do we rewrite the policy so the effort is valuable? How do we change processes so problems don’t reoccur? Who is fixing any problems discovered?

Solid programs are supported by a qualified, responsible team that is well-practiced in their testing and remediation procedures. Even Albert Einstein seemed to advocate testing when he stated, “Truth is what stands the test of experience.”

Additional resources to reference on this topic are included below: