
Developing & Implementing Information Security Program

Feb 1, 2022 • 10 min

The interconnected ‘remote’ world is rife with opportunities for perpetrators to commit heinous cybercrimes that include stealing, manipulating, or destroying critical data.

According to a recent report by Fortinet, a cybersecurity solutions provider, two-thirds of organizations say they’ve been targeted in at least one ransomware attack. The National Law Review, citing the technology website Bleeping Computer and the security researcher DarkTracer, concluded that since 2019, 34 ransomware groups have leaked data stolen from 2,103 organizations.

As bad actors become increasingly ingenious at devising new attacks and avoiding detection, the average cost of cybercrime rises accordingly. Thus, in 2021, the average cost of a data breach rose from $3.86 million to $4.24 million, according to IBM. Yet the majority of companies still don’t have proper cyber security procedures and prevention strategies. A staggering share of organizations don’t have a cyber incident response plan, while only 32% of the remaining 44% actually think the response plan they do have is effective.

Cyber attack statistics

Thankfully, cybersecurity is slowly gaining traction: as regulatory bodies continue to issue and improve cybersecurity compliance guidelines, businesses have started requiring their partners and vendors to adopt risk-mitigating procedures and cybersecurity protocols to keep the data they share safe.

There’s only one way to protect a business against cyberattackers.

That is to develop and implement a data protection and information security program.

Information Security Program Definition

An information security program is a set of activities, projects, and initiatives that support a company’s information technology framework and help you accomplish information-related business objectives.

Constructing an effective program involves identifying information security goals and overriding requirements that your company has to meet to safeguard its security systems.

An information security policy needs to cover every aspect of your organization, including hardware, software, and access controls, and has to be revised and updated regularly to keep up with ever-evolving threats and changing developments in legislation and compliance.

While formats may vary, an information security program will typically outline the following aspects:

  • your company's objectives,
  • steps to ensure those objectives are met,
  • roles and responsibilities,
  • assets to manage and control,
  • people responsible for managing and controlling those assets.

Information Security Program Goals

An information security objective will define the goals of the information security program, including the purpose of the assets and a plan to ensure those assets are protected.

As security objectives typically align with the overall business objectives, the program includes the budget, the scope of work, and stakeholders’ approval. 

Apart from safeguarding business assets and critical data, some sub-objectives can outline the following intentions:

  • To keep the information confidential by protecting it from unauthorized access;
  • To ensure the reliability and accuracy of information by protecting it from modification without consent;
  • To ensure access to information is restricted on a need-to-know basis, subject to the roles and responsibilities of the interested party.

Cyber Security Program Benefits

There are plenty of benefits to having a formally defined information security program, such as:

  • It safeguards your business assets, employees, and customers from potential security and data breach threats;
  • It increases productivity as effective cyber security eliminates or greatly decreases instances of virus-infiltrated systems;
  • It inspires customer confidence and ensures them their personal data will not be compromised;
  • It ensures business continuity as the program tackles prevention, backup, and recovery procedures in case the unforeseen happens.

Information Security Program Description

Depending on business goals and assets at your disposal, there might be several contingent elements to your information security program.

Before drafting, however, it’s essential to determine the current state of security in your organization.

A risk assessment and security audits should provide a clear understanding of the status quo, including its existing vulnerabilities. A gap analysis determines the difference between the current and desired states of affairs and informs a security strategy to achieve the required results. Drafting a roadmap helps to drive the development and implementation of the security program. The roadmap typically includes the people, the processes, the technology, and other important resources needed to reach the desired state. Essentially, the program should go beyond assessing risks and offering a handful of solutions: it needs to proactively target potential threats and safeguard existing systems through diverse projects.

In the following section, we’ll look at information security program elements in more detail.

Information Security Program Components

Here’s the detailed overview of the essential components that should be included in an information security program:

  1. Policies, compliance standards, procedures, and security guidelines are central to the development and implementation of an information security system. These could be industry-recognized standards such as COBIT, NIST, PCI DSS, ISO, etc.
  2. A security architecture, including people, processes, and technologies, for the effective management of the program and of the complexity that might arise during its implementation.
  3. Definition, description, and classification of security assets that highlight their sensitivity and importance.
  4. A risk management process covering risk identification, evaluation, treatment, and business impact analysis.
  5. Incident response procedures.
  6. Security awareness training activities.
  7. Roles and responsibilities of the security team and its involvement in the software development lifecycle.
  8. Definition, description, and monitoring procedures for critical security KPIs.

Information Security Program Framework

HIPAA, PCI DSS, GDPR, Sarbanes-Oxley, NIST, and other standards greatly increase the complexity of IT security; yet they are fundamental to establishing a cybersecurity program of your own.

While standards are like recipes that prescribe the steps to take to ensure your systems are protected, regulations have a legally binding impact. Failure to comply with regulations can result in financial penalties and litigation, Amazon's $886 million fine being a recent example.

An IT security framework is a series of documented processes that describe policies and procedures for the implementation and management of information security controls. These frameworks help IT professionals accomplish several objectives, such as:

  1. to define and prioritize the tasks required to manage enterprise security,
  2. to prepare for compliance and IT audits,
  3. to adhere to industry-specific requirements and different regulatory compliance goals,
  4. to solve specific information security problems.

The choice of a specific IT framework depends on several factors and is primarily driven by the type and industry of an organization. For example, publicly traded companies may use COBIT to comply with Sarbanes-Oxley, online merchants – PCI DSS, healthcare companies – HITRUST, and so on.

ISO 27000 Series: The ISO 27000 series was developed by the International Organization for Standardization as a flexible information security framework that’s suitable for any type of business. The ISO 27000 series has 60 standards covering a broad range of information security issues, such as cloud computing, collection and protection of digital evidence, IT disaster recovery, storage security, and so on. Two primary standards, ISO 27001 and 27002, establish the requirements for the development of an information security management system.

NIST Standards: The NIST framework is a set of guidelines from the National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. NIST has developed an extensive library of IT standards, such as NIST SP 800-53, SP 800-171, CSF, and the SP 1800 series. According to the NIST website, more than half of all organizations in the U.S. are using the NIST Cybersecurity Framework, which integrates best practices with important industry standards.

COBIT: COBIT is a framework created by the Information Systems Audit and Control Association (ISACA) for information technology management and IT governance. As with ISO, COBIT can be applied to any organization in any industry. COBIT is the most used framework to achieve Sarbanes-Oxley compliance.

CIS Controls: The Center for Internet Security (CIS) Critical Security Controls list technical security and operational controls that can be applied to any environment. Unlike NIST, CIS doesn’t address risk analysis and assessment but instead focuses solely on reducing risk while increasing overall system resilience.

HITRUST Common Security Framework: The Health Information Trust Alliance (HITRUST) Common Security Framework includes risk analysis and management frameworks and operational requirements that can be applied to any organization, including healthcare.

GDPR: The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the EU and the European Economic Area. GDPR is also a framework of security requirements that organizations need to implement to safeguard the privacy and security of the personal information of EU citizens.

COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations to combat corporate fraud. COSO’s 2013 framework covers internal controls, while its 2017 edition covers risk management.

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit card information. The PCI standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

Table: Examples of IT security standards and frameworks

Information Security Program Lifecycle

Your organization’s information security program should be based on a lifecycle of continuous improvement, as depicted in the following diagram:

Information Security Program Lifecycle

At the development stage, you should plan what policies are required and what they must contain. First, policies are drafted by the Information Security Working Group. Next, those policies are reviewed, commented on, and edited by the Information Security Committee. Once the editing has been finished, the policies move on further for formal approval by the Board of Directors.

At the adoption stage, your company needs to plan how best to adopt and implement those policies. Typically, the adoption stage includes the drafting of a few more documents that outline the information security program activities, procedures for gap assessment, communication plans of the proposed changes, and detailed development and implementation plans.

The information security program implementation stage consists of the execution of the plans that have been developed during the adoption stage. At the end of the implementation stage, documentation should be prepared to ensure that the controls and processes are continuously managed in compliance with the developed policies and their objectives.

At the management stage, you should ensure that your company manages and reinforces compliance, which includes a consistent review of information security program audits and regular meetings of the information security committee.

At the assessment stage, policies should be consistently (at least annually) reviewed to ensure they are still relevant, and if they are not, updated accordingly.

Information Security Program KPIs

Cybersecurity KPIs are integral to a formal assessment of your information security program. Security metrics ensure your organization achieves the business objectives outlined in your information security program, give you opportunities to evaluate your security performance against industry benchmarks, and help you demonstrate the efficacy of the program to your company’s stakeholders.

Below are a few common security metrics that you can track to ensure the adequacy and effectiveness of your information security program:


Virto Commerce eCommerce Platform as a Secure eCommerce Solution

If you’re operating an online business, you need to make sure that the platform you use is robust, secure, and provides all the necessary access and management controls to ensure the security of your sensitive information. The Virto Commerce B2B ecommerce platform comes with an out-of-the-box Corporate Account Management module and has the necessary permission and access management controls. Moreover, it’s PCI DSS compliant, which ensures that the credit and debit card information your company handles is processed in compliance with cybersecurity industry standards and is therefore protected against bad actors. In its latest release, Virto added the anonymous data flow, which ensures that any customer who asks you to delete their information will have their wish granted in accordance with the GDPR. Moreover, the Virto Commerce ecommerce platform is based on the latest Microsoft technologies, which help protect your business as a whole.
