Developing & Implementing Information Security Program

The interconnected ‘remote’ world is rife with opportunities for perpetrators to commit heinous cybercrimes that include stealing, manipulating, or destroying critical data.

According to a recent survey by Fortinet, a cybersecurity solutions provider, two-thirds of organizations say they’ve been targeted in at least one ransomware attack.

The National Law Review, citing the technology website Bleeping Computer and the security researcher DarkTracer, concluded that since 2019, 34 ransomware groups have leaked data stolen from 2,103 organizations.

As bad actors become increasingly ingenious at devising new attacks and avoiding detection, the average cost of cybercrime rises accordingly. In 2021, the average cost of a data breach rose from $3.86 million to $4.24 million, according to IBM.

Yet, the majority of companies still don’t have proper cyber security procedures and prevention strategies. A staggering 56% of organizations don’t have a cyber incident response plan, while only 32% of the remaining 44% actually think the response plan they do have is effective.

Figure: Cyber attack statistics

Thankfully, cybersecurity is slowly gaining traction: as regulatory bodies continue to issue and improve cybersecurity compliance guidelines, businesses have started requiring their partners and vendors to adopt risk mitigating procedures and cybersecurity protocols to keep data they share safe.

There’s only one way to protect a business against cyberattackers.

That is to develop and implement a data protection and information security program.

Information Security Program Definition

An information security program is a set of activities, projects, and initiatives that support a company's information technology framework and help it accomplish information-related business objectives.

Constructing an effective program involves identifying information security goals and the overarching requirements that your company has to meet to safeguard its security systems.

Information security policy needs to cover every aspect of your organization, including hardware, software, and access controls, and has to be revised and updated regularly to keep up with ever-evolving threats and changing developments in legislation and compliance.

While formats may vary, an information security program will typically outline the following aspects:

  • your company's objectives,
  • steps to ensure those objectives are met,
  • roles and responsibilities,
  • assets to manage and control,
  • people responsible for managing and controlling those assets.

Information Security Program Goals

An information security objective will define the goals of the information security program, including the purpose of the assets and a plan to ensure those assets are protected.

As security objectives typically align with the overall business objectives, the program includes the budget, the scope of work, and stakeholders’ approval.

Apart from safeguarding business assets and critical data, some sub-objectives can outline the following intentions:

  • To keep the information confidential by protecting it from unauthorized access;
  • To ensure reliability and accuracy of information by protecting it from modification without consent;
  • To ensure access to information is restricted on a need-to-know basis, subject to the roles and responsibilities of the interested party.

Cyber Security Program Benefits

There are plenty of benefits to having a formally defined information security program, such as:

  • It safeguards your business assets, employees, and customers from potential security and data breach threats;
  • It increases productivity as effective cyber security eliminates or greatly decreases instances of virus-infiltrated systems;
  • It inspires customer confidence and assures them that their personal data will not be compromised;
  • It ensures business continuity as the program tackles prevention, backup, and recovery procedures in case the unforeseen happens.

Information Security Program Description

Depending on business goals and assets at your disposal, there might be several contingent elements to your information security program.

Before drafting, however, it’s essential to determine the current state of security in your organization.

A risk assessment and security audits will provide a clear understanding of the status quo and its existing vulnerabilities.

A gap analysis determines the difference between the current and desired states of affairs and facilitates a security strategy to achieve the required results.

Drafting a roadmap helps to promote the development and implementation of the security program. The roadmap typically includes the people, the processes, the technology, and other important resources to achieve the desired state.

Essentially, the program should go beyond assessing risks and offering a handful of solutions; it needs to proactively target potential threats and safeguard existing systems through diverse projects.

In the following section, we’ll look at information security program elements in more detail.

Information Security Program Components

Here’s the detailed overview of the essential components that should be included in an information security program:

  1. Policies, compliance standards, procedures, and security guidelines are central to the development and implementation of an information security system. These could be industry-recognized standards such as COBIT, NIST, PCI DSS, ISO, etc.
  2. A security architecture, including people, processes, and technologies, for effective management of the program and of the complexity that might arise during its implementation.
  3. Definition, description, and classification of security assets that highlights their sensitivity and importance.
  4. A risk management process with risk identification, evaluation, treatment, and business impact analysis.
  5. Incident response procedures.
  6. Security awareness training activities.
  7. Roles and responsibilities of a security team and its involvement in the software development lifecycle.
  8. Definition, description, and monitoring procedures of critical security KPIs.

Information Security Program Framework

HIPAA, PCI DSS, GDPR, Sarbanes-Oxley, NIST, and other standards greatly increase the complexity of IT security; yet they are fundamental to establishing a cybersecurity program of your own.

While standards are like recipes that prescribe the lists of steps to take to ensure your systems are protected, regulations, in turn, have a legally binding impact. Failure to comply with regulations can result in financial penalties and litigation, Amazon's $886 million fine being a recent example.

An IT security framework is a series of documented processes that describe policies and procedures for the implementation and management of information security controls. These frameworks help IT professionals accomplish several objectives, such as:

  1. to define and prioritize the tasks required to manage enterprise security,
  2. to prepare for compliance and IT audits,
  3. to adhere to industry-specific requirements and different regulatory compliance goals,
  4. to solve specific information security problems.

The choice to use a specific IT framework depends on several factors and is primarily driven by the type and industry of an organization. For example, publicly traded companies may use COBIT to comply with Sarbanes-Oxley, online merchants – PCI DSS, healthcare companies – HITRUST, and so on.

IT security standards and frameworks

  • ISO 27000 Series: The ISO 27000 series was developed by the International Organization for Standardization as a flexible information security framework that's suitable for any type of business. The ISO 27000 series has 60 standards covering a broad range of information security issues, such as cloud computing, collection and protection of digital evidence, IT disaster recovery, storage security, and so on. Two primary standards, ISO 27001 and ISO 27002, establish the requirements for the development of an information security management system.
  • NIST Standards: The NIST framework is a set of guidelines from the National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. NIST has developed an extensive library of IT standards, such as NIST SP 800-53, SP 800-171, CSF, and the SP 1800 series. According to the NIST website, more than half of all organizations in the U.S. are using the NIST Cybersecurity Framework, which integrates best practices with important industry standards.
  • COBIT: COBIT is a framework created by the Information Systems Audit and Control Association (ISACA) for information technology management and IT governance. As with ISO, COBIT can be applied to any organization in any industry. COBIT is the most used framework to achieve Sarbanes-Oxley compliance.
  • CIS Controls: The Center for Internet Security (CIS) Critical Security Controls list technical security and operational controls that can be applied to any environment. Unlike NIST, CIS doesn't address risk analysis and assessment but instead focuses solely on reducing risk while increasing overall system resilience.
  • HITRUST Common Security Framework: The Health Information Trust Alliance (HITRUST) Common Security Framework includes risk analysis and management frameworks and operational requirements that can be applied to any organization, including healthcare.
  • GDPR: The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the EU and the European Economic Area. GDPR is also a framework of security requirements that organizations need to implement to safeguard the privacy and security of the personal information of EU citizens.
  • COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations to combat corporate fraud. COSO's 2013 framework covers internal controls, while its 2017 edition covers risk management.
  • PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit card information. The PCI standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

Table: Examples of IT security standards and frameworks

Information Security Program Lifecycle

Your organization's information security program should be based on a lifecycle of continuous improvement, as depicted in the following diagram:

Figure: Information Security Program Lifecycle

At the development stage, you should plan what policies are required and what they must contain. First, policies are drafted by the Information Security Working Group. Next, those policies are reviewed, commented on, and edited by the Information Security Committee. Once the editing has been finished, the policies move on further for formal approval by the Board of Directors.

At the adoption stage, your company needs to plan how best to adopt and implement those policies. Typically, the adoption stage includes the drafting of a few more documents that outline the information security program activities, procedures for gap assessment, communication plans of the proposed changes, and detailed development and implementation plans.

The information security program implementation stage consists of the execution of the plans that have been developed during the adoption stage. At the end of the implementation stage, documentation should be prepared to ensure that the controls and processes are continuously managed in compliance with the developed policies and their objectives.

At the management stage, you should ensure that your company manages and reinforces compliance, which includes consistent review of information security program audits and regular information security committee meetings.

At the assessment stage, policies should be consistently (at least annually) reviewed to ensure they are still relevant, and if they are not, updated accordingly.

Information Security Program KPIs

Cybersecurity KPIs are integral to a formal assessment of your information security program. Security metrics ensure your organization achieves the business objectives outlined in your information security program, give you opportunities to evaluate your security performance against industry benchmarks, and help you demonstrate the efficacy of the program to your company’s stakeholders.

Below are a few common security metrics that you can track to ensure the adequacy and effectiveness of your information security program:

  • Non-human traffic (NHT) is a type of traffic made up of visits to a website that don't involve a human.
  • Unidentified devices on the internal network include any devices that are not registered on the network. Since these devices might be insecure, they can pose a significant risk to an organization and therefore, should be closely monitored.
  • Intrusion attempts are instances where malicious actors tried to breach a company's network.
  • Mean Time Between Failures (MTBF) measures the average time that the system operates without stoppages.
  • Mean Time to Detect (MTTD) measures the average time it takes to detect a security threat.
  • Mean Time to Acknowledge (MTTA) measures the average time it takes to begin working on an issue after receiving an alert.
  • Mean Time to Contain (MTTC) measures the average time it takes to contain identified attack vectors.
  • Mean Time to Resolve (MTTR) measures the average time it takes to respond to a threat once a company is aware of it.
  • Mean Time to Recovery (MTTR) measures the average time it takes to recover from a product or system failure.
  • Days to patch measures the average time it takes to implement security patches.
  • Number of cybersecurity incidents reported.
  • Cost per incident measures the cost to respond to and resolve an attack (includes staff overtime, investigation costs, employee productivity loss, among other direct or indirect expenses).
  • Security posture score that gives an organization a grade on security categories including network security, DNS health, cubit score, endpoint security, IP reputation, web application security, social engineering, patching cadence, leaked credentials, and so on. An overall security score helps to understand how a company performs against others in the industry.
  • Phishing attack success is the percentage of phishing emails opened by employees.
  • Virus infection monitoring measures how often a company's antivirus software scans common applications for known malware.
  • Access management ensures only accredited and approved people have administrative access.
  • Security Policy compliance that ensures the careful tracking and documenting of exceptions, configurations, and compliance controls.
  • Cybersecurity awareness training.
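The incident-timing metrics above (MTTD, MTTA, MTTC, MTTR) and days to patch are only useful if they are computed consistently from the same lifecycle timestamps. The following is an added example, not code from the original article: it measures each KPI between a fixed pair of stages over a constructed incident log and a constructed patch list, and it excludes open incidents and undeployed patches from the averages rather than letting them distort the numbers. The stage names, incident ids and advisory names are assumptions chosen for the example.

```python
from datetime import date, datetime
from statistics import mean

# Constructed sample incident log (not real data); each key is the timestamp at
# which the incident reached that stage, None if an open incident hasn't yet.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2021-03-01T08:00", "detected": "2021-03-01T14:00",
     "acknowledged": "2021-03-01T14:30", "contained": "2021-03-01T20:00",
     "resolved": "2021-03-03T14:00"},
    {"id": "INC-2", "occurred": "2021-03-05T00:00", "detected": "2021-03-07T00:00",
     "acknowledged": "2021-03-07T02:00", "contained": "2021-03-07T12:00",
     "resolved": "2021-03-09T00:00"},
    {"id": "INC-3", "occurred": "2021-03-10T09:00", "detected": "2021-03-10T10:00",
     "acknowledged": "2021-03-10T10:15", "contained": None, "resolved": None},
]
# Constructed patch records: vendor release date and internal deployment date.
PATCHES = [
    {"advisory": "vendor-bulletin-A", "released": "2021-02-01", "deployed": "2021-02-11"},
    {"advisory": "vendor-bulletin-B", "released": "2021-02-15", "deployed": "2021-03-02"},
    {"advisory": "vendor-bulletin-C", "released": "2021-03-01", "deployed": None},
]
# The two lifecycle stages each KPI from the list above is measured between.
STAGES = {
    "MTTD": ("occurred", "detected"),      # compromise -> detection
    "MTTA": ("detected", "acknowledged"),  # alert -> someone starts working it
    "MTTC": ("detected", "contained"),     # detection -> attack vector contained
    "MTTR": ("detected", "resolved"),      # detection -> threat fully resolved
}

def hours_between(incident, start_key, end_key):
    """Elapsed hours between two stages, or None if the later stage is unreached."""
    start, end = incident.get(start_key), incident.get(end_key)
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:  # a data-entry error, not a negative KPI
        raise ValueError(f"{incident['id']}: {end_key} precedes {start_key}")
    return delta.total_seconds() / 3600

def compute_kpis(incidents):
    """Mean hours per KPI over the incidents that have reached the KPI's end stage."""
    kpis = {}
    for name, (start_key, end_key) in STAGES.items():
        samples = [hours_between(i, start_key, end_key) for i in incidents]
        samples = [h for h in samples if h is not None]
        kpis[name] = round(mean(samples), 2) if samples else None
    return kpis

def days_to_patch(patches):
    """Return (mean days from vendor release to deployment, patches still outstanding)."""
    deployed = [(date.fromisoformat(p["deployed"]) - date.fromisoformat(p["released"])).days
                for p in patches if p["deployed"]]
    outstanding = sum(1 for p in patches if not p["deployed"])
    return (round(mean(deployed), 2) if deployed else None), outstanding
```

Note that MTTD and MTTA include the still-open incident while MTTC and MTTR do not, so the number of samples behind each average should be reported alongside it.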

Virto Commerce eCommerce Platform as a Secure eCommerce Solution

If you’re operating an online business, you need to make sure that the platform you use is robust, secure, and provides all the necessary access and management controls to ensure the security of your sensitive information. Virto Commerce B2B ecommerce platform comes with an out-of-the-box Corporate Account Management module and has the necessary permission and access management controls. Moreover, it’s PCI DSS compliant which ensures that the credit and debit card information your company handles is compliant with cybersecurity industry standards, and is therefore secure and protected against bad actors. In its latest release, Virto added the anonymous data flow which ensures that any customer who asks you to delete their information will have their wish granted in accordance with the GDPR. Moreover, the Virto Commerce ecommerce platform is based on the latest Microsoft technologies that ensure the ultimate protection of your business as a whole.


What is an information security assessment?

An IT security assessment is a detailed study aimed at locating security vulnerabilities and potential risks to security systems that include but are not limited to the identification of vulnerabilities that can be exploited by cybercriminals and potential mistakes that an employee can make.

What is an information security program audit?

An information security audit is a systematic and measurable assessment aimed at determining how well an organization employs and maintains its security programs and policies.

What is an Information Security Program Charter?

An Information Security Program Charter is an essential document that defines the scope and goals of an information security program, as well as establishes functions, and authorizes people described under each function to execute the terms of the program.

What are some popular information security program courses?

Among the most popular and industry-recognized information security program courses are the following cybersecurity certifications: CISSP, CISA, CISM, Security+, CEH, and GSEC.

What is an information security program document?

An information security program document is a formal document that provides an overview of security requirements and describes the management and common controls to meet those requirements. Information security documentation is the set of an organization's cybersecurity policies, procedures, guidelines, standards, effective security management practices, and controls.


Marina Vorontsova
Technical author and eCommerce advocate