No matter how large or small your company is, you need to have a plan to ensure the security of your information assets. Such a plan is called a security program by information security professionals.
Think you don’t have anything of value to protect? Think again. The key asset a security program protects is your data, and the value of your business is in its data. You already know this if your company is one of the many whose data handling is dictated by governmental or industry regulations, for example the rules governing how you handle customer credit card data. If your data handling practices are not already covered by regulations, consider the value of the following:
Product information, including designs, plans, patent applications, source code, and drawings.
Financial information, including market assessments and your company’s own financial records.
Customer information, including confidential information you hold on behalf of customers or clients.
Elements of a good security program
The key components of a good security program are outlined in the following sections.
1. Designated security officer
For most security regulations and standards, having a Designated Security Officer (DSO) is a requirement, not an option. The DSO owns the security program and is the person accountable for it.
2. Risk assessment
This component identifies and assesses the risks that your security program intends to manage. The risks that are covered in your assessment might include one or more of the following:
Physical loss of data.
Unauthorized access to your own data and client or customer data.
Interception of data in transit. Examples include data transmitted between company sites, and data exchanged between the company and employees, partners, or contractors working from home or other locations.
Your data in someone else’s hands. Do you share your data with third parties, including contractors, partners, or your sales channel? What protects your data while it is in their hands?
3. Policies and Procedures
The policies and procedures component is where you decide what to do about the risks identified in your risk assessment: the policies state what must (and must not) be done, and the procedures describe how it is done.
4. Organizational security awareness
The security community generally agrees that the weakest link in most organizations’ security is the human factor, not technology. And even though it is the weakest link, it is often overlooked in security programs. Don’t overlook it in yours.
5. Regulatory standards compliance
In addition to complying with your own security program, your company may also need to comply with one or more standards defined by external parties. This component of your security plan defines what those standards are and how you will comply.