10 Questions to Ask Yourself About Your IT Security Program

Organizations of all sizes face an ever-increasing need to handle cybersecurity threats, and many are only just beginning to implement a formalized security and compliance program.  But while there may be recognition of the danger and a will to address it, many smaller organizations don’t have the in-house expertise to implement an information security program.  An effective information security program goes far beyond simply having anti-virus software and strong passwords; ideally, it’s a fundamental integration of security considerations into your management of technology, processes, and people.

If that sounds daunting, you're not alone.  But every organization that intends to get serious about security has to start somewhere.  These 10 simple questions will lead you to a strong foundation for an information security function that can grow with your organization.

#1 – Have you assigned responsibility and accountability for IT security and data privacy?

Someone should be designated as the IT Security Officer (ISO), and there should be senior management oversight for the function.

#2 – Have you identified all regulations and standards that apply to you?

A sampling of standards includes: Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Massachusetts Privacy Law (201 C.M.R. 17), Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry Data Security Standard (PCI-DSS).

#3 – Have you documented information security policies and procedures?

Comprehensive security policies and procedures define goals for the organization and provide a blueprint for meeting these goals.

#4 – How do you monitor your systems and applications to prevent breaches or fraud?

A process for regularly reviewing application logs and system activity reports will allow you to identify suspicious or anomalous actions and investigate them.  Network intrusion detection systems will also alert you when an external attacker is attempting to breach your systems.

#5 – Do you have an incident response plan to handle a security or data breach?

A detailed plan will help you manage containment, investigation, legal actions, and public relations during an emergency situation. Use of this plan will allow you to act quickly and with confidence during a situation when every minute counts.

#6 – What is your patch management strategy?

Is it thorough and comprehensive for all systems in use? An effective patch management process allows the organization to protect itself from newly-discovered threats and vulnerabilities, both internal and external.  The process should cover all software in use and should be deployed to all systems.

#7 – Do you perform security due diligence on new vendors, and periodically monitor them?

Reviewing the security controls in place at your vendors gives insight as to whether your data will be adequately protected by them. If gaps are found, action can be taken to correct them before any damage is done.

#8 – Have you identified all sensitive data that you maintain and ensured that it is adequately protected?

The organization should identify which types of data are considered sensitive or confidential, where the data is stored (whether electronic or hardcopy), and the adequacy of controls protecting the data.

#9 – Have you identified all critical, high-risk technology systems?

A basic IT risk assessment will help evaluate your security control efforts and focus your resources on the high-risk areas.

#10 – Do you provide employees with security training and methods to counter social engineering?

The most common security breaches result from employees accidentally divulging sensitive information.  Attackers use social engineering techniques to target your employees rather than your systems.  Continual security awareness training and testing are the most effective way to protect your organization.

When designing and implementing an information security program, be sure that you have accounted for each of these items.  Over time the program can grow as complex as needed, but these items will set you on the right path.  A strong information security program provides a strategic roadmap for your organization’s safe and secure growth.

If you have any questions on this topic, please contact Ryan J. Rodrigue, CISA, CISSP, Senior IT Assurance Manager, at 617-428-5443 or