© Eze Castle Integration | 1
9 Steps to Create an Information Security Plan
Table of Contents
Step 1. Regulatory Review and Landscape
Step 2. Governance, Oversight, Responsibility
Step 3. Take Asset Inventory
Step 4. Data Classification and Protection
Step 5. Evaluating Available Security Safeguards
Step 6. Perform a Cyber Risk Assessment
Step 7. Perform a 3rd Party Risk Assessment
Step 8. Create an Incident Response Plan
Step 9. Training and Testing Employees
Overview
In today's changing regulatory and investor landscape, Information Security Plans are critical for firms to comply with Securities and Exchange Commission (SEC) regulations, due diligence requests and state laws, in addition to addressing increasingly common and sophisticated cybersecurity threats.
To preface, it is important to know what an Information Security Plan is and why your firm needs one. An Information Security Plan is documentation of a firm's plan and of the systems put in place to protect personal information and sensitive company data. This data can include anything from investor information to employees' personal information.
Having an Information Security Plan can mitigate threats and risks against your organization and its data, help your firm protect the integrity, confidentiality, and availability of that data, and provide processes so your firm knows what to do if a data breach or incident happens.
Aside from protecting the integrity of your data and keeping it confidential, there are other legal reasons to have an Information Security Plan in place. As previously mentioned, any firm that is registered with the SEC is required to have one. There may be other state or industry-specific regulations your firm must adhere to as well. This is why the first step in creating an Information Security Plan is a review of the regulatory landscape.
Step 1: Perform a Regulatory Review and Landscape
The first step in creating an Information Security Plan is to perform a Regulatory Review, as all businesses have requirements coming from oversight bodies, including:
• International bodies, such as the EU General Data Protection Regulation (GDPR)
• Federal agencies, such as the Securities and Exchange Commission (SEC) and Financial Services Authority (FSA)
• State agencies, such as MA's PII regulation (201 CMR 17.00)
• Industry oversight, such as FINRA and the National Futures Association (NFA)
There are also self-imposed industry standards and expectations that come from external stakeholders, including:
• Investors, who will have standard due diligence questionnaires and reporting expectations
• Auditors, who will have frameworks to be followed
• External partners
Step 2: Specify Governance, Oversight & Responsibility
It is important to note that everyone in an organization has a role in information security. Your organization should create a highly trained and specialized group of people who are responsible for making sure the company follows the policies and procedures of the Information Security Plan. This team can go by several names; CIRT (Computer Information Response Team) and CISRT (Computer Information Security Response Team) are two common ones.
This team is made up of members of your firm who also have other functional roles within the organization. It is best practice to draw members from different departments, for example Compliance, IT, Finance, Human Resources, and Communications.
The CISRT is responsible for:
• Responding to computer incidents
• Managing and facilitating communication for any breaches or updates in policy
• Notifying regulatory agencies, state agencies, etc. of any breaches
• Overseeing governance of Written Information Security Plan policies and procedures
While the CISRT has an important role in overseeing governance of the Information Security Plan, all employees within the organization are expected to be aware of and comply with relevant policies, procedures, and guidelines, report any suspicious activity, and attend annual training.
Step 3: Take Inventory of Assets
Know what you have. Having an idea of what your firm has in terms of assets will give you a good baseline for creating your Information Security Plan and can help you identify potential vulnerabilities. This includes inventorying hardware and software as well as identifying the existing safeguards and controls you have in place. A best practice is to maintain a running list of workstations, servers, applications, and mobile devices such as phones, tablets, and laptops.
Often forgotten on this list are other devices that store information (phones, printers/copiers, etc.) as well as the growing collection of Internet of Things (IoT) systems, including conference call equipment, wireless speaker systems, and the like. Anything connected to your firm's network should be inventoried and cataloged.
Why, you ask? Because you can't properly assess your firm's level of risk or adequately protect data and information unless you understand what systems you have and what data they hold.
At a bare minimum, firms should conduct an annual review cycle of all IT assets to understand whether there have been additions, deletions or changes in how that technology manages data and what controls are in place to protect it.
PRO TIP: Although this step may be a partially manual process, there are software applications and scanning tools that can make the process easier.
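The annual review cycle described above, as an added example that is not part of the Eze Castle Integration deck: it compares last year's catalog against a fresh discovery scan and reports additions, deletions, changes in data handling or controls, and assets that fail the baseline (no accountable owner, or regulated data with no recorded controls). The asset schema and both inventories are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One catalog entry. Constructed schema for this example."""
    identifier: str       # hostname, serial or asset tag the register keys on
    kind: str             # workstation, server, application, mobile, printer, iot ...
    owner: str            # accountable person or department ("" if nobody claims it)
    data_held: tuple      # data types stored or processed, e.g. ("PII", "NPI")
    controls: tuple       # safeguards in place, e.g. ("edr", "disk-encryption")


# Constructed sample: last year's catalog (what the firm believes it has).
LAST_YEAR = [
    Asset("ws-0142", "workstation", "Finance", ("PII", "NPI"), ("edr", "disk-encryption")),
    Asset("srv-crm-01", "server", "IT", ("PII", "NPI"), ("patching", "backup", "mfa")),
    Asset("prn-floor3", "printer", "Facilities", ("PII",), ()),
    Asset("laptop-jdoe", "mobile", "HR", ("PII",), ("mdm", "disk-encryption")),
]

# Constructed sample: this year's discovery scan. Note the conference-room
# device nobody cataloged, the departed laptop, and the CRM server that
# started holding health data without any change to its controls.
THIS_YEAR = [
    Asset("ws-0142", "workstation", "Finance", ("PII", "NPI"), ("edr", "disk-encryption")),
    Asset("srv-crm-01", "server", "IT", ("PII", "NPI", "PHI"), ("patching", "backup", "mfa")),
    Asset("prn-floor3", "printer", "Facilities", ("PII",), ()),
    Asset("confroom-speaker", "iot", "", (), ()),
]


def review_inventory(previous, current):
    """Produce the findings an annual review looks for: additions, deletions,
    changes in data handling or controls, and baseline gaps (an asset with no
    accountable owner, or one holding regulated data with no recorded controls)."""
    prev = {a.identifier: a for a in previous}
    curr = {a.identifier: a for a in current}
    added = sorted(set(curr) - set(prev))
    removed = sorted(set(prev) - set(curr))

    changed = []
    for ident in sorted(set(curr) & set(prev)):
        before, after = prev[ident], curr[ident]
        diffs = []
        if set(before.data_held) != set(after.data_held):
            diffs.append(f"data {sorted(before.data_held)} -> {sorted(after.data_held)}")
        if set(before.controls) != set(after.controls):
            diffs.append(f"controls {sorted(before.controls)} -> {sorted(after.controls)}")
        if diffs:
            changed.append((ident, diffs))

    gaps = []
    for asset in current:
        if not asset.owner:
            gaps.append((asset.identifier, "no accountable owner"))
        if asset.data_held and not asset.controls:
            gaps.append((asset.identifier, f"holds {sorted(asset.data_held)} with no recorded controls"))

    return {"added": added, "removed": removed, "changed": changed, "gaps": gaps}


if __name__ == "__main__":
    for section, items in review_inventory(LAST_YEAR, THIS_YEAR).items():
        print(f"{section}: {items}")
```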
Step 4: Classify Data
Identify what data is important and what needs to be protected. There are different types of data a firm may have access to:
• Personally Identifiable Information (PII): according to the U.S. General Services Administration, PII is information that can be used to identify an individual, either on its own or when combined with other identifying information that is linkable to that individual.
• Protected Health Information (PHI): the HIPAA Privacy Rule defines Protected Health Information as demographic information, medical history, test and laboratory results, insurance information and other data that healthcare organizations and professionals store and have access to.
• Non-Public Information (NPI): the Federal Trade Commission defines NPI as any personally identifiable financial information.
The first two types of data are legally required to be reported to the Securities and Exchange Commission if there is a breach. When writing an Information Security Plan's policies and procedures, an organization should cover:
• Where the information resides;
• Who has access to the information;
• How the data is stored, removed or transferred; and
• How the data is protected.
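A data classification register built around the step above, as an added example that is not the deck's own material: it tags each data store with the types it holds (PII, PHI, NPI), marks the breach-reportable ones, and checks that the plan documents the four items listed (location, access, storage/removal/transfer, protection). The field-name indicators and the sample stores are constructed assumptions, not regulatory definitions.

```python
# Field names that signal each data type. A constructed heuristic for this
# example, not a regulatory definition: classify with Compliance in practice.
INDICATORS = {
    "PII": {"ssn", "date_of_birth", "passport_number", "home_address", "full_name"},
    "PHI": {"diagnosis", "medical_history", "lab_result", "insurance_member_id"},
    "NPI": {"account_number", "account_balance", "transaction_history", "credit_score"},
}

# The deck states that breaches of the first two types must be reported.
BREACH_REPORTABLE = {"PII", "PHI"}

# The four things the plan must document for each data store, in the order
# the deck lists them: where it resides, who has access, how it is stored /
# removed / transferred, and how it is protected.
REQUIRED_ATTRIBUTES = ("location", "access", "lifecycle", "protection")


def classify_fields(fields):
    """Return the set of data types implied by a record's field names."""
    names = {f.strip().lower() for f in fields}
    return {dtype for dtype, hints in INDICATORS.items() if names & hints}


def assess_store(store):
    """Classify one data store and report which plan attributes are undocumented."""
    types = classify_fields(store.get("fields", []))
    missing = [attr for attr in REQUIRED_ATTRIBUTES if not store.get(attr)]
    return {
        "name": store["name"],
        "types": sorted(types),
        "breach_reportable": bool(types & BREACH_REPORTABLE),
        "missing": missing,
        # Only stores holding classified data create a documentation obligation here.
        "needs_action": bool(types) and bool(missing),
    }


def build_register(stores):
    """Assess every store and put the ones needing action first."""
    return sorted((assess_store(s) for s in stores), key=lambda e: not e["needs_action"])


# Constructed sample stores.
STORES = [
    {"name": "investor-crm",
     "fields": ["full_name", "home_address", "account_number"],
     "location": "hosted CRM, vendor data center", "access": "Investor Relations, Compliance",
     "lifecycle": "retained 7 years, deletion via vendor ticket",
     "protection": "MFA, TLS in transit, vendor encryption at rest"},
    {"name": "hr-benefits-share",
     "fields": ["full_name", "ssn", "insurance_member_id"],
     "location": "file server fs01, share hr", "access": "HR",
     "lifecycle": "", "protection": "NTFS ACLs"},
    {"name": "marketing-list",
     "fields": ["company", "job_title", "work_email"],
     "location": "mailing tool", "access": "Marketing", "lifecycle": "", "protection": ""},
]


if __name__ == "__main__":
    for entry in build_register(STORES):
        print(entry)
```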
Step 5: Evaluate Available Security Safeguards
There are security frameworks available to help firms map out their approach to their Information Security Plan. The National Institute of Standards and Technology (NIST) provides a Cybersecurity Framework that can be a starting point for firms; however, it is important to note that the needs of every business are different, and aspects of the NIST Framework may not be applicable to your organization.
It is important to reiterate that employees are considered the first line of defense, and it is crucial to make them a security asset instead of a security risk. Requiring employees to use strong passwords, providing phishing simulations and training for employees, and holding regular cybersecurity training help create an internal culture of security.
Firms should also evaluate what solutions and controls can be added by their IT vendor to enhance security. Additionally, discerning what is overkill and what is necessary can be challenging, so having a trusted partner or vendor can help you discern and prioritize the regulations specific to your organization, in addition to providing additional safeguards.
Examples of NIST Framework safeguards, by function:
IDENTIFY:
• Cyber Risk Assessments
• IT Audit
• Network Inventory
PROTECT:
• Access Control
• Next-Gen Firewalls
• Endpoint Protection
• Encryption
• Patch Management
• Mobility Management
• Info Security Training
• Phishing Tests
DETECT:
• Intrusion Detection & Prevention
• Penetration Testing
• Vulnerability Assessments
• Continuous Security Monitoring
RESPOND:
• Incident Response Planning
• Remediation Services
RECOVER:
• Backup & Recovery
• Disaster Recovery
• Security Policy Audit & Maintenance
Step 6: Perform a Cyber Risk Assessment
Performing a cybersecurity risk assessment is crucial to understanding the cybersecurity risk to the firm's operations, functions, and assets. Typical steps associated with a vulnerability scan or assessment include:
• Identifying all appropriate systems, networks and infrastructure;
• Scanning networks to assess susceptibility to external attacks and threats;
• Classifying vulnerabilities based on severity; and
• Making tactical recommendations on how to eliminate or remediate threats at all levels.
As part of the process you will want to identify and document the following components:
• Asset vulnerabilities
• Internal vs. external threats
• Potential business impacts and likelihoods
• Potential controls
• Appropriate risk responses and remediations
Your risk assessment doesn't have to be overly complex or robust. Start with the basic risk assessment considerations; your risk assessment plan can then evolve as your organization grows and matures.
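A basic risk register covering the components listed above, as an added example rather than the deck's own method: each row records the asset vulnerability, whether the threat is internal or external, the impact and likelihood, the existing control and the chosen response; the register is scored on a 5x5 impact-by-likelihood matrix, bucketed by severity, and checked for high-or-worse risks that still lack a documented response. The scale, the severity thresholds and the sample rows are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One register row. Constructed schema matching the components the deck lists."""
    asset: str
    vulnerability: str
    threat_source: str     # "internal" or "external"
    impact: int            # 1 (negligible) .. 5 (severe business impact)
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    existing_control: str  # what is in place today ("" if nothing)
    response: str = ""     # accept / mitigate / transfer / avoid, plus the remediation


SEVERITY_ORDER = ("low", "medium", "high", "critical")


def score(risk):
    """Risk score = impact x likelihood on a 5x5 matrix, so 1..25."""
    for value in (risk.impact, risk.likelihood):
        if not 1 <= value <= 5:
            raise ValueError("impact and likelihood must be integers from 1 to 5")
    return risk.impact * risk.likelihood


def severity(risk):
    """Bucket the score. Thresholds are a constructed assumption; tune them to the firm."""
    s = score(risk)
    if s >= 16:
        return "critical"
    if s >= 10:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def prioritise(risks):
    """Highest score first; among equal scores, external threats ahead of internal."""
    return sorted(risks, key=lambda r: (-score(r), r.threat_source != "external", r.asset))


def missing_responses(risks, threshold="high"):
    """Risks at or above the threshold that still have no documented response."""
    floor = SEVERITY_ORDER.index(threshold)
    return [r for r in risks
            if SEVERITY_ORDER.index(severity(r)) >= floor and not r.response.strip()]


# Constructed sample register.
RISKS = [
    Risk("srv-crm-01", "unpatched web front end", "external", 5, 4,
         "perimeter firewall", "mitigate: apply vendor patch within 7 days"),
    Risk("laptop fleet", "lost or stolen device", "external", 3, 4,
         "disk encryption, MDM remote wipe"),
    Risk("hr-benefits-share", "over-broad share permissions", "internal", 4, 3,
         "NTFS ACLs"),
    Risk("confroom-speaker", "default admin credentials on IoT device", "external", 2, 3, ""),
    Risk("prn-floor3", "printer retains scanned documents", "internal", 2, 2, "",
         "accept: low volume, review next cycle"),
]


if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(f"{score(r):>2} {severity(r):<8} {r.asset:<18} {r.vulnerability}")
    print("needs a response:", [r.asset for r in missing_responses(RISKS)])
```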
Step 7: Perform a Third-Party Risk Assessment
Performing a third-party risk assessment on an annual basis is an essential part of your Information Security Plan. As more firms outsource business functions, it is imperative to set expectations with your partners, vendors, and providers so that everyone is on the same page.
Eze Castle Integration suggests having a process and checklist in place to make sure your firm is establishing acceptable third-party management guidelines. Ask the following questions:
• How are third parties storing data?
• How long are they storing data for?
• Which of their employees can access it?
• Are they testing and training their employees?
• How often do they perform security and penetration testing?
If your vendors undergo an audit, you can ask for that information. For example, Eze Castle Integration undergoes an annual SOC 2 audit of our cloud services.
Lastly, review critical vendors on an annual basis to see if any practices have changed. If practices don't live up to your firm's data privacy standards, it may be time to find another vendor.
Step 8: Create an Incident Response Plan
Creating a realistic Incident Response Plan that is relevant and attainable for your organization is crucial, because it is not a matter of if, but when, a cybersecurity incident will happen.
All Incident Response Plans are different and relative to the organization's specific business. The key factor in your Incident Response Plan is that it is realistic for your firm, as well as for the vendors and partners that have a stake in your response.
Engage with other partners internally from all departments, such as:
• IT
• Operations
• Human Resources
as well as external partners, such as:
• Service providers
• Third-party vendors
• Clients
• Regulators
PRO TIP: It's not if, but when, a cybersecurity incident will happen. Communication is critical during incident response, and we don't just mean to employees. There are a number of third parties who will also likely need to be notified and kept abreast of the firm's situation, depending on its severity and potential impact. Select at least one member of the CSIRT to handle communication on behalf of the firm: to notable and affected investors, third-party service providers, and regulators.
Step 9: Training and Testing Employees
To reiterate, making your employees a security asset instead of a threat is an extremely important part of your Information Security Plan. Follow these steps to ensure your employees are an asset instead of a threat:
• Educate employees by holding training throughout the year
• Review individual roles and responsibilities within the organization at least once a year
• Evaluate incident management procedures yearly and communicate any changes to employees
• Have a formal training or educational curriculum as well as activities
• Deploy annual or bi-annual phishing simulations and training
PRO TIP: Conduct annual tabletop and simulation exercises to ensure employees are effectively trained. These can be in-person or virtual seminars, but they should bring together department representatives from across the firm to enable swift business recovery in the event of a business-impact scenario.
About Eze Castle Integration
Eze Castle Integration is a leading provider of managed IT, cloud and cybersecurity solutions to more than 650 firms worldwide.
We are uniquely positioned to support today's firms with our broad portfolio of managed services, including:
Outsourced Technology Services: IT Support | Staff Augmentation | Global 24x7x365 Help Desk
Cybersecurity Solutions & Training: Vulnerability Assessments | WISP Development | Active Threat Protection | Managed Phishing/Training
Hybrid & Private Cloud Solutions: Application Hosting | Infrastructure as a Service | Managed DR | Hosted Voice
Business Resiliency & Contingency Planning: Disaster Recovery | Business Continuity Planning | Backup & Recovery | Email & IM Archiving
Boston | Chicago | Dallas | Hong Kong | London | Los Angeles | Minneapolis | New York | San Francisco | Singapore | Stamford
www.eci.com/cybersecurity

More Related Content

Similar to Create a Comprehensive InfoSec Plan in 9 Steps

It implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefIt implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefVisal Thach
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftOSIsoft, LLC
 
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive ApproachThe 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive ApproachProtected Harbor
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsRd. R. Agung Trimanda
 
Data protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceData protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceEquiGov Institute
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaUlf Mattsson
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionPrecisely
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimemuhammad awais
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowRoger Hagedorn
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...abhichowdary16
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxJoshJaro
 
Cyber and information security operations and assurance
Cyber and information security operations and assurance Cyber and information security operations and assurance
Cyber and information security operations and assurance EyesOpen Association
 
Item46763
Item46763Item46763
Item46763madunix
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Information Security
Information SecurityInformation Security
Information Securitychenpingling
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFLaurie Mosca-Cocca
 

Similar to Create a Comprehensive InfoSec Plan in 9 Steps (20)

It risk assessment
It risk assessmentIt risk assessment
It risk assessment
 
It implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefIt implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-brief
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive ApproachThe 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and Controls
 
Eng Solutions - Capability Statement-Latest
Eng Solutions - Capability Statement-LatestEng Solutions - Capability Statement-Latest
Eng Solutions - Capability Statement-Latest
 
Data protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceData protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure compliance
 
CCA study group
CCA study groupCCA study group
CCA study group
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crime
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to Know
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
Tyler Technology Expo
Tyler Technology ExpoTyler Technology Expo
Tyler Technology Expo
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
 
Cyber and information security operations and assurance
Cyber and information security operations and assurance Cyber and information security operations and assurance
Cyber and information security operations and assurance
 
Item46763
Item46763Item46763
Item46763
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Information Security
Information SecurityInformation Security
Information Security
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

Create a Comprehensive InfoSec Plan in 9 Steps

  • 1. © Eze Castle Integration | 1 9 Steps to Create an Information Security Plan
  • 2. © Eze Castle Integration | 2 Table of Contents 1. Regulatory Review and Landscape 2. Governance, Oversight, Responsibility 3. Take Asset Inventory ……….. 4. Data Classification and Protection 5. Evaluating Available Security Safeguards 6. Perform a Cyber Risk Assessment 7. Perform a 3rd Party Risk Assessment 8. Create an Incident Response Plan 9. Training and Testing Employees Step Step Step Step Step Step Step Step Step ………………………………………………………………………3 ………………………………………………….…………..4 ……..………………………………………………………………….……….5 ………………………………………………………………………6 . ………………………………….……………………….7 ….……………………………………………………………………8 .………………………………………….………………………9 …….……………………………………………………………….10 …………………………………………………………………………11
  • 3. © Eze Castle Integration | 3 In today's changing regulatory and investor landscape, Information Security Plans are critical for firms to comply with Securities and Exchange Commission (SEC) regulations, due diligence requests and state laws in addition to increasingly more common and more sophisticated cybersecurity threats. To preface, it is important to know what an Information Security Plan is and why your firm needs one. An information security plan is documentation of a firm’s plan and systems put in place to protect personal information and sensitive company data. This data can include anything from investor information and data to employees’ personal information. Having an information security plan can mitigate threats and risks against your organization and its data, help your firm protect the integrity, confidentiality, and availability of the data, and provides processes so your firm will know what to do if a data breach or incident were to happen. Aside from protecting the integrity of your data and keeping it confidential, there are other legal reasons to have an Information Security Plan in place. As previously mentioned, any firm that is registered with the SEC is required to have one in place. There may be other state or industry specific regulations your firm must adhere to as well. This is why the first step in creating an Information Security Plan is performing a Regulatory Review and Landscape. Overview
Step 1: Perform a Regulatory Review and Landscape

The first step to creating an Information Security Plan is to perform a Regulatory Review, as all businesses have requirements coming from oversight bodies, including:
• International bodies, such as the EU General Data Protection Regulation (GDPR)
• Federal agencies, such as the Securities and Exchange Commission (SEC) and Financial Services Authority (FSA)
• State agencies, such as MA's PII Regulation (201 CMR 17.00)
• Industry oversight, such as FINRA and the National Futures Association (NFA)

There are also self-imposed industry standards and expectations that come from external stakeholders, including:
• Investors, who will have standard due diligence questionnaires and reporting expectations
• Auditors, who will have frameworks to be followed
• External partners
Step 2: Specify Governance, Oversight & Responsibility

It is important to note that everyone in an organization has a role in information security. Your organization should create a highly trained and specialized group of people who are responsible for making sure the company follows the policies and procedures in the Information Security Plan. This team can go by several names; CIRT (Computer Information Response Team) and CISRT (Computer Information Security Response Team) are two common ones. This team is made up of members of your firm who have other functional roles within the organization. It is best practice to have members from different departments, for example Compliance, IT, Finance, Human Resources, and Communications.

The CISRT is responsible for:
• Responding to computer incidents
• Managing and facilitating communication for any breaches or updates in policy
• Notifying regulatory agencies, state agencies, etc. of any breaches
• Overseeing governance of Written Information Security Plan policies and procedures

While the CISRT has an important role in overseeing the governance of the Information Security Plan, all employees within the organization are expected to be aware of and comply with relevant policies, procedures, and guidelines, report any suspicious activity, and attend annual training.
Step 3: Take Inventory of Assets

Know what you have. Having an idea of what your firm has in terms of assets gives you a good baseline for creating your Information Security Plan and can help you identify potential vulnerabilities. This includes inventorying hardware and software as well as identifying the existing safeguards and controls you have in place.

A best practice is to maintain a running list of workstations, servers, applications, and mobile devices such as phones, tablets, and laptops. Often forgotten on this list are other devices that store information (phones, printers/copiers, etc.) as well as the growing collection of Internet of Things (IoT) systems, including conference call equipment, wireless speaker systems, and the like. Anything connected to your firm's network should be inventoried and cataloged.

Why, you ask? Because you can't properly assess your firm's level of risk or adequately protect data and information unless you understand what systems you have and what data they hold. At a bare minimum, firms should conduct an annual review cycle of all IT assets to understand whether there have been additions, deletions or changes in how that technology manages data and what controls are in place to protect it.

PRO TIP: Although this step may be a partially manual process, there are software applications and scanning tools that can make it easier.
Step 4: Classify Data

Identify what data is important and what needs to be protected. There are different types of data a firm may have access to:

Personally Identifiable Information (PII): According to the U.S. General Services Administration, PII is information that can be used to identify an individual, either on its own or combined with other identifying information that is linkable to an individual.

Protected Health Information (PHI): The HIPAA Privacy Rule defines Protected Health Information as demographic information, medical history, test and laboratory results, insurance information and other data that healthcare organizations and professionals store and have access to.

Non-Public Information (NPI): The Federal Trade Commission defines NPI as any personally identifiable financial information.

The first two types of data are legally required to be reported to the Securities and Exchange Commission if there is a breach.

When writing an Information Security Plan's policies and procedures, an organization should cover:
• Where the information resides;
• Who has access to the information;
• How the data is stored, removed or transferred; and
• How the data is protected.
Step 5: Evaluate Available Security

There are security frameworks available to help firms map out their approach to their Information Security Plan. The National Institute of Standards and Technology (NIST) provides a Cybersecurity Framework that can be a starting point for firms; however, it is important to note that the needs of every business are different, and aspects of the NIST Framework may not be applicable to your organization.

It is important to reiterate that employees are considered the first line of defense, and it is crucial to make them a security asset instead of a security risk. Requiring employees to have strong passwords, providing phishing simulations and training for employees, and regular cybersecurity training help create an internal culture of security.

Firms should also evaluate what solutions and controls can be added by their IT vendor to enhance security. Additionally, discerning what is overkill and what is necessary can be challenging, so having a trusted partner or vendor can help you discern and prioritize regulations specific to your organization, in addition to providing additional safeguards.

Examples of NIST Framework functions and matching controls:

IDENTIFY:
• Cyber Risk Assessments
• IT Audit
• Network Inventory

PROTECT:
• Access Control
• Next-Gen Firewalls
• Endpoint Protection
• Encryption
• Patch Management
• Mobility Management
• Info Security Training
• Phishing Tests

DETECT:
• Intrusion Detection & Prevention
• Penetration Testing
• Vulnerability Assessments
• Continuous Security Monitoring

RESPOND:
• Incident Response Planning
• Remediation Services

RECOVER:
• Backup & Recovery
• Disaster Recovery
• Security Policy Audit & Maintenance
Step 6: Perform a Cyber Risk Assessment

Performing a cybersecurity risk assessment is crucial to understanding the cybersecurity risk to the firm's operations, functions, and assets. Typical steps associated with a vulnerability scan or assessment include:
• Identifying all appropriate systems, networks and infrastructure;
• Scanning networks to assess susceptibility to external hacks and threats;
• Classifying vulnerabilities based on severity; and
• Making tactical recommendations around how to eliminate or remediate threats at all levels.

As part of the process you will want to identify and document the following components:
• Asset vulnerabilities
• Internal vs. external threats
• Potential business impacts & likelihoods
• Potential controls
• Appropriate risk responses & remediations

Your risk assessment doesn't have to be overly complex or robust. Start with the basic risk assessment considerations, and your risk assessment plan can evolve as your organization grows and matures.
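The inventory of Step 3, the data classes of Step 4 and the risk-assessment components of Step 6 fit together as one small risk register. The following is an added example (not Eze Castle Integration's code or tooling) showing how a firm might record them and turn them into a prioritized list; the asset names, dates, the 1-to-5 likelihood and impact scales, the severity bands and the 365-day review window are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Set

# The three data classes the document names in Step 4.
REGULATED = {"PII", "PHI", "NPI"}


@dataclass
class Asset:
    """One row of the Step 3 inventory."""
    name: str
    kind: str               # workstation, server, application, mobile, IoT ...
    owner: str              # department accountable for the asset
    data_classes: Set[str]  # Step 4 labels held on this asset
    last_reviewed: date     # last inventory/control review


@dataclass
class Finding:
    """One entry of the Step 6 risk assessment."""
    asset: str
    threat: str
    origin: str             # "internal" or "external"
    likelihood: int         # 1 (rare) .. 5 (expected); assumed scale
    impact: int             # 1 (negligible) .. 5 (severe); assumed scale
    existing_control: str
    response: str           # planned risk response / remediation


def risk_score(f: Finding) -> int:
    """Qualitative risk = likelihood x impact on a 1..25 matrix (assumption)."""
    if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
        raise ValueError("likelihood and impact must be between 1 and 5")
    return f.likelihood * f.impact


def severity(score: int) -> str:
    """Bands chosen for this example; tune them to your own matrix."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def stale_assets(inventory: List[Asset], today: date, max_age_days: int = 365) -> List[str]:
    """Assets that missed the annual review cycle the document calls for."""
    return [a.name for a in inventory if (today - a.last_reviewed).days > max_age_days]


def regulated_assets(inventory: List[Asset]) -> List[str]:
    """Assets holding PII/PHI/NPI, the data the document says may trigger breach reporting."""
    return sorted(a.name for a in inventory if a.data_classes & REGULATED)


def risk_register(inventory: List[Asset], findings: List[Finding], today: date) -> List[dict]:
    """Join findings to the inventory and order them by score, highest first."""
    by_name = {a.name: a for a in inventory}
    stale = set(stale_assets(inventory, today))
    rows = []
    for f in findings:
        if f.asset not in by_name:
            # A finding on an asset that is not in the inventory means Step 3 is incomplete.
            raise KeyError(f"finding references uninventoried asset {f.asset!r}")
        score = risk_score(f)
        rows.append({
            "asset": f.asset,
            "owner": by_name[f.asset].owner,
            "data": sorted(by_name[f.asset].data_classes),
            "threat": f.threat,
            "origin": f.origin,
            "score": score,
            "severity": severity(score),
            "control": f.existing_control,
            "response": f.response,
            "review_overdue": f.asset in stale,
        })
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))


# Constructed sample data; names, dates and ratings are illustrative only.
TODAY = date(2024, 4, 1)
INVENTORY = [
    Asset("crm-app", "application", "Operations", {"PII", "NPI"}, date(2023, 11, 2)),
    Asset("hr-fileserver", "server", "Human Resources", {"PII", "PHI"}, date(2024, 1, 15)),
    Asset("conf-room-speaker", "IoT", "IT", set(), date(2022, 6, 30)),
    Asset("trader-laptop-07", "mobile", "IT", {"NPI"}, date(2024, 3, 1)),
]
FINDINGS = [
    Finding("crm-app", "credential phishing against users", "external", 4, 4,
            "password policy only", "enforce MFA; phishing training"),
    Finding("hr-fileserver", "unpatched file service", "external", 3, 5,
            "quarterly patching", "move to monthly patch cycle"),
    Finding("conf-room-speaker", "default admin password on IoT device", "internal", 2, 2,
            "none", "segment IoT network; change default credentials"),
    Finding("trader-laptop-07", "lost or stolen device", "external", 2, 4,
            "full-disk encryption", "accept residual risk; enable remote wipe"),
]

if __name__ == "__main__":
    for row in risk_register(INVENTORY, FINDINGS, TODAY):
        flag = "  [review overdue]" if row["review_overdue"] else ""
        print(f'{row["severity"]:6} {row["score"]:2}  {row["asset"]:18} {row["threat"]}{flag}')
    print("regulated assets:", regulated_assets(INVENTORY))
```

The register refuses a finding for an asset that is not inventoried, which is the practical link between Steps 3 and 6: a risk you cannot tie to a known system is a sign the inventory is incomplete, not a row to file away. The overdue flag implements the annual review cycle from Step 3, and `regulated_assets` singles out the systems whose data classes the document ties to breach reporting.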
Step 7: Perform a Third Party Risk Assessment

Performing a third-party risk assessment on an annual basis is an essential part of your Information Security Plan. As more firms outsource business functions, it is imperative to set expectations with your partners, vendors, and providers so that everyone is on the same page. Eze Castle Integration suggests having a process and checklist in place to make sure your firm is establishing acceptable third-party management guidelines. Ask the following questions:
• How are third parties storing data?
• How long are they storing data for?
• Which employees can access it?
• Are they testing and training their employees?
• How often do they perform security and penetration testing?

If your vendors undergo an audit, you can ask for that information. For example, Eze Castle Integration undergoes an annual SOC 2 audit of our cloud services.

Lastly, review critical vendors on an annual basis to see if any practices have changed. If practices don't live up to your firm's data privacy standards, it may be time to find another vendor.
Step 8: Create an Incident Response Plan

Creating a realistic Incident Response Plan that is relevant and attainable for your organization is crucial, because it is not a matter of if, but when, a cybersecurity incident will happen. All Incident Response Plans are different and relative to the organization's specific business. The key factor in your Incident Response Plan is that it is realistic for your firm, as well as for the vendors and partners that have a stake in your response.

Engage with other partners internally from all departments, such as:
• IT
• Operations
• Human Resources

as well as external partners, such as:
• Service providers
• Third-party vendors
• Clients
• Regulators

PRO TIP: It's not if, but when, a cybersecurity incident will happen. Communication is critical during incident response, and we don't just mean to employees. There are a number of third parties who will also likely need to be notified and kept abreast of the firm's situation, depending on its severity and potential impact. Select at least one member of the CSIRT to handle communication on behalf of the firm, to notable and affected investors, third-party service providers, and regulators.
Step 9: Training and Testing Employees

To reiterate, making your employees a security asset instead of a threat is an extremely important part of your Information Security Plan. Follow these steps to ensure your employees are an asset instead of a threat:
• Educate employees by holding training throughout the year
• Review individual roles and responsibilities within the organization at least once a year
• Evaluate incident management procedures yearly and communicate any changes to employees
• Have a formal training or educational curriculum as well as activities
• Deploy annual or bi-annual phishing simulations and training

PRO TIP: Conduct annual tabletop and simulation exercises to ensure employees are effectively trained. These can be in-person or virtual seminars but should bring together department representatives from across the firm to enable swift business recovery in the event of a business-impact scenario.
About Eze Castle Integration

Eze Castle Integration is a leading provider of managed IT, cloud and cybersecurity solutions to more than 650 firms worldwide. We are uniquely positioned to support today's firms with our broad portfolio of managed services, including:

Outsourced Technology Services: IT Support | Staff Augmentation | Global 24x7x365 Help Desk

Cybersecurity Solutions & Training: Vulnerability Assessments | WISP Development | Active Threat Protection | Managed Phishing/Training

Hybrid & Private Cloud Solutions: Application Hosting | Infrastructure as a Service | Managed DR | Hosted Voice

Business Resiliency & Contingency Planning: Disaster Recovery | Business Continuity Planning | Backup & Recovery | Email & IM Archiving

Boston | Chicago | Dallas | Hong Kong | London | Los Angeles | Minneapolis | New York | San Francisco | Singapore | Stamford

www.eci.com/cybersecurity