Information Security Program – 10 Simple Steps

Small to mid-tier businesses can architect a simple cybersecurity program around a firewall, a DMZ (for public-facing devices and applications), monitoring of the perimeter, and antivirus (for servers, workstations and mobile devices).  Effective governance and architecture for just-enough security protects the computing activities that realize company objectives.  It answers the question: how does an information security program provide as safe a computing environment as we can afford, with the resources to maintain it?  A 10-step process, run as a repeating cycle, is recommended:

1. Perimeter Defense. Firewalls, DMZ servers, web gateways, proxies and intrusion prevention.  An IPS inspects traffic crossing the perimeter and blocks flows that deviate from a baseline of normal network activity or that match an onboard blocklist of known-malicious signatures.  The IPS notifies your IT administrator of the malicious traffic it sees.

2. Monitoring.  Perimeter, business-critical infrastructure (BCI), and endpoints. Managed monitoring lets limited in-house IT staff focus on the alerts and incidents that matter.  Every monitored device should be tied to the identity and access management directory (such as Microsoft's Active Directory, or Active Directory Lightweight Directory Services) so that an alert resolves to a known device and owner and the IT administrator can respond in a timely manner.


3. Endpoint Defense. Servers, workstations, mobile.  An onboard agent scans for threats continuously and at planned, scheduled intervals.  It is designed to quarantine, block, or delete malicious files and processes on the endpoint.  Agents that use behavioral analysis (UBA) or heuristics (with high, medium or low sensitivity settings) are affordable, current technology that offers reliable defense in place of, or alongside, traditional signature-based agents.


4. Risk Log. Establish a risk log of devices, scoring the risk of each device assessed.  Rank monitored devices by their risk-log score to decide which alerts and incidents to handle first, and assign each a response and remediation timeline based on internal resources and industry benchmarks (e.g. the ISO 27000 series).


5. Master List. Maintain a master list of monitored devices, recording the onboarding date, machine name, IP address, physical location, and device owner with contact information for each.


Onboarding and update policies should align with internal change-management procedures and with the monitoring vendor's own onboarding and update procedures.

6. IRP.  Have established procedures for alert review and incident response, mapped to response resources and industry benchmarks (e.g. the ISO 27000 series).  The matrixed response team is activated via email distribution groups, with escalation via a call tree.  The IRP should be written, operationalized, and ready for use as needed.

7. Vulnerability Scanning Program (VSP).  The goal is to identify vulnerabilities in software, and gaps in regulatory and industry compliance, and to remediate them in order of BCI and risk-log score, as quickly as internal resources allow.  The scanner identifies vulnerabilities and suggests how to remediate them.

Run scans on a set schedule, signed off by the IT Director.  The IT department manages its own section of the scanning program (giving it autonomy and skin in the game).  Every business and device owner is responsible for their own scans and for remediating the findings.  All remediation is tracked through the scanner's ticketing system: the scanner's global admin tracks scan and ticket history, covering completed scans, open vulnerabilities, and tickets that are new, in progress, and closed.  The IS department and CISO review scan reports at scheduled intervals to assess the attack surface of the WAN and close holes, including the progress of the autonomous groups managing their own scan-and-repair activity.
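Steps 4, 5 and 7 describe three records that have to agree with each other: the master list (who owns which device), the risk log (how much each device matters) and the scanner's ticket queue (what is open and how soon it must be fixed). The following is an added example, not code from the original post, showing one way to tie them together so the review described above has numbers to look at. The devices, findings, CVSS values, the risk-weighting scheme and the SLA table are all constructed for illustration and are assumptions, not any standard's figures.

```python
"""Added example (not from the original post): a minimal risk log, master
list and remediation queue, tying steps 4, 5 and 7 together in code.

All device names, scores, SLAs and scan findings below are constructed
for illustration; the scoring scheme is an assumption, not a standard."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta


# Step 5: master list, one record per monitored device.
@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    location: str
    owner: str            # "team <contact>"
    onboarded: date
    bci: bool             # business-critical infrastructure?
    exposure: str         # "internet" (DMZ) or "internal"


# Step 7: one scanner finding with its ticket state.
@dataclass
class Finding:
    device: str
    vuln_id: str
    cvss: float
    state: str = "new"    # new | in progress | closed
    opened: date = field(default_factory=date.today)


# Step 4: risk score per device (assumed scheme): the CVSS of its worst
# open finding, weighted up by 0.5 each for BCI and internet exposure.
def device_risk(dev: Device, findings: list[Finding]) -> float:
    open_cvss = [f.cvss for f in findings
                 if f.device == dev.name and f.state != "closed"]
    weight = 1.0 + (0.5 if dev.bci else 0.0) + (0.5 if dev.exposure == "internet" else 0.0)
    return round(max(open_cvss, default=0.0) * weight, 1)


# Assumed SLA table: (minimum risk score, days allowed to remediate).
SLA_DAYS = [(13.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]


def sla_days(risk: float) -> int:
    for threshold, days in SLA_DAYS:
        if risk >= threshold:
            return days
    return SLA_DAYS[-1][1]


def remediation_queue(devices: list[Device], findings: list[Finding], today: date) -> list[dict]:
    """Open findings ordered by device risk, each with an owner, due date and overdue flag."""
    risk = {d.name: device_risk(d, findings) for d in devices}
    owner = {d.name: d.owner for d in devices}
    queue = []
    for f in findings:
        if f.state == "closed":
            continue
        due = f.opened + timedelta(days=sla_days(risk[f.device]))
        queue.append({"device": f.device, "owner": owner[f.device], "vuln": f.vuln_id,
                      "risk": risk[f.device], "state": f.state, "due": due,
                      "overdue": today > due})
    queue.sort(key=lambda q: (-q["risk"], q["due"]))
    return queue


def review_metrics(queue: list[dict], findings: list[Finding]) -> dict:
    """Counts for the scheduled IS/CISO review: open, overdue, and tickets by state."""
    states = {"new": 0, "in progress": 0, "closed": 0}
    for f in findings:
        states[f.state] += 1
    return {"open": len(queue), "overdue": sum(q["overdue"] for q in queue), **states}


# Constructed sample data (not real hosts or findings).
DEVICES = [
    Device("web01", "203.0.113.10", "DMZ rack 1", "Ops <ops@example.com>", date(2023, 1, 9), True, "internet"),
    Device("fs01", "10.0.0.20", "HQ server room", "IT <it@example.com>", date(2022, 6, 1), True, "internal"),
    Device("ws-042", "10.0.5.42", "HQ floor 2", "Finance <finance@example.com>", date(2023, 3, 2), False, "internal"),
]
FINDINGS = [
    Finding("web01", "VULN-A", 9.8, "new", date(2024, 5, 1)),
    Finding("fs01", "VULN-B", 7.2, "in progress", date(2024, 4, 15)),
    Finding("ws-042", "VULN-C", 5.3, "new", date(2024, 3, 1)),
    Finding("ws-042", "VULN-D", 4.0, "closed", date(2024, 2, 1)),
]
TODAY = date(2024, 5, 10)

if __name__ == "__main__":
    q = remediation_queue(DEVICES, FINDINGS, TODAY)
    for item in q:
        print(f'{item["device"]:8} {item["vuln"]:7} risk={item["risk"]:5} due={item["due"]} '
              f'{"OVERDUE" if item["overdue"] else item["state"]:12} {item["owner"]}')
    print(review_metrics(q, FINDINGS))
```

With the constructed data the DMZ web server's finding lands at the top of the queue and is already past its 7-day SLA, while the workstation's medium finding has weeks left; the same CVSS value on a BCI or internet-facing device therefore gets a shorter deadline than on an internal workstation, which is the point of scoring the device rather than only the vulnerability.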

8. Threat Intelligence (TI).  Used together with the monitoring and scanning programs to match threats seen in the wild against what is found within the WAN.  A dynamic TI feed should be integrated with the monitoring tool and the scanner so that scans run against a current threat list.  Ensure known patches are installed to mitigate or eliminate the matched threats, and use TI to identify out-of-band threats that need attention: a patch, a countermeasure, or a matrix of compensating controls to mitigate the risk.
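The matching that step 8 describes has two halves: indicators (bad IPs and domains) checked against what the monitoring of step 2 collects, and "exploited in the wild" flags checked against what the scanner reports, so those findings can be patched out of band. The following is an added example, not code from the original post, of both halves over constructed input. The TI list, the key=value log format, the log lines and the scanner output are all constructed for illustration, and the vulnerability identifiers are placeholders rather than real CVE numbers.

```python
"""Added example (not from the original post): matching a threat-intelligence
list against monitoring logs and scanner output, as step 8 describes.

The TI indicators, log lines, scan results and their format are all
constructed for illustration; a real feed and real logs would differ."""
import re

# Constructed TI list: known-bad IPs and domains, plus vulnerability IDs
# reported as exploited in the wild (placeholder IDs, not real CVEs).
TI = {
    "ip": {"198.51.100.7", "192.0.2.55"},
    "domain": {"bad.example.net"},
    "exploited": {"VULN-B", "VULN-Z"},
}

# Constructed firewall/proxy lines in an assumed "<ts> <sensor> key=value ..." format.
LOGS = [
    "2024-05-10T09:12:03Z fw01 action=allow src=10.0.5.42 dst=198.51.100.7 dport=443",
    "2024-05-10T09:12:05Z proxy01 action=allow src=10.0.5.42 host=bad.example.net dport=443",
    "2024-05-10T09:13:11Z fw01 action=allow src=10.0.0.20 dst=203.0.113.10 dport=445",
    "2024-05-10T09:14:40Z fw01 action=deny src=192.0.2.55 dst=203.0.113.10 dport=22",
]

# Constructed scanner output: open vulnerability IDs per device.
SCAN_RESULTS = {"web01": ["VULN-A", "VULN-B"], "fs01": ["VULN-C"]}

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> tuple[str, str, dict]:
    """Split a log line into timestamp, sensor name and its key=value fields."""
    ts, sensor, rest = line.split(" ", 2)
    return ts, sensor, dict(KV.findall(rest))


def match_logs(ti: dict, lines: list[str]) -> list[dict]:
    """One hit per (line, indicator) where a src/dst IP or proxied host is on the TI list.

    'internal' records the other end of the connection, i.e. the WAN host
    that talked to (or was probed by) the indicator."""
    hits = []
    for line in lines:
        ts, sensor, f = parse_line(line)
        for key, other in (("src", "dst"), ("dst", "src")):
            if f.get(key) in ti["ip"]:
                hits.append({"ts": ts, "sensor": sensor, "type": "ip", "field": key,
                             "indicator": f[key], "internal": f.get(other)})
        if f.get("host") in ti["domain"]:
            hits.append({"ts": ts, "sensor": sensor, "type": "domain", "field": "host",
                         "indicator": f["host"], "internal": f.get("src")})
    return hits


def affected_hosts(hits: list[dict]) -> list[str]:
    """Distinct WAN hosts that touched an indicator: candidates for an alert or an IR ticket."""
    return sorted({h["internal"] for h in hits if h["internal"]})


def exploited_findings(ti: dict, scan_results: dict) -> list[tuple[str, str]]:
    """Scanner findings that TI reports as exploited in the wild: patch these out of band."""
    return sorted((dev, v) for dev, vulns in scan_results.items()
                  for v in vulns if v in ti["exploited"])


if __name__ == "__main__":
    hits = match_logs(TI, LOGS)
    for h in hits:
        print(f'{h["ts"]} {h["sensor"]:8} {h["type"]:6} {h["field"]}={h["indicator"]} '
              f'internal={h["internal"]}')
    print("affected hosts:", affected_hosts(hits))
    print("out-of-band patches:", exploited_findings(TI, SCAN_RESULTS))
```

Two things to note when doing this for real: an inbound connection denied at the firewall (the last constructed line) is still worth a hit, because it tells you which of your hosts the indicator's owner is probing; and a finding that is both open in the scanner and on the exploited list should jump the queue regardless of its risk-log score, which is what the out-of-band list is for.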

9. Pentesting.  Use a basic pentesting tool to confirm that a vulnerability is really exploitable (by exploiting it) or that it has been eliminated through patching, countermeasures, or controls.  Pentesting is integrated with the VSP so that scanner findings are verified rather than taken on faith.

10. Repeat the cycle continuously to keep the attack surface small.  Use Plan-Do-Check-Act (PDCA) with metrics to measure the program's success, identify gaps to close, and shore up the performance of the 10-step information security program.

Thank you for giving this topic your time, attention and consideration; I trust there are takeaways for you to use.  If you're interested in implementing an Information Security program for your business, please click Request a Consultation at the base of this page, put "ISP – SMB" in the subject line, and include the email signature of your COO or IT Director/Admin in the message body; I reply within 24 hours to arrange an exploratory conference call. ###
