The Information Security Program
The basics of an information security program are straightforward concepts. John Fay, in his 1993 publication Encyclopedia of Security Management: Techniques and Technology (Maine, Butterworth-Heinemann, 1993), laid out the four levels of security as follows: physical, procedural, logical, and transformational.
While all organizations are familiar with physical security, only a small subset applies physical security controls to their IT devices. This tends to be an easy fix: simply lock up, or otherwise control access to, servers and other devices.
The procedural component is critical and is chronically the least addressed. However, it is through policies, procedures, and training that user behavior changes and becomes capable of dealing with the cyber threat. As stronger standards are applied, it is the procedural component that grows the fastest, as more and more procedural requirements and controls are added to the information security plan.
The addition of security hardware and software is what most people think of as cybersecurity, when it is only part (albeit an important part) of the overall program. The logical component addresses the core capabilities of security, which include access control, physical protection, intrusion detection, endpoint protection, network (with cloud and virtualization) protections, encryption, and application security. As the demands of standards increase, the logical component reaches a fairly mature level early and then grows at a much slower rate than the procedural component.
Finally, the transformational component, encryption technology, is used as an additional layer of protection for data in transit and at rest.
Imprimis Cybersecurity and Compliance Essentials (IC2E™)
Imprimis has developed a set of requirements that go to the heart of cybersecurity and compliance. This set of 17 requirements addresses both the implementation of the security core competencies and the activities required for compliance. These are referred to as the Imprimis Cybersecurity & Compliance Essentials, or IC2E™, and include the 17 controls shown in the graphic below.
The first 11 items of IC2E™ address the logical core competencies and the last 6 items address the procedural requirements. In this example, the NIST 800-171 standard is addressed. In other applications, the procedural controls will be tailored to the specific needs of the organization.
Imprimis mapped the essentials to the requirements of NIST 800-171 to provide a quick look at the readiness of an organization to comply with the standard while fulfilling the security the organization requires. This graphic shows how both compliance and security increase as security elements are added to an organization's security program. It also makes clear the vulnerabilities that remain with a partial security program.
The IC2E™ Readiness report shows the relationship between project tasks, compliance, and security. This is important to organizational leadership and management, where few are familiar with information security jargon. So, the Readiness report can change “blah, blah, blah …” into clear, understandable project tasks. It also provides a tool for planning the information security program, where the beneficial impact of discrete investments can be seen.
Other beneficial features of the IC2E™ Readiness report are that it is quick and easy to complete and is free. Contact Imprimis for your Readiness report at 719-785-0320 or at https://www.imprimis-inc.com/contact-us.