The Pillars of Information Security

Posted by Buck Kulkarni on 12 Feb 2018

Digital transformation is sweeping across all facets of our lives. From complex business and financial transactions, through to hailing rides and streaming media, seemingly nothing has been left untouched. Businesses from street-side vegetable vendors to the largest global banks are performing a wide variety of financial transactions on the web or mobile web that were impossible barely a decade ago.

With this digital transformation comes users or account holders, and with them comes their data. Companies like Amazon or Netflix can store hundreds of millions of financial and personal information records in their systems. A single security breach of this massive amount of data could impact their business, reputation, and stock value in ways that can be difficult to overcome. Add to that the time and expense of recovering the data, for those who can recover it, and it’s no secret why information security is a critical component of every business.

Information security is now a large body of knowledge and there are hundreds of disciplines within its gamut. Many large companies that suffer security breaches are very knowledgeable about security, have invested huge sums of money over many years to build their security systems, and carry impressive certifications and credentials. So, what goes wrong?

At Alacriti, we grapple with this question all the time. As a payment processing technology provider, our clients, auditors, and regulators expect us to maintain a very high standard of data security. Over the past decade, we built security systems and processes designed to live up to these expectations. In our experience, we’ve learned that there are two pillars of a strong information security program:

Pillar #1: Security Policies

The first pillar is to have a comprehensive, clear, actionable, and measurable set of security policies that cover all aspects of the organization’s operations. Without these, security efforts can grow sporadically in the organization.

Pillar #2: Risk Management Lifecycle

The second pillar is a comprehensive risk management lifecycle that allows us to view the entire spectrum of activities needed to maintain our security posture. Without this, security efforts tend to focus on solving today’s problems rather than anticipating the needs of tomorrow.

I’ve written this blog to provide some insight into Alacriti’s security policy suite. We have developed different policies that help our employees understand the organization’s security principles, practices, and their responsibilities. At the root of all policies is our Information Security Policy which describes the basic rules of engagement, organizational directives, and consequences of non-compliance.

Each of the major subject areas in the Information Security Policy is further developed into a separate policy document that provides specific guidance for an individual operational area. Our current policy suite includes:

  • Anti-bribery
  • Segregation of duties
  • Secure SDLC
  • Patch management
  • Pandemic events
  • Incident management
  • Ethics and whistle-blower protection
  • Business process assurance
  • Business continuity and disaster recovery
  • Employee background checks and drug screening
  • Vendor risk management
  • Data privacy
  • Human resources
  • Access control

Some important control points built into our policy management process are:

  • Adopting an industry framework (we adopted the US Government’s NIST SP 800) that allows a balanced view of enterprise security. This helps reduce the risk of becoming topical or sporadic.
  • Mandatory annual review and updates of all policies to reflect changes in both the company and the technical/regulatory environment in which we operate.
  • Mandatory annual training of all employees that explains our policies, expected behavior, and consequences of non-compliance. Each training is followed by a written test to ensure that employees have assimilated the learning.
  • A strong suite of procedural and process documents for each business unit or group that facilitates policy compliance in their day-to-day work. This includes collaboration tools, ticketing systems, logs, and evidence chains.
  • Ongoing internal audits that perform risk-based assessments of all functions against the behaviors and controls mandated by policies.
  • Review of the policy suite by an external auditor in the context of our business, technology, and regulatory obligations to validate that our policies are adequate for the purpose.

The combination of these efforts has created reasonable assurance that we are comprehensively covering our bases. There is also an organization-wide understanding that meeting these goals and obligations is what has allowed us to adopt new technologies without losing control over our security and privacy commitments.

A case in point is our recent migration to the cloud for some of our large application products. Our policy suite became the binding glue for all our technology and business leaders to pursue a common agenda of non-negotiable principles, processes, and best practices to achieve our cloud migration efficiently and cost effectively. While many organizations struggle with the security challenges of the cloud, we can say confidently that cloud migration allowed us to take our security posture to the next level.

The Bottom Line: A strong set of security policies is a pillar of sustainable information security. At Alacriti, there is a comprehensive, ongoing effort to keep these policies aligned with emerging technical and business scenarios. In addition, a comprehensive risk management framework helps us keep our policies balanced and measurable.

Buck Kulkarni, SVP of Governance, Risk & Compliance

Buck leads our Governance, Risk & Regulatory Compliance function to ensure we remain compliant with PCI DSS, HIPAA, HiTrust, SSAE 16, Data Privacy, and other regulations our clients care about. He and his team continuously invest in improving our risk and security posture to provide peace of mind to our clients and use best practices to keep Alacriti on the cutting edge of risk and security management.