Posted by Buck Kulkarni on 12 Feb 2018
Digital transformation is sweeping across all facets of our lives. From complex business and financial transactions, through to hailing rides and streaming media, seemingly nothing has been left untouched. Businesses from street-side vegetable vendors to the largest global banks are performing a wide variety of financial transactions on the web or mobile web that were impossible barely a decade ago.
With this digital transformation comes users or account holders, and with them comes their data. Companies like Amazon or Netflix can store hundreds of millions of financial and personal information records in their systems. A single security breach of this massive amount of data could impact their business, reputation, and stock value in ways that can be difficult to overcome. Add to that the time and expense of recovering the data, for those who can recover it, and it’s no secret why information security is a critical component of every business.
Information security is now a large body of knowledge and there are hundreds of disciplines within its gamut. Many large companies that suffer security breaches are very knowledgeable about security, have invested huge sums of money over many years to build their security systems, and carry impressive certifications and credentials. So, what goes wrong?
At Alacriti, we grapple with this question all the time. As a payment processing technology provider, our clients, auditors, and regulators expect us to maintain a very high standard of data security. Over the past decade, we built security systems and processes designed to live up to these expectations. In our experience, we’ve learned that there are two pillars of a strong information security program:
Pillar #1: Security Policies
The first pillar is to have a comprehensive, clear, actionable, and measurable set of security policies that cover all aspects of the organization’s operations. Without these, security efforts can grow sporadically in the organization.
Pillar #2: Risk Management Lifecycle
The second pillar is a comprehensive risk management lifecycle that allows us to view the entire spectrum of activities needed to maintain our security posture. Without this, security efforts tend to focus on solving today’s problems rather than anticipating the needs of tomorrow.
I’ve written this blog to provide some insight into Alacriti’s security policy suite. We have developed different policies that help our employees understand the organization’s security principles, practices, and their responsibilities. At the root of all policies is our Information Security Policy which describes the basic rules of engagement, organizational directives, and consequences of non-compliance.
Each of the major subject areas in the Information Security Policy are further developed into separate policy documents that provide specific guidance in individual operational areas. Our current policy suite includes:
Some important control points built into our policy management process are:
The combination of these efforts has created a reasonable assurance that we are comprehensively covering our bases. There is also an organization-wide understanding that meeting these goals and obligations has allowed us to adopt new technologies without losing control over our security and privacy commitments.
A case in point is our recent migration to the cloud for some of our large application products. Our policy suite became the binding glue for all our technology and business leaders to pursue a common agenda of non-negotiable principles, processes, and best practices to achieve our cloud migration efficiently and cost effectively. While many organizations struggle with the security challenges of the cloud, we can say confidently that cloud migration allowed us to take our security posture to the next level.
The Bottom Line: A strong set of security policies is a pillar of sustainable information security. At Alacriti, there is a comprehensive, ongoing effort to keep these policies aligned with emerging technical and business scenarios. In addition, a comprehensive risk management framework helps us keep our policies balanced and measurable.