Starting or improving an information security program
If you want to be better at information security, the guidance and reference material on this site are an option to consider.
Take control of your information security one step at a time. Start a practical information security program that helps you reduce risk, earn trust, and keep your business on track, even if you don’t have a lot of time or budget.
Why you should have an information security program …
Information security is a risk management problem. Risk management means considering what could happen, how badly it would hurt, how likely it is, and what you can do to help prevent it, and then planning how to treat or mitigate the risks you find.
Small businesses sometimes (28% by some studies) do nothing about information security because the risks feel abstract, they believe they are too small to be a target of an attack, they can’t or don’t allocate budget, or they don’t have the expertise.
However:
- Cyber threats are often automated and indiscriminate
- Downtime, data loss, and loss of trust are costly – sometimes very costly
- Many customers, insurers, and partners are beginning to expect and appreciate basic information security
A little structure goes a long way. Thinking about your business information, the impact of interruptions, and how to recover quickly gives you control and helps you focus on running your business.
Your business needs an information security program. It may be relatively small, but it should be comprehensive. You can build one now.
If you do not have an information security program, one way to start is just thinking about and writing down your important information assets and the devices used to access them. Then consider the threats to these assets, the impact of losing them, and the steps to respond and recover if they are compromised.
If you do have an information security program, consider making it more effective by organizing it and applying good practice to understand its strengths and weaknesses, identify gaps, and prioritize risk-based, cost-effective improvements that support your business objectives.
The four steps on this page illustrate a pragmatic, easy-to-follow way to achieve the benefits of an information security program:
- Create, consolidate, and maintain a Program Description
- Create or update an information security policy
- Select your initial information security controls
- Sustain and improve the program
Click on each step below to open the details.
Step 1. The cyber security program description document
You will need a Program Description. As an information security program (program) matures, the Program Description may grow into a document set, but one large document is also a fine implementation. You can use the Program Description template.
Governance, documentation, and an information security policy are important parts. It shouldn’t be complex, but it does need to be written down.
The Information Security Model Canvas (ISMC) can help you visualize and organize the development or improvement of a Program Description. Many of the elements of the ISMC are described in the Program Description template.
As you update the Program Description, mark sections you don’t use as Not Applicable (for now) rather than deleting them. It is better to tell readers explicitly that a section currently has nothing defined.
No Program
If you have no formal information security program, or nothing is documented, follow the guidance as if the content you will add to the Program Description does not already exist: you are creating it rather than plugging it into an existing Program Description Document.
Have Started a Program
If you have a program and want to use the information security program foundations that this site supports, your existing program documentation can be updated.
Secure Storage
You will need to treat the program documentation carefully. As part of the program, you will start to classify documents and information. Classification helps control costs: once you know the classification of data, the resources spent protecting it can be commensurate with its value.
If you do not already have a secured digital asset (document) repository, consider getting one. Even at this early stage, the Program Description will evolve into something you will not want adversaries to have.
Step 2. Create an information security policy
Every business handles sensitive data: customer records, emails, payments, calendars. An information security policy helps protect your business by setting clear expectations for how you and your team handle information, devices, and risks.
Policy is a tool, not just paperwork, that gives you:
- Clarity – Know what to protect and who is responsible
- Consistency – Everyone works from the same set of easily known guardrails
- Credibility – Shows customers, insurers, regulators, and partners that you take protection seriously
- A starting point – From here, you can build policies over time as your needs grow
An information security policy should be a separate document. Use your own policy document format or the policy template.
Step 3. Add controls: from a risk assessment or the low-hanging fruit
At this time, make a choice about your priorities. Many things in cyber security and risk management start with a risk assessment. There is sound logic in that approach.
A risk assessment is a set of steps used to identify, evaluate, and prioritize potential threats or vulnerabilities, helping guide decisions about controls, investments, and risk treatment. Many elements of a program, including the program itself, start with or utilize a risk assessment. A risk assessment process is outlined here.
However, there are some controls that you already know will be part of the program. These are sometimes labeled low-hanging fruit, and it may be appropriate to implement them right away to reduce the associated risks. Examples include making sure malware controls are in place and running well on all endpoint devices, implementing backups, and implementing multifactor authentication.
You can also do both in parallel: start the Program Description Document and, without waiting for the risk assessment and the document to be completed and approved, begin implementing the low-hanging-fruit controls.
Risk assessments can be completed later: as part of the program review, if the understanding of a risk changes, or for new risks that are identified.
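The paragraphs above describe the risk assessment in words: identify threats to each asset, judge how likely and how damaging they are, and rank them so that treatment effort goes where it matters, while the low-hanging-fruit controls are implemented without waiting. The following is an added worked example of that process as a small risk register; it is not part of this page or of Pragmentum's templates. The 1-to-5 likelihood and impact scales, the risk appetite threshold, and the sample register entries are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed scales for this example (not from the page): likelihood and impact
# are both rated 1 (lowest) to 5 (highest); score is their product (1..25).
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed risk appetite: a score above this needs a treatment project.
RISK_APPETITE = 8


@dataclass
class Risk:
    """One row of the risk register: a threat to an asset and how we treat it."""
    asset: str          # the information asset or device (Step 1: write these down)
    threat: str         # what could happen to it
    likelihood: int     # how likely it is, 1..5
    impact: int         # how badly it would hurt, 1..5
    treatment: str      # planned control, or a note that the risk is accepted
    quick_win: bool = False  # low-hanging fruit: implement without waiting

    def score(self) -> int:
        """Likelihood times impact, the usual simple risk rating."""
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject ratings outside the agreed scale so the ranking stays meaningful."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.asset}: {name} {value} is outside {SCALE_MIN}..{SCALE_MAX}")


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register highest score first.

    Ties are broken by impact (a severe, less likely event outranks a
    moderate, more likely one with the same score), then by asset name so
    the ordering is stable from one review to the next.
    """
    for risk in register:
        validate(risk)
    return sorted(register, key=lambda r: (-r.score(), -r.impact, r.asset))


def treatment_plan(register: list[Risk], appetite: int = RISK_APPETITE) -> dict[str, list[Risk]]:
    """Split the ranked register into three buckets.

    do_now  - low-hanging-fruit controls, implemented in parallel with the assessment
    project - risks above appetite that need a prioritized mitigation project
    accept  - risks within appetite, revisited at the next program review
    """
    plan: dict[str, list[Risk]] = {"do_now": [], "project": [], "accept": []}
    for risk in prioritize(register):
        if risk.quick_win:
            plan["do_now"].append(risk)
        elif risk.score() > appetite:
            plan["project"].append(risk)
        else:
            plan["accept"].append(risk)
    return plan


def format_register(register: list[Risk]) -> list[str]:
    """Render the ranked register as text lines suitable for the Program Description."""
    lines = ["score asset                 threat                              treatment"]
    for r in prioritize(register):
        lines.append(f"{r.score():>5} {r.asset:<21} {r.threat:<35} {r.treatment}")
    return lines


# Constructed sample register for a small business; the assets, threats and
# ratings are illustrative, not data from the page.
SAMPLE_REGISTER = [
    Risk("Customer database", "ransomware via phishing", 4, 5, "offline backups + MFA", quick_win=True),
    Risk("Laptops", "malware infection", 4, 3, "endpoint malware controls on every device", quick_win=True),
    Risk("Email accounts", "credential theft / account takeover", 3, 4, "multifactor authentication", quick_win=True),
    Risk("Website", "defacement", 2, 2, "accept for now; revisit at annual review"),
    Risk("Payment records", "insider misuse", 2, 5, "least-privilege access review"),
]

if __name__ == "__main__":
    print("\n".join(format_register(SAMPLE_REGISTER)))
    plan = treatment_plan(SAMPLE_REGISTER)
    for bucket, risks in plan.items():
        print(f"\n{bucket}:")
        for r in risks:
            print(f"  - {r.asset}: {r.treatment}")
```

Running the script ranks the constructed register (customer database first at 20, then email accounts and laptops at 12, payment records at 10, website at 4) and sorts it into the three buckets: the three quick wins go into "do_now", the payment-records risk exceeds the assumed appetite and becomes a project, and the website risk is accepted until the next review. The same register can be re-scored at the annual review, or whenever a risk changes, which is exactly the "complete it later" path the text describes.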
Pragmentum’s free self-assessment can also help you jump-start your program. See Pragmentum Services for details on our cyber security services and the free material on this site.
Step 4. Sustain and improve the cyber security program
Save the Program Description Document and communicate to your team that they should be aware of the program. You now have a program! The risk assessment provides the prioritized risks to be addressed.
Now you need to keep the program current and close any gaps:
- Set up a process for continuous improvement of the program and the controls
- If a risk assessment has not been completed, conduct one
- Set up a project to prioritize and implement the mitigations from the risk assessment or improve the controls that are in place
- Set a frequency to review the program, at least annually
- React as you become aware of new risks or changes to existing risks
To recap:
Use the Model and Templates to document your program
Using the risk assessment, the low-hanging-fruit controls, or both:
- Download the Model Template
- The headings in the Model Template correspond to the sections of the model diagram.
- Follow the guidance in the Model Template and fill out as much of the content as you need. You can come back to edit this document, your program, as often as you need.