3 Types of Information Security Requirements – Business, Regulatory & Customer
Do you know whether your organization's security requirements keep pace with cybersecurity threats that are multiplying in frequency, complexity, and severity? Modern security requirements cover malware detection and protection, loss of system availability, data compromise, and much more. Attacks and threats have grown substantially more sophisticated: on average, attackers reside within a network for eight months before they are even detected. In this advanced threat environment, knowing what your organization's security requirements are is critical, because it tells you where to start in adequately protecting your data and network.
Information Security Requirements - 3 Types of Obligations to Consider
Understanding your security requirements is the all-important first step to developing a robust information security strategy.
It's important not to let your compliance needs alone dictate your organization’s information security requirements. Your business and customer needs are often greater. When you think about your information security requirements, there are 3 types of security obligations to consider:
- Business Obligations: Security commitments to the business. For example, security has a responsibility to ensure that information in the business is kept secure and is available when needed.
- Regulatory Obligations: Legal, compliance, or contractual obligations that security must fulfil. For example, organizations in the healthcare industry must be HIPAA compliant.
- Customer Obligations: Security commitments that the customer expects the organization to keep. For example, the customer of a manufacturer may require all their blueprint files to be encrypted.
11 Most Common Business Obligations for Your Security Requirements
Organizations today understand the need for security and their requirements have thus matured. Failure to meet business obligations can result in operational problems, impacting the organization’s ability to function and its bottom line.
1. Business Continuity
The largest obligation on IT security is the ability to provide continuity for business services. IT serves two main functions: running the business as a traditional IT department, and enabling the organization through innovative technology adoption. From these two functions, the business is primarily concerned with being able to complete its required work when needed.
Business continuity is closely tied to disaster recovery. Together they cover the planning needed to ensure the business can keep operating after it is hit by a significant disaster, whether natural or human-caused. Disaster recovery is the technical part of that plan: restoring systems and data; business continuity covers keeping the business processes running while that restoration happens.
2. End-User Security
Because end users are a primary target for attackers, specific security requirements around them have become business obligations. This includes end-user security awareness and training to limit how easily end users can be exploited, and the ability to remediate any disruption to end users.
3. Risk Management
Information security risks (arising from threats and vulnerabilities) must be identified, defined, quantified, and managed. This includes prioritizing and rating the risks to systems and data.
4. Security Awareness
The security program must raise the overall information security awareness of the organization in order to ensure privacy and security issues are mitigated and given adequate respect and consideration.
5. Integration and Interoperability
The security program requires well-defined and mature processes and controls that support information security, privacy, and compliance management obligations.
6. Data Protection
The primary expectation is that sensitive or critical information is secured from unauthorized access and disclosure. This expectation drives more detailed expectations such as proper access control, encryption, and threat management.
7. End-User Ease of Use
Security controls must be easy for end users to follow and must not impede their ability to complete their duties.
8. Innovation
The security strategy must support innovative processes and enable the freedom to use new technologies.
9. Confidence and Assurance
Security controls should support a high level of confidence and assurance to the organization that data is being protected by following industry standard best practices.
10. Governance Transparency
There should be transparency related to security risks and capabilities, including communication of breach and security incident activity, to senior management.
11. Project Management
Security analysis and design must be integrated into project management processes, ensuring a risk-based approach is followed while not unduly limiting the ability to initiate or finish projects.
8 Most Common Regulatory Obligations for Your Security Requirements
Most conventional regulatory obligations are legislation or compliance obligations, such as:
1. Sarbanes Oxley Act (SOX)
Applies to public companies with equity or debt securities registered with the SEC; requires internal controls that protect the integrity of financial reporting data against fraud
2. Payment Card Industry Data Security Standard (PCI-DSS)
Applies to any organization that processes, transmits, or stores credit card information to ensure cardholder data is protected
3. Health Insurance Portability and Accountability Act (HIPAA)
Applies to the healthcare sector and protects the privacy of individually identifiable health information
4. Health Information Technology for Economic and Clinical Health (HITECH)
Applies to the healthcare sector and widens the scope of privacy and security protections available under HIPAA
5. Gramm-Leach-Bliley Act (GLBA)
Applies to the financial sector, including banks and lenders, and requires safeguards for the security and confidentiality of customer financial information
6. Personal Information Protection and Electronic Documents Act (PIPEDA)
Applies to private sector organizations that collect personal information in Canada to ensure the protection of personal information in the course of commercial business
7. Third Basel Accord (Basel III)
Applies to banks around the world; a capital, liquidity, and risk-management framework whose firm-wide governance and operational-risk provisions bear on information security
8. Federal Information Processing Standards (FIPS)
Issued by NIST for non-military US federal agencies and the contractors that serve them, and widely adopted voluntarily in the financial sector; FIPS 140 sets requirements for cryptographic modules and FIPS 197 defines the AES encryption algorithm
3 Customer Obligations for Your Security Requirements
Today, most customers or clients expect some level of security to protect their data. For many organizations, customer data privacy is arguably the largest driving factor for developing a mature IT security program. Failure to meet customer requirements can result in high publicity incidents that can tarnish your organization’s reputation.
1. Clear Communication with Business Customers
Whether in a B2B or a partner relationship, the organizations you do business with expect their data and their systems to be protected. How are customer security requirements communicated?
- It is common practice for security requirements to be developed in statements of work (SOW) or master service agreements (MSA).
- Often these requirements from clients are communicated to the business units trying to acquire new business or maintain current clients.
- The main method of communication is an audit process. Questionnaire-style surveys are used to identify which requirements can be met. Organizations normally respond by stating which requirements they currently meet, and what can be done to meet the others.
2. Know Your Business Customers' Security Requirements
- Organizations frequently have “best practice” or industry standard requirements placed on them. This often comes in the form of an audit-style questionnaire to be completed that very closely mimics an industry standard best practice such as ISO 27001.
3. Meet Consumer Customers' Privacy Expectations
Consumer customers are the people actually consuming your products or services, e.g. someone who buys your laptop or uses your financial services. They expect privacy.
- It is normal for consumers to expect personal information to be protected.
- 80% of consumers say they are more likely to buy from consumer product companies they believe protect their personal information.
- 60% of consumers state that a single data breach would negatively impact their likelihood of buying from that company.
Let us help you with your organization’s security requirements
Having a security plan will make your business more agile. Remember: it is no longer a matter of if you will have a security incident, but when. Our team of experts has worked with many organizations to help them implement an information security strategy. The recommended first step is to contact us for a complimentary cloud security assessment so you know where to start and how to improve your organization’s security.