FAQs
Have questions about this information security stuff? Feeling confused? We can help!
Check out our Frequently Asked Questions below and feel confident about protecting your organization’s data, networks, critical systems and reputation.
Frequently Asked Questions
What is ISO 27001?
ISO 27001 is a widely used international standard for managing information security, developed by the International Organization for Standardization. It was created to help organizations of any size and in any industry protect their information in a systematic and cost-effective way. ISO 27001 achieves this through the adoption of an Information Security Management System (ISMS).
The ISO 27001 standard itself provides the requirements for an ISMS. The rest of the 27000 family of standards (more than a dozen in total) covers everything from auditing your security management system, to risk management, to detailed implementation guidance for a variety of security controls. Using these standards helps organizations apply international best practices to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to them by third parties. Best of all, the standards are suitable for organizations and businesses of any kind.
Because it is an international standard, ISO 27001 is easily recognized all around the world. This makes the sharing of security program information with partners, suppliers, and auditors easier. It can also assist business opportunities with clients that have sensitive security requirements.
Which security control framework do I need?
If you have a security management program that covers how you measure risk and make security decisions, which framework you use for security controls guidance is really a business decision rather than a technical decision.
Security control frameworks differ in which industries typically require them, how comprehensive their controls are, and how prescriptive their controls are. The one you choose should be matched to which regulations you need to be compliant with, as well as the expectations of your partners and clients or customers. You want to choose a framework that helps you meet those business needs rather than having your framework “tail” wag the “dog” of your business objectives.
If you are using ISO 27001 for your security program, it typically makes the most sense to use ISO 27002 as your control framework as they are designed to pair together.
How do I know if my security controls are working?
Part of your security management program should be a process to periodically monitor your security controls for effectiveness. This forms part of the security reports that are reviewed by your security executive. These reviews and reports help them make both tactical decisions (“repair this control or process”) and strategic decisions (“add developing a compensating control to the roadmap”).
An external security assessment that actively tests the controls offers assurance that your internal monitoring is operating effectively. It can also provide recommendations and guidance for improvement that help your executive team form the strategic objectives for your security program.
What do I need to prepare before hiring an information security expert?
When talking to an IT security expert that you’re considering hiring, it can help to develop common ground. Help the discussion develop more quickly by having the following important information at hand:
- Impact: What would a breach of confidentiality, integrity or availability to your most critical information mean to your business?
- Readiness: What’s your current level of security program maturity? What related work has recently been performed? What level of internal support do you have?
- Drivers: Have you inventoried the external drivers affecting your business, such as legislation and regulations (for example PCI, FIPPA, PHIAPPA (Personal Health Information Access and Protection of Privacy Act), industry regulations, etc.)?
- Governance: Any information on existing risk management or security committees or similar governance structures. An inventory of what policies you have developed and what their status is (draft, approved, recently reviewed).
- Information technology: High-level details on how your IT services are managed and secured.
- Business information: Office locations and number of people that host or have access to sensitive information.
What does a Chief Information Security Officer do?
Too much is at stake to not have Chief Information Security Officer (or CISO) capabilities on your leadership team.
A CISO provides leadership and experience in information security, technical security controls, and governance. This helps build a strong security program and the ability to prevent, detect and mitigate evolving threats. They can help you to reduce risk, improve compliance, attract security-conscious customers, attract high-end staff, and manage existing resources and controls better.
A CISO works with your executive team to implement and operate your security program. They align strategic security objectives to business needs, develop a roadmap and support internal audits of program effectiveness. They communicate clearly with your senior management and provide security leadership to help your CIO and CFO understand the strategy and roadmap.
One way for smaller organizations to get the benefits of a CISO in a cost-effective manner is to use a CISO-as-a-Service. This provides the skills for companies that do not need a full-time CISO or wish to share with a group of related organizations.
What makes for a great CISO service?
SeekingFire Consulting Inc. sees the following traits as being of top importance:
- Board-level communications: Part of the job of the CISO service is to communicate directly with your board or senior executive. This will involve discussions on risk analysis and decisions, ensuring information security goals and objectives are being met, reporting on progress, and budget discussions. This is best done in the language of senior management, not “infosec” jargon. Your CISO service should be approachable, friendly, and easy to work with. Security is often complex, crosses all silos, involves risk decisions, and can be intimidating. Part of the job of your CISO service is to have the right experience to be able to translate the jargon and build good working relationships.
- Ability to align security with business goals: The role of the CISO service is not to get in the way of the business but instead to enable it to perform its duties and pursue new opportunities in a reasonably secure manner. A great CISO service will align the security program with the mission, values and purpose of their clients in ways that enable their business leaders to make effective decisions. The CISO service must always be aware of the balancing act between what is good for security and what is good for the business.
- Risk awareness: Your CISO service must always be thinking about and prioritizing business risks to ensure that progress is happening on the most important areas. This also involves being in touch with the direction the security field is moving and being able to translate that into business impact and requirements for their clients.
- Organization: There is a lot in the work portfolio of a CISO service! Your CISO service needs to be able to organize your security program so that you have a clear roadmap, business goals are aligned and the security program is periodically re-aligned to emerging business goals, controls are implemented and periodically tested, important gaps are addressed, records are kept, and more. This requires exceptional organizational skills.
- Patience: A great CISO service must always be aware that part of their role is to influence culture around risk and security tolerance and compliance. There is a limit to how quickly any organization can absorb such changes, and patience is the key to successfully achieving the objectives.
How do I use a CISO effectively?
A CISO service function is most successful when it is used effectively.
The CISO service, working directly with your senior management, fulfils a leadership role for information security. It is responsible for liaising with key stakeholders (senior management, clients, regulators, etc.), establishing security policy and direction, performing internal audits on the implementation of security controls, and most importantly for coordinating the governance of sound security decisions based on plans, internal measurements, and future objectives. The CISO service is accountable for ensuring that information-related risk is well understood and well managed to achieve the desired objectives.
It is important to understand that the CISO service does not directly perform operational security roles but instead ensures that their needs are analyzed and brought to the attention of your executive team. Similarly, the resulting progress towards pre-determined objectives should be measured and reported accordingly. When necessary, security gaps are analyzed and appropriate recommendations are made. This approach also keeps the CISO service at arm’s length from operations during audits and planning activities.
Where should I start?
- Have a vulnerability assessment scan performed to find any “holes” in your IT infrastructure. This addresses only one aspect of security, but the report will include information on how to address any security issues found and help immediately improve your security posture.
- Have a security program assessment performed to give you an analysis of how mature your overall security program is. This will look beyond IT and will include security aspects such as compliance, human resources, asset management, and more. The report will also provide recommendations for improvement that are tailored to your business.
Didn’t see the data security answer or topic you were looking for? No problem. Email us at info@seekingfire.com or call us at 1-306-502-1116 — we’ll be happy to help!
SeekingFire’s Services
Data Security Consulting
Every organization has unique needs and challenges. SeekingFire Consulting creates custom programs to aid your team in management practices and policies. These plans are based on ISO 27001 and related international standards.
Security Posture Assessments & Audits
A security posture refers to all of the aspects of your security systems and procedures, including software and hardware, networks, services, and information. Our assessment considers these aspects, as well as your organization’s ability to manage defenses and react and recover from a security breach. Our security posture assessment also includes actionable recommendations to address the discovered security gaps.
Understanding your cybersecurity posture is vital to protecting your organization’s sensitive and critical information from threats.
Security Incident Response Plans
When everything goes wrong, we’re here to help make it right.
A security breach is an urgent emergency that often leads to the loss of crucial information and assets, not to mention lost productivity and revenue. We know that this is a difficult experience for our clients and we will work with you to help right the ship without judgement or blame.
Following remediation, we will work with you and your team to reduce future risks and prevent future threats.
Vulnerability Scans and Network Security Analysis
Printers, phones, servers, computers, software, and firewalls… If it’s connected, it’s at risk. SeekingFire Consulting will audit the configuration settings of your connected systems, identifying vulnerabilities and providing recommendations for remediation. Early detection can save you the costs and stress of lost productivity and revenue caused by simple errors and oversights.
This service is sometimes called “ethical hacking.”
Remote CISO Service and Risk Analysis
Skilled and experienced CISOs are hard to find and expensive to hire. Our team is available to provide the support of a Chief Information Security Officer on a multi-year contract basis. We take responsibility for building your security management program, performing ongoing auditing and vulnerability assessments, and coordinating the governance of security (reviewing the reports and assessments and taking action where necessary). We become your trusted expert, providing guidance to senior management on your security roadmap.
This offering is sometimes called “Security as a Service.”