Disclaimer: I have changed some key details to protect the privacy of a former client. However, the main sentiment and methods remain the same.
I orchestrated a jewel heist a few years back.
Yes, you read that correctly. While claiming a mysterious former life of crime is always intriguing, the truth is it was all in the name of compliance and I had explicit (albeit less interesting) permission from the jeweler’s CEO.
Don’t get me wrong, I was no Box Man in this scenario. I didn’t need to be, especially since I’d been privy to the common security inconsistencies of the jeweler in question.
My job was to create, deploy, and enforce security procedures. When I’d noticed that the employees had not been following these procedures as strictly as I’d recommended… I had to try a different tactic.
I made my point the day I smuggled $20,000 in inventory from the main vault. The loss was enough to constitute a termination, and somehow this made them keener to heed my security warnings. They’d made a major procedural mistake by leaving the keys and safe combo in the same location. They’d served me the keys to the kingdom on a silver platter.
It was the easiest $20,000 I’ve ever made. Oh my!
For the record, I returned the assets, but taking them had been too easy and it troubled me.
As a compliance expert, I have seen confusion and lax attitudes surrounding information security programs. I’m referring to the policies, standards, procedures and guidelines that make up the program.
Before we dive into differentiating these four components, we need to first understand what an information security program is and why it is critical for your overall business operations.
What is an Information Security Program?
An information security program consists of the policies, standards, procedures, and guidelines your organization uses to protect critical IT assets, data, and other business processes. This program works because it identifies the factors that affect or could affect the security of your assets, allowing you to create or alter policies, standards, etc. that directly address the issues.
Stealing the $20,000 in precious gems and metals allowed me to expose the vulnerabilities within the jeweler’s information security program. In this case, the lack of procedural follow-through was the culprit. Customized and targeted security measures can reduce incidents, eliminate vulnerabilities, and enhance your overall security posture. Each component has a vital role to play in keeping your business operations secure. Let’s start with the foundation, policies, and work our way up to the guidelines.
Policies: The Institution-Based Rules That Protect Your Assets
Policies are the foundation of any business and are necessary for creating a structurally sound and smooth-running organization. Policies are broad, high-level statements that provide direction and are typically flexible, but do not often change, as they don’t cover the ever-evolving nitty-gritty of day-to-day operations. You can have a high-level view of your information security program if you have policies in place.
An example of a policy could be, “the jewel vault must never contain over $50,000 in asset value at any given time.” This policy would require procedures to meet and maintain it and to direct the staff.
Standards: The Mandatory Obligations to Protect Your Assets
Just like you can’t install the electrical components of your home without a certified electrician to ensure competent execution, you can’t run your business without meeting standards. These can be compliance-specific, quality-specific (ISO), or otherwise. A standard specifies consistent uses for certain technologies or configurations. Some common standards include Cybersecurity Maturity Model Certification (CMMC), Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), ISO 22301, ISO/IEC 27001, among many others. As you can see, you adopt, implement, and abide by the standards that are applicable to your business. While standards didn’t directly apply to the jewel vault situation, the standard would be the staff’s obligation to the protection and privacy of customers’ data and assets as dictated by regulatory compliance.
Procedures: The Actions You Take to Protect Your Assets
Procedures are specific details or instructions on how to accomplish desired tasks and goals within your business. Consistent procedures are essential to every business, as they improve efficiency and decrease error. As I mentioned above, the jewel heist was made possible by a procedural error from the staff. The procedure, to ensure vault security, was to store the code and the key in separate locations. Procedures are subject to change as you deploy new technology, your company grows, you acquire other companies, or other companies acquire your business.
Guidelines: The Best Practices You Can Use to Protect Your Assets
Guidelinesare essentiallyrecommendations andthat you’dtypically applywhen a standard doesn’t exist. You should considerguidelinesas best practices.Going back to thejewel heistscenario:aguideline would be,don’t leave the combo in a drawer that customers see you go into every timebeforeyou walk intothevault. People are smart. They will put 2 and 2 together to realize that they are always grabbing the same combo from the exact same place.
Another best practice or guideline that I see often (or don’t see often) is employee password protection and management. The quote “Passwords are like underpants. Change them often, keep your private, and never share with anyone” is a great example of a password management guideline.