How to start with an Information Security Program?

I'll give it a shot.

In a nutshell, the language is CYA: in case you get breached or hacked while you have access to their data, they can tell their customers "Acme said they had a security program and was protected, so this is their fault".

In that case if you end up being the cause of them losing data, they can blame you.

That being said, it's pretty standard contract language when companies are partnering or sharing data. Mostly it's a "Due Diligence" type artifact.

Regarding your questions:

Can someone please translate the above quote into common English?

Basically you need to have documented security policies/procedures. Within those documents you should state what you do to maintain systems and ensure that adequate security is provided. You should also try and address actual procedures that touch on security related subjects (access control, auditing, monitoring, incident response, etc.). You may already cover some of this in your normal Standard Operating Procedures (SOP) and you can reference those documents. When you create a new user or change groups/roles, are there written procedures for how to do it? Is there someone who approves that change? Those are the kinds of things that should be addressed. When they aren't written down, people don't have references for how to do them and they take liberties which may introduce security vulnerabilities.

I read something about annual certification, would it be ok to say that our company should make use of a third party security auditor and let them tell us what we should do?

This is the route a lot of organizations take, but security is definitely not something that should be reviewed "annually". It is an ongoing, forever process that should be integrated into your daily operations. That being said, a third party group can perform an "audit" that serves as your annual certification. The result of that will be a report that you can use to fix deficiencies and enhance your security posture. Highly recommend this, no matter how mature your security program is. The first few times you go through it, use different vendors so that you can compare the results. The quality of these types of assessments varies GREATLY.

Who within our organisation would typically be responsible for implementing an Information Security Program?

They go by many names, but the ultimate responsibility of security will lie with the system owner. That could be your CEO, the program manager, or in larger organizations an ISSO or Information System Security Officer. In smaller organizations, it usually falls to a Product or IT Manager. Hiring a consultant to help start this process may be a good idea at this stage. You're only going to see these requirements more often as you start working/partnering with large enterprises.

I am thinking about recommending to buy ISO27001, but who should read it? (related to the previous question)

What exactly are you considering buying? ISO27001 is a security compliance framework that provides a direction for securing your assets/enterprise and as far as I know you shouldn't have to pay for anything upfront unless it's a service or product. Choosing a compliance framework to base your program on is a great first step in establishing a security program. I would personally recommend ISO or NIST as they are large international/national standards and have a lot of overlap with other compliance frameworks (PCI, HIPAA, etc.). That being said, I have no idea what your goals are so you'll have to do some research and choose what's best for your organization.

I've written a lot of documentation and done a lot of security control testing so I may be opinionated at this point, but if you have additional questions, feel free to PM me. Good luck!


Legal and contractual language is always complex and sometimes daunting to read; that is why we sometimes gloss over the terms and conditions pages of products.

For your question of where to begin:

Here are a few links from standard resources like NIST, SANS and ISACA; each of these institutes has a rich history in dealing with many facets of information security.

SANS link:

https://www.sans.org/reading-room/whitepapers/hsoffice/designing-implementing-effective-information-security-program-protecting-data-assets-of-1398

ISACA link:

https://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Critical-Elements-of-Information-Security-Program-Success.aspx

Now regarding the section of the mail you referred to:

I assumed your organization's name is ACME.

You will make sure of the following.

  1. You have your own Information Security Program designed and implemented, and during the agreement period you will use it to prevent and reduce any risks identified either by your team or the customer's team for any software or services.

  2. You will also protect customer confidential data that is given to your company or your employees.

For example: in the case of the U.S. it is prohibited by law to release an individual's health records or Social Security Number without his or her permission.

  3. You will make a detailed report of the following:

• Risk Assessment: identify potential risks to services and operation
• Risk Management: suggest and implement methods to avoid or reduce the impact of identified risks
• Establish control flow: this deals with establishing and maintaining a chain of command in case of a risk event in order to continue critical services without interruptions
• Training: train all the related employees on safe and secure practices to handle data and also highlight best practices

Also establish a proper feedback mechanism to ensure the employees also play a part in establishing these practices. It pays a lot in the long run.

  4. You will protect the data from loss, destruction and alteration and prevent accidental disclosure of sensitive data.

  5. You will use encryption services to achieve this when the data is being stored on a USB drive or while the data is in use, as this is mandated by government.

  6. You will also ensure that your security standards are at the same level as that of your client's for risks listed by any international standards like NIST or ISO (they are organizations that define what the standard practices are) if they are written down in your SOW.

Now coming to your question about certification, I suggest two levels of auditing: one would be your internal team, which gives your organization a chance to address security issues particular to your company, and a third party auditor is always advisable as it boosts customer satisfaction.

And regarding who is responsible, typically it would be the CISO, i.e. the Chief Information Security Officer. And at the project level it would be the Project Manager and the dedicated security team.

Also, once again I would reiterate that it would be the users of that data who should be primarily careful about how they are handling it.

On the same note I would like to point out that any type of data can be classified as sensitive, i.e. there is a wide variety of them. For example, since you mentioned that the prospective client is from the financial sector, the term sensitive data might comprise business transaction details or a deal value, which might not seem valuable from a standard hacker's point of view but would be very critical to your client's competitors.

Unfortunately I have little to no knowledge on your final query, but I would suggest extensive market research before buying one, as the standards might vary slightly if not substantially.


I responded to a lot of these. One thing jumps out:

ACME will ensure that the Info Security Program is materially equivalent to Customer’s own information security standards in place from time to time applicable to the risks presented by the Products or Services (collectively the “IS Standards”).

Get the customer's information security standards. Go over it line-by-line and note what can't apply to your organization.

Second thing... You likely do have an information security program, it's probably just informal. Your developers have passwords, you have an SDLC, you use change management, code review, you VPN into the office, you do background checks on employees, you ensure contractors don't use stolen code or pirated software, no shared passwords, you have AV on workstations, etc, etc.

Formalizing what you have and seeing if it lines up with what the customer is asking for might be all they need. You need buy-in from your executive of course and they may need to fund you if customers have specific asks (intrusion prevention, vulnerability scanning etc).

Also remember that their only alternative here is to go to your competition. If your competition has amazing infosec and a discount price, then you might have a problem, but chances are, they're in a similar spot, so don't worry about being perfect, just do as much as you can and try to improve the situation.

This will happen again, and again and again, customer after customer. Hopefully you'll get an infosec person by then.

ISO 27001 is a very lightweight document and takes a lot of experience to understand and interpret. I don't think it will help much. NIST and PCI might be more useful at this stage, but that's my opinion.