The answer to this question may seem obvious. However, small and mid-sized marketing research firms have many competing priorities. “Client Acquisition” is usually close to the top of the list: new clients mean additional revenue, profits, and resources. But security and privacy requirements can quickly increase client project costs and risk for organizations that are not prepared.
New customer contracts often stipulate minimum thresholds for information security and privacy controls, policies, and procedures. They may even require certification or attestation with industry-standard security or privacy frameworks (CIS, SOC 2, NIST, HIPAA, CCPA, GDPR, etc.). Smaller organizations focused on acquiring new clients will typically accept these terms without fully understanding the impact on their business operations.
Client-led policies will work for a while, but long-term, they are not scalable. The more clients you add, the more complex your security program becomes. Before you know it, your operations team is overwhelmed with tasks (audits, reporting, etc.) from multiple security initiatives and frameworks. A more proactive approach to security and privacy policies and governance will simplify operations, reduce costs, and minimize risk.
Even if your clients don’t require a formal information security certification, it is a best practice to use an industry-standard framework as a guide when building proactive security controls and procedures. This way, as you build your security program, it will easily align with certification requirements down the road. We recommend the ISO 27001 framework because it’s a universal standard and maps well to other frameworks and client requirements.
We also recommend using a cloud-based portal to track and report on the progress of your security program. With a portal, you can simplify the management of policies, controls, owners, tasks, deadlines, budgets, documents, and notes. Some portals can also cross-reference your security controls with the requirements of other frameworks, making it easier to produce reports and obtain multiple certifications. Long term, your portal dashboard also allows you to track the maturity of your security program.
Information security governance is a board-level responsibility for building, managing, and reviewing internal security policies and procedures. This strategic effort is generally managed by a cross-functional executive committee representing finance, operations, sales, human resources, and information technology. The purpose of the committee is to ensure that all security policies align with your business objectives. A governance process is essential for managing risk and complying with legal, regulatory, and contractual requirements. A governance team should audit and review its security controls, procedures, and incidents regularly.
The role of the Chief Information Security Officer (CISO) is vital to the governance process. From our experience, organizations with dedicated information security leadership tend to operationalize client security requirements better than those without a security executive. Information security is not an IT function. The most successful organizations place their information security resources in a stand-alone department or have them report to the CFO or COO. Smaller organizations can leverage a Virtual CISO to gain the benefit of a strategic leader capable of driving proactive security initiatives, incident response, compliance, and governance at a fraction of the cost.
Based on your current client requirements, your information security program will be unique to your business. Consolidating your customer requirements and remaining proactive is the best way to operationalize and manage your security program components. Internally, your security program should be a well-known and well-documented process. Through training, everyone will understand their role and responsibilities when it comes to security. In ISO 27001 terms, your security program is an Information Security Management System (ISMS). As your program matures, the best practices found in the ISO 27001 ISMS framework will continue to shape your policies for how you manage and secure your internal, vendor, and client data.
Your governance committee is responsible for creating and publishing the rules for accessing and using your company’s IT assets. These security policies are unique to your company because they reflect your organization’s assets, risk tolerance, culture, industry, and regulations. The components of a security policy describe who, what, where, why, when, and how—organized into the following sections:
- Document Control
Security policies are in place to preserve the confidentiality, integrity, and availability of the organization’s systems and data. They act as security controls applied to humans—primarily your employees and suppliers. Security policies are living documents and should be modified as the business or business conditions change.
At any time, your clients reserve the right to audit your internal security controls, procedures, and policies to confirm that they comply with the contract terms. In a proactive security program, we recommend that you assign one individual the responsibility of studying all of your client requirements as they relate to information security. That person’s role is to organize internal client kick-off meetings at the beginning of new projects to make sure that everyone understands what is required and how it may differ from standard operating procedures. During the project, this individual performs audits to make sure the team is following the client requirements and submits corrective actions for any findings that fall outside those requirements. At the end of a project, they organize wrap-up meetings for post-project reviews and data retention policies. Having a dedicated client compliance specialist helps you avoid being in breach of your contracts. Ezentria offers this role as a service for organizations that require it.
Client Contractual Requirements Matrix
The way that your client compliance specialist manages all of your client agreements and requirements is through a Client Contractual Requirements Matrix (CCRM). The matrix captures business information, project standards, information technology, and information security requirements from all client agreements. The matrix is very detailed and may include a hundred or more contract requirements. The client compliance specialist will assign a value and color code (red/yellow/green) to each element for a visual representation of the organization’s ability to meet the client requirements. The matrix helps to operationalize the client requirements for each project and the corrective actions required to gain or remain in compliance.
Reviewing the status of your security program with the governance committee is crucial. Management Review Sessions address the suitability, adequacy, and effectiveness of your security program. Management Reviews should occur regularly (weekly, monthly, or quarterly) depending on business requirements. A typical session will include:
- Review of the previous action items
- Changes in internal and external security
- Feedback on security program performance
- Corrective Actions
- Audit Results
- Fulfillment of Objectives
- Feedback from interested parties
- Results of risk assessments
- Status of risk treatment plans
- Opportunities for continual improvement
The goal is to continually improve security operations through assessments, corrective actions, and policy refinement.
The fact is that new client information security requirements can be daunting. You need a way to minimize your risk and quickly deliver on the terms of your client agreements. Using policies and governance, you can align your organization to take full advantage of the best practices that come with an industry-standard framework to reduce redundancy, streamline operations, and deliver a universal security program. With this proactive approach to information security, you will no longer disrupt your business every time you add a new client.
Ezentria can help you determine the best way to implement a flexible ISO 27001 framework that matches your clients’ required security standards. We also offer the information security services you need to compete with larger organizations.
If you have any questions, need assistance, or would like to start with an assessment, you can reach us at firstname.lastname@example.org. Our next post in this newsletter will be in August.
Until then, be safe and secure.