Integrated Finance has a comprehensively documented Information Security Policy which incorporates the entirety of the enterprise and features risk assessment, hardened configurations, vulnerability remediation, and incident response controls.
- Policy framework
A comprehensive approach to information security is essential to protect the interests of Integrated Finance, as well as the interests of its customers and vendors. Cybersecurity risks are ever-present and growing in sophistication, so preparation to meet these challenges must be measured against stringent requirements. It is for that reason that Integrated Finance has mapped its Information Security Policy to the Cybersecurity Framework of the National Institute of Standards and Technology (NIST CSF). Most specifically we are aligning our security controls against the moderate baseline set of controls found in the NIST 800-53 Rev 4.
The various policy domains are supported by multiple standards. These standard documents outline specific requirements, called "controls," to be met by the internal teams, vendors and/or partners to which we commit ourselves. Ensuring that each stakeholder meets these mandatory controls creates a uniform approach to information security across the entire enterprise. Security standards and controls are administered by the Integrated Finance Security team, who serve as subject matter experts and provide a central authority for standard implementation. When each business engineering team implements standards in a uniform manner, the Integrated Finance enterprise as a whole is more secure against sophisticated cybersecurity threats.
The specific, mandatory security requirements outlined in each standard are called controls. The controls in each Integrated Finance standard come from a library of security requirements within an overall Integrated Finance "Unified Control Framework" (UCF) that is specifically formulated to both implement security best practices at a granular level, and align with the NIST categorisation of security standards. Engineering teams are expected to view the security controls of each standard as mandatory, and implement them with the guidance of the security team.
Documented procedures are used to guide and standardise implementation of the controls listed in each standard. Just as standards and controls must be uniformly adopted across Integrated Finance, the procedures supporting them are implemented the same way across the engineering groups. These procedures have two levels of granularity: Standard Operating Procedures (SOPs) and Runbooks.
- Standard operating procedures (SOPs)
Standard operating procedures are step-by-step workflows for security processes. Each workflow incorporates both generic tasks (e.g. "peer review") and more detailed sub-steps (e.g. "distribute to peer business sponsors via email"), along with an official process flow diagram. An SOP is generic enough to be applied to any software project and/or product development effort for the same information-security-oriented task. Such procedural documents are key to effective management of a security control in a globally distributed remote workforce.
Runbooks are the most granular approach to procedures supporting information security standards and controls. They are position and team specific instructions meant to convey the greatest detail possible. Ideally, a brand-new, untrained employee could follow the steps of a runbook and accomplish its end goal.
Documented guidelines are aspirational best practices for information security controls and procedures. Over time, as expert Integrated Finance employees have engaged with this framework of security measures, they have developed improvements to mandatory controls and procedures. These improvements may improve the security profile of their team, ease control adoption, or address gaps in formal protection mechanisms. Integrated Finance has compiled these suggestions into "best practices" documents that are not mandatory but may help each engineering/product team to be as secure as possible.
- Security review
The Security team acts as the steward of the policy and standard documentation that is applied across the enterprise. Each document is reviewed at least once annually for updates and changes due to new requirements. The team also stores the documentation and ensures it is properly applied, in coordination with engineering and product development and/or external subject matter experts.
A key advantage of the Integrated Finance enterprise policy and standards documentation approach is that documents can be brought into alignment both internally and with external regulations or expectations. While the overarching policy framework is intentionally aligned with NIST, various controls and procedures account for the treatment of particularly sensitive or regulated data and its storage or processing. For example, GDPR and/or DPA 2018 (UK GDPR) protections are embodied where appropriate, and provide proof of fully integrated compliance with these important regulatory regimes. Furthermore, contractual obligations, including PCI DSS and Standard Contractual Clauses (SCCs), can be addressed through proper documentation.
- Where can I get further information?