The EFPR Group of Companies

For over 60 years, our knowledgeable and experienced team of CPAs and business consultants has been serving individuals and businesses in Western New York and around the nation.

6 Steps for an ERM Information Security Program

Author: Michael C. Redmond | EFPR Group's IT and GRC Consulting and Audit

Protect your Information Assets

An efficient Information Security Program allows an organization to protect its information assets and to respond with speed and agility when mitigation and protection prove insufficient. A good program empowers a business to maintain continuous operations. It also reduces revenue loss, reduces fines and lawsuits, and protects brand reputation.

As a consultant in the areas of Information and Cyber Security, I have found that in some organizations, especially small organizations, the basics are sometimes forgotten.

6 Basic Steps

Below are 6 basic steps that should be considered by all Enterprise Risk Managers.

  1. Information Security, Governance and Risk are all critical aspects of planning and executing the Information Security Plan. It's important to know who in your organization has key responsibility for developing an information security governance program.
  2. As a risk control, develop a process for reviewing existing Information Security policies and standards to ascertain whether their scope of coverage is adequate against industry best practices, and update them as appropriate, taking compliance recommendations into account.
  3. Establish Key Performance Indicators (KPIs) to determine whether your Information Systems program meets business objectives, and operational metrics for ongoing process improvement.
  4. Tailor and enhance your existing security training program and requirements for specific audiences, based on the sensitivity of the information to which they are granted access under your policies.
  5. Strengthen IT Risk Management – Integrate Information Security risk management with enterprise risk management, including using common business terminology, congruent methods, and a common or linked risk register, and establishing mechanisms for risk acceptance.
  6. Build a regulation review process, schedule and regulation requirements matrix.

Summary and Next Steps

As I stated above, as a Consultant and Auditor in the areas of Information and Cyber Security, I have found that in some organizations, especially small organizations, the basics are sometimes forgotten. Contact us today for more information about protecting your information assets.

For more information call

800.546.7556