How to Build an Information Security Program from Scratch

(Your Step-by-Step Guide)

Written by Ashley Gwilliam and Nicole Bushong on March 3, 2023


Revisiting your information security program has never been more crucial. 

Cyberattacks increased 38% worldwide from 2021 to 2022, according to a report by Check Point Research. While one could attribute several factors to the boost, evidence suggests ransomware gangs exploiting remote collaboration tools played a significant role. What does this mean for small to medium-sized enterprises (SMEs)?

Unfortunately, it suggests they should tighten their existing security infrastructures even more. A recent survey found 42% of small business respondents had been attacked within the year. 

Couple these unpleasant facts with the whopping $8 trillion in cybercrime costs that experts predict will occur in 2023, and it’s easy to see why many executives are now taking an interest in something that was a mere line item years ago. Mitigating risk can feel especially challenging for SMEs on tight budgets, but that doesn’t mean it’s impossible. 

If you’re currently navigating the rollercoaster of security implementation, we’ve got you covered. This article will discuss IT security frameworks, best practices, and compliance tips that will help you strategize the building or rebuilding of your information security program. 



4 Steps to Building an Information Security Program


Before we begin, let’s review the importance of considering governance, risk management, and compliance (GRC) when establishing an information security program. 

Most IT professionals aren’t compliance experts. For this reason, compliance sometimes feels daunting for IT teams to navigate. But the subject isn’t actually as different from security as many believe. 

When boiled down, compliance is a matter of defining controls. What is a control? A control is simply a policy, a process, or a technology. And frameworks can help determine which controls your organization needs. 

For example, the National Institute of Standards and Technology (NIST) offers a common framework that provides standard operating controls required for holistic corporate security programs. Though NIST is more focused on government standards, it’s a great guide for budding programs, especially for those who aren’t familiar with writing controls. 

Compliance Tip: When it comes to cloud security, research frameworks that align with the specific provider. For example, AWS has the Well-Architected Framework to guide users on the controls necessary to secure cloud infrastructure.

Now, let’s move onto the basics of how to build an information security program from the ground up. 

1. Attain Visibility

Security requires visibility into the inner workings of an organization. When approaching a new program, establish insight and documentation around the following:

Logging and Monitoring

Areas without adequate logging and monitoring create potential risks. Use the following process to identify these gaps:

1. Investigate:

  • What log sources exist in what applications? 
  • How are these logs retrieved? 

2. Create a matrix documenting:

  • Priorities.
  • Technology and service source.
  • Location.
  • Frequency.
  • Input/Output methods.

3. Establish log monitoring automation

  • Executing on these plans is essential: security monitoring is only as effective as the log monitoring that keeps up with it. 
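As an added example (not from the original article), here is the log-source matrix from step 2 expressed as structured data, with a gap check in the spirit of step 1: which in-scope systems have no log source at all, which sources are retrieved too rarely for their priority, and where the matrix disagrees with the asset inventory. The inventory, sources and the interval thresholds are all constructed assumptions.

```python
"""Log-source matrix with a coverage gap check.

All systems, locations and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    system: str         # technology or service the logs come from
    priority: int       # 1 = highest, the matrix's priority column
    location: str       # where the logs live (path, bucket, SaaS API)
    frequency_min: int  # how often the logs are retrieved, in minutes
    method: str         # input/output method: agent, syslog, API pull, export


# Constructed inventory: every system that should be producing logs, with its priority.
INVENTORY = {
    "idp": 1,        # identity provider
    "vpn": 1,
    "payroll": 2,
    "wiki": 3,
    "build-srv": 2,  # deliberately absent from the matrix below
}

# Constructed log-source matrix (step 2). Payroll is only exported once a day.
MATRIX = [
    LogSource("idp", 1, "https://idp.example/api/events", 5, "API pull"),
    LogSource("vpn", 1, "syslog:514", 1, "syslog"),
    LogSource("payroll", 2, "s3://logs/payroll/", 1440, "batch export"),
    LogSource("wiki", 3, "/var/log/wiki/access.log", 60, "agent"),
]

# Assumed maximum acceptable retrieval interval (minutes) per priority.
MAX_INTERVAL = {1: 15, 2: 60, 3: 1440}


def uncovered_systems(inventory, matrix):
    """Inventory systems that have no log source in the matrix at all."""
    covered = {src.system for src in matrix}
    return sorted(s for s in inventory if s not in covered)


def stale_sources(matrix, limits=MAX_INTERVAL):
    """Sources retrieved less often than their priority allows."""
    return sorted(src.system for src in matrix
                  if src.frequency_min > limits.get(src.priority, 1440))


def priority_mismatches(inventory, matrix):
    """Sources whose matrix priority disagrees with the inventory's priority."""
    return sorted(src.system for src in matrix
                  if src.system in inventory and inventory[src.system] != src.priority)


if __name__ == "__main__":
    print("no log source:", uncovered_systems(INVENTORY, MATRIX))
    print("retrieved too rarely:", stale_sources(MATRIX))
    print("priority mismatch:", priority_mismatches(INVENTORY, MATRIX))
```

Running the three checks on every change to the inventory or the matrix turns the document from a one-off snapshot into a living control: a newly deployed system that nobody wired into log collection shows up as a gap rather than being discovered during an incident.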

Data Flows

Admins must know what data is stored and processed through what systems to maintain both security and privacy. Investigate your data flows by interviewing data owners and developing data flow diagrams. 

These diagrams should document what data travels through the company’s environment and where it travels. This process will identify any areas where data has been mishandled and enable scoping for different compliance needs.


Access and Permissions

Knowing who has access to which systems is pivotal to protecting the data stored in them. Access and permissions should always align with the following two principles:

  1. Separation of duties: The principle that no one person should have enough access to misuse a system on their own.
  2. Principle of least privilege: The principle that users should be given the least amount of access they need to do their job.

Start by creating an access control matrix to help with: 

  • Onboarding and offboarding by helping IT personnel keep track of access and permissions for all the roles in the organization.
  • Identifying and correcting gaps, especially areas where the principles of separation of duties and least privilege are violated.
  • Providing evidence of controls around authorizing access, which is helpful for tracking compliance efforts. 
  • Tracking vendors. Consider using this access document to aid in creating a vendor list. 
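As an added example (not from the original article), here is an access control matrix as data, with checks for the two principles above: separation of duties (no one person holds a conflicting pair of rights, and which role pairs must never be co-assigned) and least privilege (nobody holds rights their roles do not entitle them to, which also catches lingering access after offboarding). Every role, person, permission and conflict pair is constructed for illustration.

```python
"""Access control matrix with separation-of-duties and least-privilege checks.

All roles, people, permissions and conflict pairs are constructed for illustration.
"""
from itertools import combinations

# Role -> permissions the role is entitled to (the matrix rows).
ROLE_PERMISSIONS = {
    "engineer": {"repo:write", "ci:run"},
    "ap-clerk": {"vendor:create", "invoice:enter"},
    "controller": {"payment:approve", "report:read"},
    "it-admin": {"user:create", "user:delete", "ci:run"},
}

# Permission pairs no single person may hold at once (separation of duties).
SOD_CONFLICTS = {
    frozenset({"vendor:create", "payment:approve"}),
    frozenset({"user:create", "payment:approve"}),
}

# Person -> roles (as recorded by HR).
ASSIGNED_ROLES = {
    "alice": {"engineer"},
    "bob": {"ap-clerk", "controller"},  # two roles that together conflict
    "carol": {"it-admin"},
    "dave": set(),                      # offboarded: should hold nothing
}

# Person -> permissions actually granted in the systems (what an export shows).
GRANTED = {
    "alice": {"repo:write", "ci:run", "user:delete"},  # user:delete is excess
    "bob": {"vendor:create", "invoice:enter", "payment:approve", "report:read"},
    "carol": {"user:create", "user:delete", "ci:run"},
    "dave": {"repo:write"},                            # lingering access
}


def entitled(person, roles=ASSIGNED_ROLES, matrix=ROLE_PERMISSIONS):
    """Union of the permissions the person's roles entitle them to."""
    return set().union(*(matrix[r] for r in roles.get(person, set())))


def least_privilege_violations(granted=GRANTED, roles=ASSIGNED_ROLES,
                               matrix=ROLE_PERMISSIONS):
    """Person -> granted permissions that exceed what their roles entitle."""
    out = {}
    for person, perms in granted.items():
        excess = perms - entitled(person, roles, matrix)
        if excess:
            out[person] = sorted(excess)
    return out


def separation_of_duties_violations(granted=GRANTED, conflicts=SOD_CONFLICTS):
    """Person -> conflicting permission pairs they currently hold."""
    out = {}
    for person, perms in granted.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if hits:
            out[person] = sorted(hits)
    return out


def conflicting_role_pairs(matrix=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Role pairs whose combined permissions contain a conflict, so they must
    never be assigned to the same person."""
    return sorted((a, b) for a, b in combinations(sorted(matrix), 2)
                  if any(pair <= matrix[a] | matrix[b] for pair in conflicts))


if __name__ == "__main__":
    print("least privilege:", least_privilege_violations())
    print("separation of duties:", separation_of_duties_violations())
    print("role pairs to keep apart:", conflicting_role_pairs())
```

Comparing HR's role assignments against what the systems actually grant is the part that makes the matrix useful for offboarding: an account like dave's, with no roles but a surviving permission, is exactly the gap the text warns about.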

2. Assess Risk

Throughout the process of building out visibility documentation, take note of any risks you identify by starting a risk register. Managing risks requires an element of project management: risks should be documented, and plans to address them should be tracked and managed. 

Your risk register should include everything you need to know about each risk, including ownership, plans for mitigation, deadlines, and more. For example, your risk register might include:

  • Risk ID and description.
  • Likelihood, impact, and severity of risk (e.g., rated 1-5).
  • Treatment plan (e.g., mitigate, transfer). 
  • Mitigating action steps.
  • Corrective action plan.
  • Specification of results.
  • Owner and approver for risk’s remediation steps.
  • Progress, due date, and completion date for specified remediation steps.

These categories are not exhaustive; your risk register may include additional data specific to your organization. Risk assessment shouldn’t be a one-and-done activity, but rather an ongoing analysis. 

Continue to document and assess risks in the risk register with the process above when they are identified. This will keep the register up to date and functional, allowing it to inform decisions on which projects to prioritize based on their ability to reduce risk. 

3. Define and Implement Controls

Here’s the fun part — making the magic happen! 

Each risk that is mitigated results in new controls or improved existing controls. Remember: a control is a policy, process, or technology. Each control must be defined and implemented. 

For example, a risk such as “terminated employees retaining access to work accounts” will result in creating or improving employee offboarding processes, which may require a piece of technology — like an identity management platform.

Then, those new controls should be added to policy, which authorizes and communicates the requirements throughout the organization. The processes listed above, along with the regulations and frameworks that your company adheres to, should act as guidance for defining your controls. 

Control Challenges You May Encounter

Sometimes, making controls a reality is easier said than done. Implementing controls can be difficult — especially when working with a sprawled IT environment, which is fairly common in SMEs. Controls often span multiple areas and functionalities; in the previous example regarding terminated employees, for instance, mitigations result in both HR and IT controls. 

Similarly, a control like keeping policy up to date requires leadership from many departments. And controls like access requests, security training, and policy acknowledgements require participation from every person in the organization to be successful. 


In a sprawled environment with many point solutions rather than a few centralized and robust ones, data sometimes gets lost in translation. 

Information and processes may not transfer seamlessly from department to department, and tools may not successfully carry data from one point to the next. The result is gaps in visibility and communication, which create new risks and inefficiencies. Having a central platform where you can implement and manage controls that span the entire organization is critical for effective, long-term security. 

For example, JumpCloud and CrowdStrike are designed to integrate seamlessly together to unify everything from identity and device management to endpoint detection and response (EDR) into one platform. This makes it easier to apply and monitor controls in one place while avoiding the risk of gaps in execution and visibility. 

Learn more about unifying your environment with JumpCloud and CrowdStrike. 

4. Establish Policies

Policies communicate controls with the entire organization. 

Ensuring user understanding and adoption of controls is critical to maintaining a secure environment; after all, users are security’s first line of defense. Having users review and agree to policies on at least an annual basis will provide awareness and accountability to all users in the organization.

Don’t forget to train users on the processes they need to comply with to protect against potential threats. Processes can range from reporting social engineering, to securing their home networks, to establishing strong authentication practices and requesting access via the right channels.

5. Repeat

Finally, IT security should be a holistic and iterative process: programs should be continuously improved upon. Fortunately, it doesn’t take a full third-party audit to check up on your security. 

For the SMEs that can’t afford a third-party audit when they start off, internal audits can be highly effective in gaining visibility into control consistency. Findings from these audits can be used to inform risk assessments and planning mitigations.

Get Secure and Compliant with JumpCloud

The best way to streamline your efforts — and cut costs — is to use the JumpCloud Directory Platform. JumpCloud combines identity and access management (IAM), mobile and device management (MDM), password management, and more under one pane of glass. 

It also provides some seriously convenient reporting options to satisfy auditors come compliance time. Want to learn more about how to get your environment compliance ready? 

Click here to visit our IT Compliance Quickstart Guide

Ashley Gwilliam

Ashley Gwilliam is a Content Writer for JumpCloud. After graduating with a degree in print-journalism, Ashley’s storytelling skills took her from on-camera acting to interviewing NBA basketball players to ghostwriting for CEOs. Today she writes about tech, startups, and remote work. In her analog life, she is on a quest to find the world's best tacos.

Nicole Bushong
