Please research the process of setting up a Security Program within a medium sized organization. Provide...

Please do upvote if you found the solution useful. Your feedback is important to me.

20 things to accomplish while setting security program within a medium sized orgaisation are :

1. Take inventory of your data : Every firm should know, and have properly documented, what information they have, where it is stored, and precisely how it is protected.
2. Use a firewall : One of the first lines of defense in a cyber-attack is a firewall. The Federal Communications Commission (FCC) recommends that all SMBs set up a firewall to provide a barrier between your data and cybercriminals.
3. Train employees in key areas : acceptable use, password policies, defenses against social engineering, and avoiding phishing attacks.
4. Document your cybersecurity policies : While small businesses often operate by word of mouth and intuitional knowledge, cyber security is one area where it is essential to document your protocols. The Small Business Administration (SBA)’s Cybersecurity portal provides online training, checklists, and information specific to protect online businesses.
5. Encrypt your data : Secret, confidential, proprietary, and other types of secured data should be encrypted, at a very minimum, when in transit outside the firm’s firewall and while stored in any cloud environment.
6. Backup your data : Perform frequent backups and keep a copy of recent backup data off premises.
7. Identify zero-day threats and update security patches : An epitome of the constantly changing nature of cybersecurity threats is the phenomenon of the zero-day threat. Any previously unknown threat would fall under this classification. An example of this is ransomware attacks.
8. Double layer security : Defend your network behind your firewall – and make sure you can block rogue access. You don’t want the cleaning company plugging in a laptop at midnight.

9. Educate all employees : Employees often wear many hats at medium sized organisation, making it essential that all employees accessing the network be trained on your company’s network cyber security best practices and security policies.

10. Engage a third party for “white-hat” external and internal vulnerability scanning tests : The sheer magnitude and complexity involved in information security virtually ensures that some potential vulnerability will go undetected by the firm. It is therefore a solid practice for the firm, at least annually, to engage a third-party “white-hat” (i.e., good guy) hacking firm to conduct a vulnerability scan.

11. Explore and document previous hacking events : One of the best indicators of information security weakness is that the firm has had information security, or hacking, events in the past. The circumstances regarding the nature of previous hacking events must be explored and documented.

12. Hardware and Software Updates : Small businesses may not have the bustling bullpens that their large conglomerate competitors have, but they do utilize the same components regularly (i.e. desktop and laptop computers, mobile devices, etc.). Just like the large conglomerate companies, medium sized organisation need to cover their bases and keep their hardware and software updated.

13. Limit Access : Reducing risks in a small business also means limiting access for unauthorized personnel to company computers and accounts. Even a trusted employee shouldn’t be allowed to access computers and information that they are normally unauthorized to use.

14. Physical Planning Procedures : Start and end your day as a small business owner by physically checking your property’s perimeter. This will help you develop a heightened sense of awareness towards what’s normal and what isn’t.

15. Use multifactor identification : Regardless of your preparation, an employee will likely make a security mistake that can compromise your data.Using employees’ cell numbers as a second form, since it is unlikely a thief will have both the PIN and the password is good a approach.

16. Implement controls for data loss : If a hacker gains access to your organization’s system, the hacker will then attempt to exfiltrate data assets. The intrusion detection system (IDS), intrusion prevention system (IPS), firewall, and other tools used by the firm should be configured to monitor all outbound Internet traffic.

17. Automated Controls : All small and medium businesses battle against lack of time and resources. They are far better off running and monitoring solutions that offer automated controls in addition to threat identification and real time response. Should something fall outside a set of established restrictions, your solution should automatically take action before the damage is done.

18. Treat Your Security Program Guide as a “Living Document” : The thing about cybersecurity is that it is constantly evolving as the threats businesses face change. Cybercriminals are endlessly creating new attack methods and tools to try and compromise your company’s data. So, your cybersecurity program should never be considered a “one and done” solution.

19. Building an IT Security Team : Any successful cybersecurity program will need personnel to implement and oversee it. This is where building an IT security team becomes necessary.

20. Don’t neglect regulatory requirements : You need to create a security program that fits your cybersecurity profile, but you also need to be mindful of regulatory requirements. Try to strike a balance between the two.

Summary
The most important things to do when setting up a new information security program are set out your objectives and a clear strategy, then use existing frameworks as building blocks. Make sure that you cover both regulatory requirements and the needs of the business.