Sign up to our newsletter
When talking about the types of information security issues that companies have to deal with, there are so many areas to look at that, at times, it can seem difficult to know where to start.
While there are specific standards that can be used as a guide for those starting out in the world of corporate security, there are three fundamental elements that must not be overlooked and which we can summarize as three simple steps that make up the ABC of information security.
The starting point seems obvious: trying to ensure the security of information assets. However, such an obvious thing can turn into a massive headache if it is not done in a way that is focused on the business. Having antivirus, a firewall, IDS, redundant servers and backup solutions are some of the main options on the menu, but it’s important to consider how everything fundamental to security can be aligned to help fulfill the company’s business goals.
It may be the case that convincing senior management to invest a considerable sum of money in order to comply with all the ISO 27001 controls will turn out to be a mammoth task—even bigger than implementing a security project. But once we understand that having a firewall that blocks internet traffic, or a policy that prevents USB devices from being connected to computers, could become an obstacle to the company’s operations, we are on the right track toward stopping the information security department from being seen as public enemy number one within the company.
Any change must be in keeping with the risk level acceptable to the operations departments.
Once you have taken the most obvious and most complicated step, which is to implement security technology and processes that support the business, it is essential to keep all the work that has already been done up to date. Just as the information security department must take care to ensure its implementations are aligned with the company’s goals, it is important for senior management to understand that this is not a short-term project, but one that needs to become a cycle of continuous improvement.
So, each new change should be made by taking a phased approach, so that it is possible to identify any problems and find solutions, to prevent them from impacting on the whole business. Starting with more experienced users can be a good way to gain feedback and improve the user experience for all employees. It is not sufficient to ensure that controls function well enough technically; it is necessary to verify that they are not a burden on employees or processes.
Perhaps one of the most critical issues for information security management to be successful is testing, which needs to be done on all plans prior to implementation, especially those relating to business continuity. With backup solutions, for example, it is common for companies not to test that their recovery is successful until an incident occurs, and in some cases, it turns out that they don’t work.
All the time and work invested in the above steps could be lost if the human factor is not taken into consideration. For this reason, it is vital to have adequate change management, since implementing new policies, processes and technology can often generate a certain degree of resistance among users.
The company should make adjustments with their employees in mind, training them so that they gain the skills they need to manage these processes and technologies, and this way, their activities can be kept appropriate to the new needs of the organization as its challenges change over time.
For example, if encryption technology is adopted, the company should not only implement the policy, but also present and explain the benefits it offers, or in the case of implementing two-factor authentication, which tends to be annoying or inconvenient for some users, it should also present the benefits and opportunities for protecting personal information.
Unfortunately, user education is an aspect of information security that tends to get little attention. So, management tasks should be focused on getting all employees to understand what security policies are in place and how to comply with them through correct use of the controls they have available to them. It is important to work toward information security becoming something conscious, so they can remember why it is important and what the consequences of failing to comply with the established processes are.
Clearly, behind each of these items, there is a huge quantity of material to be read, policies to be written, and implementations to be developed. So a formula of just three steps for implementing information security at a company might not actually exist, but by remembering this ABC, the task becomes more manageable. Additionally, it can help with making a start or refocusing efforts in relation to information security.
Picture credits: ©fotolia/nata777_7
Author Camilo Gutiérrez Amaya, ESET