The single largest reason for breaches of information security is negligence by staff, according to a survey by Ponemon in 2010. Unauthorised use of software by employees accounts for over half of all information security incidents identified, according to 70 per cent of IT professionals in a recent Cisco survey.
Statistics like these are becoming commonplace and, while technological controls have a very important role, it is becoming very clear that the difference between good data security and great data security is all about human behaviour.
So the data security challenge for business today is how to build a management infrastructure that defines, educates, measures and delivers the behaviours that lead to great data security.
So what do we need, who needs to get involved and how? A seven-step plan can take you from an information security structure that makes headlines for the wrong reasons towards one that gets attention for the right reasons.
How to introduce and maintain an information security management structure
Step 1 - Find an executive sponsor
Without a suitable sponsor the project will fail. It probably won’t even get off the ground. The importance of an executive sponsor cannot be overstated; a suitable sponsor will:
• Take responsibility for data security.
• Define the objectives of the programme.
• Provide authority for the programme.
• Promote and raise the profile of the programme.
• Find the resources required.
• Create the team and allocate responsibilities.
Engage a suitable sponsor and define the basic scope of the programme as your critical first step.
Step 2 - Build a risk team
Good security cannot happen without properly understanding the risks the security is trying to mitigate. Therefore risk assessment is the most important basic building block of any information security programme. If your business is already pursuing ISO27001 or DMA DataSeal, it will be benefitting from understanding and measuring the risks around your data processes in a structured way.
A small team of representatives from those areas that understand the movement of data through the organisation should meet on a periodic basis. Their brief should include documenting all the possible risks to data security and identifying what controls are required and in what priority. The team should use a simple, repeatable method for risk assessment, and the resulting assessment should be reviewed and signed off by senior management.
Importantly, the team should also meet after any significant breach or change in circumstances and update the assessment appropriately. Once the risks are well understood it should be possible to create a plan to deal with them.
Step 3 - Define the rules
Policies are the way a business implements the required rules for information security within the organisation. All too often, policies are produced which are seen as nothing but bureaucratic irrelevancies – this is a wasted opportunity. A well thought-out, clearly presented policy is the perfect tool for implementing real data security.
It’s common for both data security and acceptable use policies to be the primary method of communicating acceptable data security rules to employees. But this will only work when the policies:
• Are clear and easy to understand;
• Work with existing processes and don’t “get in the way” of getting work done;
• Address the requirements of the risk assessment.
These policies need to be revised and updated periodically to ensure they continue to meet the security objectives of the organisation. Once created, these policies will only work if employees understand their obligations fully.
Step 4 - Educate and re-educate
Failing to train staff adequately in their data security obligations is, unfortunately, commonplace. It seems a poor use of resources to evaluate risk, create and distribute policy only to fail to explain thoroughly the purpose and detail of that policy to those who are to implement it.
Training is another essential management tool for data security. Good training will start with induction, be repeated at regular, appropriate intervals and will finish with reminding leavers about their continuing obligations.
Great training will communicate why data security is important and will demonstrate why it is in the interests of all staff involved for it to be right. Great training will be tailored for specific roles so it is relevant to those receiving it – one size rarely fits all. Training should be recorded and updated along with policy and risk. Getting the HR department on-side with data security is essential.
Step 5 - Ensure that breaking the rules has consequences
Breaches are inevitable: even the best security programme can only mitigate risks to acceptable levels, never remove risks entirely. When a breach happens, the priority will be coping with the immediate consequences. In the longer term, the organisation can also benefit by ensuring that a disciplinary process is followed, if appropriate.
Ensuring that disciplinary action is undertaken is important to maintain the credibility of the programme. Breaking the rules must have consequences, otherwise the programme will quickly fall into disrepute and fail. In addition to disciplinary action, the team may also need to learn from the breach and update the risk assessment, policies and training.
Step 6 - Check it all works and do it again
Good information security is an iterative process. This means that the security organisation has to be concerned with a cycle of activity – normally this would be described as a Plan-Do-Check-Act (PDCA) cycle, a commonly referred-to four-step problem-solving process typically used in business process improvement.
This really means that responsibility must be given to suitable individuals to check and monitor that security controls are being used, and that they deliver what is needed. Simply giving the rules alone is not enough - engaging the team in checking will increase adherence to these rules. The old management adage that “you get what you measure” is just as true for data security as for any other discipline.
Step 7 - Engage the experts
Only the largest of organisations are likely to have the in-depth skills on hand to manage all the aspects of building a strong data security programme.
The most basic way of getting benefit from the expert community is by keeping tabs on the latest tips, techniques, news and views in the media – this by itself can have a dramatic impact on effectiveness, with many fundamental security concepts being easily absorbed and incorporated into company policies.
Engaging directly with external training and information security consultants should help speed up implementation of the security programme (leaving key staff with more time for their core duties). Additionally, a properly experienced data security practitioner will also be able to increase the effectiveness of the resulting security programme, ultimately leading to fewer breaches and greater customer confidence.