Strategy for information security

This year has seen a spate of news about information vulnerabilities, reports of hacking and the different responses that companies have employed when dealing with a breach. Since it is clear that even the largest companies are not invulnerable, how can a company practically protect its own information, or that of its clients?

Can you be confident that your information – and your clients' – is secure?

The reality is that while a lot of the responsibility lies with the IT function to provide technological barriers, there is little guidance on how to establish a strategy for information security and corporate policies that can be easily justified to your staff and clients, or explained to external regulatory bodies. Without a structured means of establishing a set of policy guidelines, you cannot be confident of the security you have, and you will not be able to justify your security policies.

Develop a comprehensive strategy for information security in a workshop

Running a one-day information security strategy workshop with your staff can help ensure that you have appropriate and effective policies in place to maximise the security of your information.

Benefits

  • Improve confidence in information security – by undertaking a structured process to examine likely threats to information security, you can improve confidence that the policies put in place will be effective.
  • Demonstrate best practice – security of information is increasingly important to your clients; by using a structured methodology you can demonstrate your leadership to others.
  • Gain buy-in from colleagues – security controls can be seen as a barrier to getting work done; by involving people in the process of developing the policies, they will understand the reasons behind them and provide increased support.
  • Awareness – one of the most effective methods of increasing information security is to make people more aware of the issues. The workshop format, involving a cross-section of people in the company, will dramatically increase awareness and understanding.
  • Increase application – the workshop will foster support for, and application of, the controls you put in place.
  • Security challenge – if you are challenged over a security incident, the risk assessment work already done can form the basis of the investigation: finding out which controls failed and why, or identifying hazards that were not considered, so that the policy can be updated to improve protection in the future, or to show that no breach occurred from your organisation.

Risk management

Risk assessment is a business process that can be used to justify and prioritise action. A risk assessment of a business process or activity starts by examining the things that can go wrong – the hazards. For each hazard identified, a likelihood (how likely is the hazard to occur) and a consequence (what happens if the hazard occurs) are assigned.

The combination of likelihood and consequence is the “risk” – usually expressed as a simple scale such as Low, Medium, High and Extreme.

The risk assessment then proceeds by examining the mitigating actions that can be used to prevent hazards occurring (or reduce their likelihood), or actions that can be used to reduce the consequences should the hazard occur.

The mitigating actions are implemented, the activity is monitored, and the risk assessment is reviewed regularly to ensure it remains effective.

Risk management, long used in the financial industry and as a means of ensuring safe working practices, for example on a construction site (see the Health and Safety Executive for an example), can be used very effectively to establish an information security strategy and policy.
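As an added illustration of the process described above (example code, not part of the Sauve Solutions workshop material), the register below scores each hazard on a constructed 1 to 4 scale for likelihood and consequence, looks up the Low/Medium/High/Extreme rating in an assumed 4x4 matrix, and re-scores after mitigations so that residual risk drives the priority of the review. The information types, hazards and controls are invented sample data.

```python
from dataclasses import dataclass, field

# Constructed 4x4 matrix: rows = likelihood 1..4, columns = consequence 1..4.
# The page gives the scale Low, Medium, High, Extreme; cell values are assumed.
RISK_MATRIX = [
    ["Low",    "Low",    "Medium",  "High"],
    ["Low",    "Medium", "High",    "High"],
    ["Medium", "High",   "High",    "Extreme"],
    ["High",   "High",   "Extreme", "Extreme"],
]
RANK = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}

def risk_level(likelihood: int, consequence: int) -> str:
    """Combine a likelihood and a consequence score into a risk rating."""
    if not (1 <= likelihood <= 4 and 1 <= consequence <= 4):
        raise ValueError("scores must be in the range 1..4")
    return RISK_MATRIX[likelihood - 1][consequence - 1]

@dataclass
class Mitigation:
    action: str
    likelihood_reduction: int = 0   # preventive control: hazard less likely
    consequence_reduction: int = 0  # containment: less damage if it occurs

@dataclass
class Hazard:
    info_type: str
    description: str
    likelihood: int
    consequence: int
    mitigations: list = field(default_factory=list)

    def inherent_risk(self) -> str:
        return risk_level(self.likelihood, self.consequence)
    def residual_risk(self) -> str:
        # Mitigations pull the scores down, but never below the floor of 1.
        lik = max(1, self.likelihood - sum(m.likelihood_reduction for m in self.mitigations))
        con = max(1, self.consequence - sum(m.consequence_reduction for m in self.mitigations))
        return risk_level(lik, con)

def prioritise(hazards: list) -> list:
    """Order hazards by residual risk, highest first, for the policy review."""
    return sorted(hazards, key=lambda h: RANK[h.residual_risk()], reverse=True)

# Constructed sample register for a hypothetical client-contracts process.
REGISTER = [
    Hazard("Client contracts", "Laptop holding unencrypted copies is lost", 3, 4,
           [Mitigation("Full-disk encryption", consequence_reduction=2),
            Mitigation("Keep copies on the managed share only", likelihood_reduction=1)]),
    Hazard("Client contracts", "Contract emailed to the wrong recipient", 4, 3,
           [Mitigation("External-recipient confirmation prompt", likelihood_reduction=1)]),
    Hazard("Marketing brochures", "Public brochure defaced on website", 2, 1),
]
```

Comparing `inherent_risk()` with `residual_risk()` for each entry shows which hazards still sit at High or Extreme after the planned controls and therefore need further policy work.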

Approach

The workshop is normally run over one day. Sauve Solutions works with a small team of your staff and applies the risk approach to the different types of information your company manages in order to develop a strategy for information security. The workshop starts with a short session explaining the risk management approach, to ensure that everyone has a common understanding of the tool before progressing to the specifics of your business and the information it holds.

Based on this structured assessment, the day will produce a framework that can be applied in your business as a means of establishing and explaining policy.

Typical outline of workshop

Description                          Duration
Introductions                        15 minutes
The risk assessment process          1 hour 30 minutes
Information types                    30 minutes
Hazard identification                1 hour
Risk assessment                      2 hours
Mitigations and policy development   2 hours

Depending on the type and size of the organisation, more time may be required; this will, however, depend on the number of information types that are considered. The scope can be effectively controlled by focusing on a department with a smaller number of information types.

Who should attend

To ensure the workshop is effective, the attendees should be drawn from across the different business areas; a maximum of 10 is considered appropriate. Representatives from Business Development, Sales, Manufacturing, Service Delivery, Legal and IT should attend, which will help ensure that the findings represent the wider business. Those attending can then be nominated as champions for information security when returning to their normal day-to-day work.