Information Security is a taboo subject for many businesses. Business owners realize the importance of protecting their data (and consequently their customers' data) but believe they are too busy to implement a robust Information Security Framework. They simply do not know where to start or how much detail they need to consider. It may seem like a lot of work when the main focus is bringing in revenue, but the security of your data cannot be an afterthought.
Many companies now have Information Security standards built into their procurement policies and will demand that you successfully pass an audit before they will contract with you. Wise investors will want to understand the risk they are taking with their investment before releasing their funds. An Information Security framework is not something you can put in place retrospectively, because an audit requires evidence that the controls were in operation over time, not just on the day of the review. When ignored, the lack of an Information Security framework can have a direct impact on revenue and/or investment.
So why do so many business owners still shy away from this topic? Because they see it as a huge task that they do not have time for, and they certainly don't want issues brought to their attention that they can later be accused of ignoring.
But the truth is there are 5 very simple steps any business can follow that will put in place the foundations of a solid Information Security Framework and set them up for future audit compliance.
1. Assign responsibility – This may seem obvious, but most organizations (even some large ones) don't publish a clear statement about who is responsible for Information Security within the organization. By default it falls to the CTO or IT Director, when in reality IT Security is only a subset of what is required for an effective Information Security policy (physical security, vendor management, HR onboarding and offboarding, and incident handling all belong to it too). Simply publishing a document, such as an Information Security Charter, that clearly spells out who is responsible for implementing Information Security policies within the company is a significant step. Indeed some regulations require it: the HIPAA Security Rule, for example, requires a covered entity to designate a security official responsible for its security policies and procedures.
2. Publish a policy even if it's only 1 paragraph – An Information Security framework is made up of a collection of policies and procedures. But a framework is not implemented in one fell swoop; rather, it is built up over a period of time. The difference between small organizations and larger ones should not be that one has policies and the other doesn't. It is only the level of detail in the policies that should vary, with more being added as an organization matures. Start by setting simple policy statements such as "all computers must be password protected" and then, over time, add details such as minimum password length, whether multi-factor authentication is required, and when a password must be changed (current NIST guidance in SP 800-63B favors length and screening against known-breached passwords over forced periodic rotation, so a policy should require a change when compromise is suspected rather than on a fixed calendar). You will be amazed how quickly your framework develops with just a little maintenance.
3. Set up a single place to store policy documents – Once documents are published and sent out, it is easy to forget about them and even easier for employees to ignore them. Make sure you store the documents in a prominent, access-controlled location (a shared wiki, intranet page, or document repository) that makes it easy for employees to find the current version and that keeps a history of changes, since an auditor will want to see when each policy was approved and last reviewed. This will encourage you to keep them up to date and mean employees are more likely to review them.
4. Training & Education – Training employees on policies and keeping them up to date with the latest threats does not have to be hard. Sign up to monthly newsletters such as SANS' OUCH!, which covers a different topic every month, and share it with your employees. At the end of the year, use these plus your latest policies, and repeat some common favorites from previous training sessions, to produce your training material. Keep a record of who attended and when; attendance logs are one of the first things an auditor asks for.
5. Compliance – Policies need to be followed, and employees must understand that their responsibilities go beyond attending security training and acknowledging the occasional policy document. Create a culture of compliance in the workplace by using calendar reminders or scheduled tasks to remind yourself and others of key activities such as reviewing access lists and removing accounts, group memberships, and shared credentials that are no longer needed. If your company has a ticketing system, schedule recurring tickets so that the assignee has to close the ticket with an acknowledgment that the task was completed, ideally noting what was reviewed and what was changed. This not only keeps security front of mind, but also provides you with auditable evidence that policies are being followed.
It's as simple as that. Now go ahead and take that Risk Assessment, knowing you are on your way towards compliance.
For more information about taking a High Level Information Security Risk Assessment contact us at firstname.lastname@example.org.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at email@example.com.
Avoiding the Hidden Pitfalls of Security Audits
In this webinar, see the 5 most common pitfalls of security audits and learn how you can avoid them with the power of MyVCM CrossWalk Assessments.