If you still haven’t found a reason to seriously consider writing or re-writing your organization’s information security policy, listen to this terrifying statistic. According to the Ponemon Institute, a whopping 43% of companies have experienced a data breach within the last year. The independent institute that does research on data protection and information security also found that the number of incidents is up 10% from last year. While the implementation of data security measures is on the rise, the Ponemon Institute found that 27% of companies didn’t have a plan or team in place in the case of a data breach. What is more, among those who did have such a plan in place, only 30% believed that their policy would be “effective or very effective” in such an emergency.
So whether your organization has yet to implement an information security plan, or has one that has been collecting dust for three years, here are a couple of steps to take to improve upon or make a start on your information security plan.
- Look Beyond IT: Too often, information security is framed in an overly technical light. While the technical aspect is critical, it is not the only context needed to fully understand which information is most vulnerable. By shifting the emphasis to business processes, you create a broader perspective that allows the security team to understand how information moves throughout the organization, which helps them to make decisions about which security controls would be most effective.
- Document Business Processes: A full understanding of business processes requires documentation. Process documentation has to be a collaborative effort between the personnel and the security team, because each side sees only half the picture: the business value of the information is lost on the security team, while the potential threat does not register as strongly with the owner of the business information. Additionally, documentation will play a major role as your information security plan matures. Evidence-based controls assurance is increasingly becoming a required competency for security teams. What is more, proper process documentation will ensure that audits are more efficient and less disruptive to your organization.
- Reduce Complexity Through Automation: The most successful information security plans are those that can be executed. For that reason, it is crucial to ensure that it is simple for everyone to follow the instructions for securing their data. Automation goes a long way towards reducing complexity. For example, it is easier on your organization if you have a central policy engine that decides whether an email needs encryption, so that all the user has to do is press send.
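To make the "central policy engine" idea concrete, here is an added illustration (not code from the original post, and not any vendor's product) of how such an engine can take the encryption decision out of the user's hands. The domains, sensitivity labels, content patterns and rule set below are constructed assumptions for the example; a real deployment would draw them from the organization's data classification and DLP configuration.

```python
"""Minimal central email policy engine (added illustration).

The sender just presses send; this engine decides whether the message must be
encrypted and records why, so the decision is auditable. All domains, labels,
patterns and rules are constructed assumptions for the example.
"""
import re
from dataclasses import dataclass, field

# Assumption: the organization's own mail domains and vetted partner domains.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_PARTNER_DOMAINS = {"partner.example.net"}

# Assumption: classification labels that require protection when leaving the org.
SENSITIVE_LABELS = {"confidential", "restricted"}

# Constructed stand-ins for a DLP rule set: crude card-number and SSN-like shapes.
SENSITIVE_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str
    label: str = "internal"          # classification label set by the mail client
    attachments: list = field(default_factory=list)


@dataclass
class Decision:
    encrypt: bool
    reasons: list                    # one entry per rule that fired, for the audit log


def _domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate(email):
    """Apply the policy rules and return a Decision.

    Rules (constructed for this example):
      1. 'restricted' mail is always encrypted, even internally.
      2. Other sensitive labels are encrypted when any recipient is external.
      3. Sensitive content patterns trigger encryption when going external.
      4. Attachments to external domains that are not trusted partners are encrypted.
    """
    reasons = []
    external = [r for r in email.recipients if _domain(r) not in INTERNAL_DOMAINS]
    untrusted = [r for r in external if _domain(r) not in TRUSTED_PARTNER_DOMAINS]
    label = email.label.lower()

    if label == "restricted":
        reasons.append("label:restricted")
    elif label in SENSITIVE_LABELS and external:
        reasons.append(f"label:{label}:external-recipient")

    if external:
        for name, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(email.subject) or pattern.search(email.body):
                reasons.append(f"content:{name}")

    if untrusted and email.attachments:
        reasons.append("attachment:untrusted-domain")

    return Decision(encrypt=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    # Constructed sample message: unlabeled mail carrying an SSN-like value to an outsider.
    msg = Email("alice@example.com", ["bob@outside.example.org"],
                "Onboarding details", "Applicant ID 123-45-6789, please process.")
    decision = evaluate(msg)
    print("encrypt" if decision.encrypt else "send in clear", decision.reasons)
```

The point of returning `reasons` rather than a bare boolean is that the same engine feeds both the mail gateway (act on `encrypt`) and the audit trail (record which rule fired), which is exactly the evidence-based controls assurance the next point asks for.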
- Don’t Forget Internal Threats: While organizations certainly need to protect themselves and their information from external threats, company policy also needs to reflect the reality that internal threats can be as large as external ones. Damage can be done by personnel both consciously and unconsciously, so security measures and training programs need to be implemented to mitigate that risk. It is important to remember that workforce adoption of the security measures is critical, because an information security policy is only as strong as its weakest link.
Does your organization already have an information security plan in place? Have you ever weathered a serious data breach?