Tuesday, 30 July 2013

What are the Corporate Implications of IT Security Policies?


It's fairly easy to declare an information security policy such as "information is a valuable asset and must be protected by all personnel"; but what are the implications of such a policy for your company?

For starters it means people must recognize that information is a company asset and has value, that it includes electronic and physical information as well as the spoken word, that it must be protected from unauthorized disclosure, and that no one is exempt (including the CEO and the board).

This then implies that people have to treat information according to its sensitivity, which means handling guidelines are required. To treat it accordingly they'll have to know its sensitivity, which requires that the assets be labelled, which in turn calls for a classification standard and labelling procedures (how will paper vs. a USB stick be labelled?).

Will you use security levels such as public use, internal use only, confidential, and restricted?

Throughout the life cycle of the information, will its classification level change? If so, what processes are required to ensure this happens? Now you have to teach all of this (the policy, standard, guideline, and procedures) to everyone. What will be needed in the awareness and education packages? Who will get what level of training? Not everyone needs the same amount of detail: what types of employees do we have, and are some folks grandfathered in?

Who's going to make sure all of this happens, and who is responsible for ensuring the policy gets implemented? Is a chief information security officer (CISO) needed? Regular audits will be required to ensure understanding of, and adherence to, the policy!

But hold on ... what about the criticality of the information (its integrity and availability requirements)? What we've been talking about so far relates to the sensitivity of the information. What classification structure is required for integrity and availability levels? How will IS systems and processes meet criticality needs?

What are the proper handling methods to use, the proper systems to implement, and the proper processes to develop? Well, you're going to have to use risk management procedures consisting of: identifying the categories of information used, identifying all information assets, identifying the asset owners and users, and then ensuring proper protection for sensitivity and criticality by using threat-risk assessments that drive the security controls.

The most important requirement is ensuring that you keep this information security program on track and that it meets company objectives. This means you will have to define a strategy that lays out a multi-year road map to a successful conclusion. Measuring success requires a list of objectives along with defined measurements for each objective: objectives plus measurements equals metrics. At the end of all this you'll be able to ensure the right people get the right information at the right time for the right reason!

Author: Donald Johnston
Source: Link

1 comment:

  1. Thank you. I used to work for IMB and this is so true.