“Structure is the recipe for success”
When preparing the journey to the cloud, information security work must be carried out in a structured manner. Practically speaking, there is no difference between the small firm on the corner that delivers locally and the large multinational company with operations in several countries and on several continents in a global market. Everyone has to handle information responsibly, but how they actually do so will differ. How then do I get to this structured world, and how is it maintained?
“You quite simply have to decide to work with information security in a structured way”
It is rarely a matter of switching from a situation without any protection mechanisms in place to structured work methods. Most companies already have several different kinds of mechanisms to protect information, for example antivirus software, an information policy, password-protected screensavers, locks on doors and windows, alarm systems, manned reception desks, etc. What actually triggers a decision to work in more structured ways varies widely. Regardless of the reason, and regardless of which security mechanisms are already in place, one needs to decide to begin.
“An information security management system (ISMS) is central”
When the decision to begin has been taken and a methodology is being chosen, I recommend that you have a look at the global information security standard ISO 27001, which among other things prescribes an information security management system (ISMS).
The figure above illustrates a management system structure that describes the two overarching elements that must be present in an organisation’s information security work.
- The central responsibility, which among other things involves defining and deciding what is to be protected, on the basis of an analysis of business requirements, and which requirements the various parts of the organisation are to comply with.
- The distributed responsibility in the various parts of the business, which among other things involves evaluating what information is worth protecting in their specific field or area, performing a risk analysis, developing and implementing the protection mechanisms, and reporting back on status.
When the journey towards a structured way of working begins, it is often a matter of creating the mechanisms needed to establish the central responsibility.
“Documented and repeated support is needed from top management”
When embarking on the road towards a structured way of working, it is essential to involve top management and the board. Both I and the standard recommend that a mandate be secured by means of an information security policy in which the management team’s intentions and formal support for the information security work are clearly stated. The standard lists what the policy needs to contain.
In addition to these, I would like to add a few things that also need to be considered:
- The document should be no longer than 5 pages, preferably fewer
- The document should be readable and understandable by everyone in the organisation. Have the marketing or communications department check the language, tone and structure
- The document must explain why the work is important for the organisation’s business, customers or members, and how important it is that everyone contribute
- The document must not be written and owned by the IT department.
“The risk and vulnerability analysis is the heart that keeps the wheels turning”
To keep the information security work alive, some kind of pump is needed at the centre. In an ISMS, the risk and vulnerability analysis (3. Analyse) is that heart. It is in this process that the centrally defined requirements are translated into security controls. The steps involved in the risk and vulnerability analysis are shown below.
Regardless of the size of the organisation, a common structure and methodology for the risk and vulnerability analysis work are needed in order to follow up the risk level at different levels in the organisation.
“Measurement is a precondition for improvement”
If the risk and vulnerability analysis is the heart of the management system, then monitoring and measurement of the controls and processes (5. Monitor) is what brings in new oxygen. Measurement at several different levels of the information security work provides a basis for change and improvement proposals. Measurement and change are necessary to keep security at the right level.
“How do I begin my journey towards a more structured way of working?”
This depends a little on where you are at present. Ways forward might include:
- If you have definitely decided to begin your journey towards a more structured way of working, my advice is to secure support and a mandate from top management. Draw up an information security policy.
- If you already have an ISMS, an information security policy and/or a risk and vulnerability analysis method in place, I recommend that you implement information security measurement and establish a benchmark against similar companies to take the temperature of your security efforts.
- If you are genuinely uncertain about what to do, I recommend you contact an information security advisor and arrange a workshop with your CEO, business owner, legal advisor, security manager, IT manager and marketing manager to determine the value of your company/organisation working with information security in a structured manner.
To end with, a tip for finding good Swedish sources of support and inspiration when drawing up an information security policy: search for “Informationssäkerhetspolicy”. Many public-sector bodies in Sweden in particular have made their policies available on the web.
Please get in touch if you have any thoughts on the subject. My colleagues and I are happy to take part in a discussion on how your organisation can not only survive but also be one of the winners in our new digitalised world.
Advisor in the field of business continuity, information security and security awareness, Enfo Zipper.