Saying you’ve done something doesn’t necessarily mean you’ve actually done it. Many data breaches begin with an organisation believing it is secure, until an attacker comes along and shows otherwise.
This is one of the biggest problems facing the cyber security industry. Organisations approach issues reluctantly, putting in place measures that seem adequate but are in fact only, to borrow from information governance expert Andrea Simmons, “skin deep”.
In her book Once more unto the Breach – Managing information security in an uncertain world, Simmons writes that an organisation’s policies are at the heart of the issue. Too often, they are treated as a collection of specific instructions, each written to counter a particular vulnerability, when they should be considered as a whole: a single, coherent expression of how the organisation intends to protect its information.
Treating your policies as a series of connected documents is harder than maintaining them in isolation, because an addition or change to one policy can affect several others. Policy management is therefore an ongoing task that requires continual attention, not a one-off writing exercise.
However, the benefits outweigh the extra effort. For a start, it usually means less documentation, with a handful of policies applying across multiple areas of the business instead of a separate document for every concern. A smaller, consistent set of policies is easier for employees to understand and follow, and easier for you to manage and monitor, and that consistency is what turns policy on paper into security in practice.
Risk assessment and review
From time to time, the need for a new policy will no doubt arise. However, having an intricate ‘suite’ of policies means it’s rarely as simple as tacking on a new instruction.
New policies, or changes to existing ones, must be risk assessed. The assessment should identify which users, business processes and technologies the change affects, and which existing policies it overlaps with or contradicts, and its findings must be documented. You will also need to seek input from legal professionals and the departments the change touches before it is approved.
Learn more about policy management
The advice in this blog is based on an excerpt from our September book of the month: Once more unto the Breach – Managing information security in an uncertain world by Andrea Simmons.
Drawing on her extensive experience as an information governance specialist, Simmons provides practical advice for anyone who wants to learn more about information security management. Her guide covers:
- How to pull a team together and kick-start your project;
- The key activities you should be spearheading to ensure your organisation is secure;
- How to ensure compliance runs throughout the whole organisation, including ideas to keep it alive;
- Physical security issues that can cause you difficulties; and
- The scope of activities expected from you.