Home > Secrets
Secrets of managing information security
Here are nine secrets to managing information security - proven approaches
which we and our clients have used to build and apply effective information
security management systems.
1. Keep it simple!
Although information security is a complex subject, the system that you
implement needs to be straightforward and uncomplicated, otherwise it will
be difficult to manage and staff will find it difficult to use.
Don't try to build the system all in one go. Start by defining and documenting
the most critical information security controls, as identified by a Risk
Assessment, and get those working. Continually check that these controls
are effective (e.g. through measurement and audit) in parallel with building
the remainder of the system.
2. Start with a Risk Assessment, rather
than Best Practice documentation
There is plenty of best practice documentation available from which you
can develop generic information security policies and procedures. In particular,
ISO 27002, the Code of Practice which accompanies the ISO 27001 standard
contains more than a hundred pages of detailed guidance.
Rather than getting bogged down in the guidance material, start by conducting
a Risk Assessment. You will have to do this anyway - all the Standards (e.g.
ISO 27001, Government Security Policy Framework, PCI DSS) require it - and
the advantage of starting with the Risk Assessment is that it will identify
the specific security problems within your organisation and the controls
which are needed to address those problems.
Having done the Risk Assessment you can then refer to the best practice
material as a potential source of solutions to the problems which the Risk
Assessment has identified.
3. Gain and show management commitment
Implementing an information security management system is likely to require
some changes in behaviour for all staff. For example, new rules and ways
of working may appear onerous to staff. Some investment may be needed in
people's time, and probably technology.
To achieve that change in behaviour leadership is needed from the top -
by Board members and other senior managers continuously demonstrating their
commitment to the changes.
Top managers and directors also need to set an example by making sure that
they abide by the security rules themselves!
4. Keep the policies and procedures concise!
The Management System needs to be easy-to-use, for obvious reasons. So the
policies and procedures which it contains should be concise, definitive,
specific and to the point.
Avoid the use of vague statements such as 'where appropriate', 'as far as
possible' and use of words like 'should'.
If you follow the advice in our secret 'start with a Risk Assessment, rather
than Best Practice documentation' this problem takes care of itself.
Inevitably, the best practice documentation is generic and non-specific.
This must be customised for each organisation. If you design your system
based on a Risk Assessment, then this problem solves itself, because the
risk assessment will identify the problems you are trying to solve and the
solutions which need to be documented within your policies and procedures.
5. Gain staff engagement
Security management depends on people. The vast majority of security breaches
are caused by people, rather than technology. So it is crucial to gain the
engagement of all staff within the organisation. The ultimate aim must be
that security becomes part of the organisation's culture - ingrained in
the way in which people work.
A programme is needed to raise awareness of information security and its
importance. Consider appointing ‘champions’ within each business function
and use them to emphasise the importance of security, gain buy-in from staff
and escalate issues to senior management as necessary.
The key question to be answered is ‘why?’ Staff generally expect to be told
the reasons they have to work in a particular way. Use the results of the
risk assessment to provide the answers.
6. Put metrics in place
The adage "If you can't measure it, you can't manage it" applies to information
security. In the same way that metrics can be put in place to measure financial
performance, customer service, product quality etc, they should also be
established to measure whether information security is being managed effectively.
The risk assessment identifies the most critical security risks, together
with the controls designed to mitigate those risks. A measure, or metric,
should be introduced for each in order to determine whether those controls
are effective. These should be reported regularly (weekly, monthly) so that
you have visibility of how the management system is working and, as a consequence,
information security can be actively managed - enabling you to identify
and deal with any problem before it results in a serious security breach.
7. Get certification
ISO 27001 is the international standard for information security management
and many organisations have adopted it.
There are considerable benefits in taking that extra step to obtain certification
against the standard - by inviting a certification body, such as BSI, LRQA,
Bureau Veritas etc, to assess the system periodically, confirm that it complies
with the standard and issue a certificate accordingly.
As well as providing assurance to customers that the information security
management system meets the requirements of the standard, certification
also provides assurance to other stakeholders (staff, shareholders, suppliers)
that information security is under good control.
If an organisation has decided to comply with ISO 27001, then the marginal
costs of gaining certification are not significant, and the benefits are
8. Get the improvement cycle working as
early as possible
The ISO 27001 standard is based on the Plan-Do-Check-Act (PDCA) cycle. This
was originally pioneered by the American quality management guru, W Edwards
Deming, and is now incorporated in all the main international standards
(ISO 9001, ISO 27001, ISO 14001 etc).
It can be interpreted as follows:
- Plan: develop policies and procedures
- Do: operate the system; apply the policies and procedures
- Check: verify whether the policies and procedures are being applied
and are effective
- Act: review the results and apply corrective/preventive action
Many management systems projects tend to get stuck in the planning stage.
The development work takes longer than expected, and many procedures don't
get beyond the ‘draft’ stage. And because the system isn't complete it doesn't
get used. Procedures become out of date, and we're back at square one.
The secret is to concentrate first on those parts of the system which deliver
the greatest benefit. The information security Risk Assessment will tell us
what these are. Those should be developed first, implemented and metrics/measures
introduced to check whether they are effective - and corrective action taken
Once the cycle is working, people will appreciate its value and the remaining
components of the system can be added in progressively.
9. Make sure responsibilities are clear
How do you decide who is responsible for information security?
Everyone is responsible for information security in the sense that all members
of the organisation have a duty and responsibility for protecting the information
that they are working with; and individual line managers are accountable for
the actions of those who report to them. So ultimately the Chief Executive
holds responsibility for information security with the organisation.
The way to delegate responsibility for how
security is to be managed
(what controls need to be implemented) is through the owners of the various
information assets. For example, building security (registration of visitors,
identity badges to be worn, use of CCTV etc) should be the responsibility
of the owner of the building assets, typically the Facilities Manager. Protection
of hardware (e.g. laptop PCs) should be the responsibility of the IT Manager
as the owner of IT-related assets. However decisions about what data can be
stored on the laptop, and the data's protection, should be made by the data
owner i.e. a business representative.
Part of the risk assessment process is to identify the information assets
and to assign ownership so that responsibility for determining the controls
to mitigate all the risks can be clearly identified. Finally, the organisation
should appoint an overall Information Security manager to take responsibility
for integrating all the various controls into a management system.
© Pondergrove Ltdo -o
all rights reserved