Keep it simple!
Although information security is a complex subject, the system that you implement needs to be straightforward and uncomplicated, otherwise it will be difficult to manage and staff will find it difficult to use.
Don’t try to build the system all in one go. Start by defining and documenting the most critical information security controls, as identified by a Risk Assessment, and get those working. Continually check that these controls are effective (e.g. through measurement and audit) in parallel with building the remainder of the system.
Start with a Risk Assessment, rather than Best Practice documentation
There is plenty of best practice documentation available from which you can develop generic information security policies and procedures. In particular, ISO 27002, the Code of Practice which accompanies the ISO 27001 standard, contains more than a hundred pages of detailed guidance.
Rather than getting bogged down in the guidance material, start by conducting a Risk Assessment. You will have to do this anyway – all the Standards (e.g. ISO 27001, Government Security Policy Framework, PCI DSS) require it – and the advantage of starting with the Risk Assessment is that it will identify the specific security problems within your organisation and the controls which are needed to address those problems.
Having done the Risk Assessment you can then refer to the best practice material as a potential source of solutions to the problems which the Risk Assessment has identified.
Gain, and show, management commitment
Implementing an information security management system is likely to require some changes in behaviour for all staff. For example, new rules and ways of working may appear onerous to staff. Some investment may be needed in people’s time, and probably technology.
To achieve that change in behaviour leadership is needed from the top – by Board members and other senior managers continuously demonstrating their commitment to the changes.
Top managers and directors also need to set an example by making sure that they abide by the security rules themselves!
Keep the policies and procedures concise!
The Management System needs to be easy to use, for obvious reasons. So the policies and procedures which it contains should be concise, definitive, specific and to the point.
Avoid vague statements such as ‘where appropriate’ and ‘as far as possible’, and avoid words like ‘should’ where a firm requirement is intended.
If you follow the advice in our secret ‘Start with a Risk Assessment, rather than Best Practice documentation’, this problem takes care of itself.
Inevitably, the best practice documentation is generic and non-specific. This must be customised for each organisation. If you design your system based on a Risk Assessment, then this problem solves itself, because the risk assessment will identify the problems you are trying to solve and the solutions which need to be documented within your policies and procedures.
Gain staff engagement
Security management depends on people. The vast majority of security breaches are caused by people, rather than technology. So it is crucial to gain the engagement of all staff within the organisation. The ultimate aim must be that security becomes part of the organisation’s culture – ingrained in the way in which people work.
A programme is needed to raise awareness of information security and its importance. Consider appointing ‘champions’ within each business function and use them to emphasise the importance of security, gain buy-in from staff and escalate issues to senior management as necessary.
The key question to be answered is ‘why?’ Staff generally expect to be told the reasons they have to work in a particular way. Use the results of the risk assessment to provide the answers.
Put metrics in place
The adage “If you can’t measure it, you can’t manage it” applies to information security. In the same way that metrics can be put in place to measure financial performance, customer service, product quality etc., they should also be established to measure whether information security is being managed effectively.
The risk assessment identifies the most critical security risks, together with the controls designed to mitigate those risks. A measure, or metric, should be introduced for each in order to determine whether those controls are effective. These should be reported regularly (weekly, monthly) so that you have visibility of how the management system is working and, as a consequence, information security can be actively managed – enabling you to identify and deal with any problem before it results in a serious security breach.
ISO 27001 is the international standard for information security management and many organisations have adopted it.
There are considerable benefits in taking the extra step of obtaining certification against the standard – by inviting a certification body, such as BSI, LRQA, Bureau Veritas etc., to assess the system periodically, confirm that it complies with the standard and issue a certificate accordingly.
As well as providing assurance to customers that the information security management system meets the requirements of the standard, certification also provides assurance to other stakeholders (staff, shareholders, suppliers) that information security is under good control.
If an organisation has decided to comply with ISO 27001, then the marginal costs of gaining certification are not significant, and the benefits are considerable!
Get the improvement cycle working as early as possible
The ISO 27001 standard is based on the Plan-Do-Check-Act (PDCA) cycle. This was originally pioneered by the American quality management guru W. Edwards Deming, and is now incorporated in all the main international management system standards (ISO 9001, ISO 27001, ISO 14001 etc.).
It can be interpreted as follows:
- Plan: develop policies and procedures
- Do: operate the system; apply the policies and procedures
- Check: verify whether the policies and procedures are being applied and are effective
- Act: review the results and apply corrective/preventive action as appropriate.
Many management systems projects tend to get stuck in the planning stage. The development work takes longer than expected, and many procedures don’t get beyond the ‘draft’ stage. And because the system isn’t complete it doesn’t get used. Procedures become out of date, and we’re back at square one.
The secret is to concentrate first on those parts of the system which deliver the greatest benefit. The information security Risk Assessment will tell us what these are. Those should be developed and implemented first, with metrics/measures introduced to check whether they are effective – and corrective action taken if necessary.
Once the cycle is working, people will appreciate its value and the remaining components of the system can be added in progressively.
Make sure responsibilities are clear
How do you decide who is responsible for information security?
Everyone is responsible for information security in the sense that all members of the organisation have a duty and responsibility for protecting the information that they are working with, and individual line managers are accountable for the actions of those who report to them. So ultimately the Chief Executive holds responsibility for information security within the organisation.
The way to delegate responsibility for how security is to be managed (what controls need to be implemented) is through the owners of the various information assets. For example, building security (registration of visitors, identity badges to be worn, use of CCTV etc.) should be the responsibility of the owner of the building assets, typically the Facilities Manager. Protection of hardware (e.g. laptop PCs) should be the responsibility of the IT Manager as the owner of IT-related assets. However, decisions about what data can be stored on the laptop, and how that data is protected, should be made by the data owner, i.e. a business representative.
Part of the risk assessment process is to identify the information assets and to assign ownership, so that responsibility for determining the controls to mitigate each risk can be clearly identified. Finally, the organisation should appoint an overall Information Security Manager to take responsibility for integrating all the various controls into a management system.