The importance of Information Governance Policy for an organisation

Cyber security was one of the most discussed subjects of 2017, owing to the many large-scale attacks that took place. It is also a complex subject, one that often feels like nothing more than a burden and an overhead to organisations.

Given what happened and the associated risks, organisations and executives can no longer ignore this threat and have to take action.

The first action to take should be to review their Information Governance Policy.

“Information Governance is the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” (Logan, 2010)

An IG Policy needs to take into account the laws and regulations that apply, according to the jurisdiction and the industry the company operates in (e.g. FACTA, GDPR, the Data Protection Act, Sarbanes-Oxley, etc.).

Information Governance, consisting of the overarching policies, includes IT security and its policies as well. Information security should preserve the confidentiality, integrity and availability of information (the CIA triad).

There are several recommended frameworks and sets of best practices that can be used, such as the IGRM (Information Governance Reference Model), the ARMA IG Model and COBIT 5.
It is also recommended to read industry standard documentation such as:

  • ISO/IEC 27001:2013 – Information security management systems
  • ISO/IEC 27003 – Implementation guidance
  • ISO/IEC 27014 – Governance of information security

A good Information Governance policy should include:

  • Aims and scope – to whom it applies
  • Objectives
  • Roles and responsibilities
  • Clearly stated consequences of contravention
  • Signed approval and a date

Furthermore, a policy should be easy to read, avoid ambiguity, address the key points and communicate authority.
Each policy should also be reviewed at least yearly.

If you google “IG policy”, plenty of them can be downloaded from different industries, private and public. It will shock you to see how many of them clearly look like a copy-and-paste exercise, where somebody was told to produce a policy document for the sake of ticking a box. It must be just a coincidence that such organisations were also victims of the most vicious hacker attacks.

So my advice is to start from the foundations, before investing large amounts of money in expensive IT security kit and consultancy services: review your own policies and make sure they make sense and that somebody is (really) taking ownership of them.