Implementing an information security strategy for your organization is a project in itself. Security frameworks help you get started. It is advised to familiarize yourself with some points for attention of the use of those frameworks in advance. That will help you make the right considerations. In this article we will list it for you.
Preface
It is arguably any company’s worst nightmare: hackers stealing your customer data, shutting down your online services or taking your critical IT systems and data hostage. That is not an unjustified fear. In 2020, the Dutch Data Protection Authority received 23,976 reports of data leaks. The number of reports of hacking, malware or phishing incidents has increased by 30% compared to 2019. New reports about cyber-attacks appear in the news every week.
Fortunately, anyone who wants to defend themselves against such attacks does not have to reinvent the wheel. Existing security frameworks such as ISO 27001 and the NIST Cybersecurity Framework can help you shape an information security strategy.
Risk management
Information security is about managing risks. To develop an information security policy, you first map out which information company assets are present in your organization, in physical or digital form. What information is critical to business operations? How are they secured?
You then use a risk analysis to determine which threats endanger the confidentiality, integrity or availability of that information. Where are the greatest vulnerabilities? What are the risks? Are those risks acceptable, or do you want to reduce them further?
The next step is to take appropriate measures to protect your information where necessary. Information security frameworks come in handy here. These contain a whole toolbox of measures based on best practices. You do not have to limit yourself to a single framework. You can also combine best practices from different frameworks.
Investments
If you want to implement and maintain measures, you must be prepared to invest time and money. Not only in the beginning, but also afterwards. The required budget obviously depends on the risk. Which things can you invest in?
- Developing, implementing or adjusting, executing and monitoring processes and procedures, including
- Control of changes
- Monitoring of new threats and risks.
- The training of employees.
- Purchase, commissioning, use and maintenance of technical measures, such as
- Intrusion detection system that detects suspicious traffic in your corporate network
- Web application firewall that blocks suspicious traffic to and from your corporate network
- External audits and testing, such as
- Penetration test on information systems
- Certifying audit, for example, against the standards of ISO 27001 (more about this below).
Structured and standardized processes based on best practices
If you are going to implement a security framework in your organization, you will have to adjust existing procedures and processes. You expand this with extra steps and checks to adequately protect your information. New procedures and processes may need to be implemented, such as periodic audits of the safety of your systems. You do this according to the best practices that the security framework offers you.
This requires a structured and repeatable way of working. You may still need to make improvements in that area. You may still need to document your existing procedures. Or introduce checklists, so that all steps in a work process are always followed.
As said: this requires the necessary investments. And it results in more and more extensive procedures and processes. But also to a general quality improvement of the procedures and processes within your organization.
The right expertise
Information security is a field in itself. And it is a broad field. Extensive knowledge of and experience with governance, risk management, security programs in IT, HR and building protection, and incident management is necessary for a thorough and adequate protection of the important information.
Start with the design and implementation of the framework only when all the necessary knowledge is on board. First determine what knowledge is required and what your organization already has in house. If certain knowledge is missing, training or education can help close that knowledge gap. Or you can hire an expert, temporarily or otherwise.
In addition, good training of all employees involved is important. If employees do not see the benefits of information security for the organization, but only the negative consequences for their own work, they can resist to the extra work. Or they look for ways to “work around it”. A security framework also provides tools for training your colleagues.
Demonstrate that your organization takes information security seriously
A nice advantage of applying a standard security framework is that it gives others a good idea of how your organization deals with information security. After all, this is described in the specification of the standard, which is generally available.
If you use a reputable framework such as ISO 27001, then this is a good indication to (potential) customers, partners and regulators that your organization takes information security seriously. That gives confidence, especially if you can support it with a certification.
No guarantees
Finally, a disclaimer for using security frameworks. A framework provides good tools to manage security risks. However, it does not guarantee that security incidents can no longer occur.
Information security is an ongoing effort, requiring you to anticipate and respond to current developments that may pose a threat. You may need to make policy or technical changes to adapt to the new situation. In that sense, your information security is never “finished” and requires constant attention.
Curious how to implement a security framework in your organization? INTERMEDIATE can help. With our substantive knowledge, we find the right professional who can guide and support your organization. Interested? Please contact us: intermediate.pro/contact
This blog was written by Teun Tonino.
