Prioritizing Information Security at Work

Categories: Information Security, Insights

Between drumming up new business, completing the work you have in house and managing the people who work for you, there is not much time left in the day to plan a marketing strategy or create your latest blog entry, let alone evaluate your information security needs. But a secure computing enterprise is important to the long-term health of your organization, and setting up a security governance structure can help ensure information security gets the attention it needs.

Security governance is a rather ominous sounding concept that can make watching paint dry sound like a dynamic experience. Yet installing a governance structure behind information security can help transform a painful project into an efficient routine. Governance plans outline who is responsible for information security, how security matters are addressed, and what policies and procedures will be used to maintain a secure environment.

When you kick off security governance planning, the first thing to evaluate is any information security requirements that you are obligated to adhere to. For example, are you collecting credit card information or doing business with a federally regulated financial institution? If so, your company is already subject to an array of information security requirements that you must comply with.

Having established the bare minimum of requirements for external compliance needs, you should then evaluate your own corporate risks and objectives. Are you creating the next Facebook with requirements for strict control over documents and code, or are you just trying to run a social media advisory firm with little to no confidential information? Your own internal security objectives may or may not exceed the external requirements placed on your organization.

Once you are familiar with both the external and internal security parameters, you should define who is responsible for tracking the execution of the security policy. This person is sometimes called a chief information security officer or infosec manager.

For smaller firms, the work involved will likely not require a new full-time hire. The work can be handed to a controller, chief operating officer or other trusted senior leader. This person must be persistent and consistent in their execution of objectives. Your infosec manager will also be responsible for creating (or hiring a consultant to create) the appropriate policies and procedures that will ensure your firm is adhering to good security practices, monitoring its security status and making the employees cognizant of the organization’s information security objectives.

Your official information security policies and procedures should:

  • Identify and inventory all confidential information
  • Grant and revoke access for employees and contractors
  • Outline standard configurations for laptops, workstations and servers
  • Explain desired password complexity and other policies
  • Describe encryption policies
  • Dictate employee education and training requirements
  • Integrate security measures into software development processes (to the extent you have them)
  • Explain login and authentication requirements for applications and operating systems
  • Outline physical security requirements and procedures associated with accessing any computer hardware that has confidential data
  • Propose options for the disposal of old computer and office hardware (copy machines are historically a major risk)
  • Provide a framework for wireless network configurations and security requirements
  • Allow for secure remote access

To ensure that information security efforts are consistently addressed, it can be helpful to set up a repeated (monthly or quarterly) written report requirement that lands on the desk of the infosec manager and makes its way to senior management.
