Today’s business leaders face many challenges and rapid changes with respect to information and cyber security. When one considers the wide range of threats – from malicious intruders and thieves to disgruntled employees and industrial espionage – managers and business owners need to make sure they have an information security plan that enables their organizations to detect, prevent, and address security incidents in a timely and effective manner.
A clear and concise information security plan allows management and employees to see where they are expected to go, focus their efforts in the right direction, and know when they have accomplished their goals. Unfortunately, plenty of organizations lack an information security plan, or at least one that is up-to-date. Some even claim to have a plan but really don’t. As a result, there’s a lack of focus and inconsistency in the actions taken across the organization, not to mention a greater likelihood of something bad happening. If organizations continue to view information security planning as impractical or unnecessary, then they are less likely to effectively manage information and cyber security risks.
What Should Be Included in an Information Security Plan?
An information security plan can position an organization to mitigate, transfer, accept, or avoid information risk related to people, processes, and technologies. A well-designed plan also helps the organization adequately protect the confidentiality, integrity, and availability of information. The business benefits derived from an effective information security plan are significant and can offer a competitive advantage. These may include complying with industry standards, avoiding a damaging security incident, sustaining the reputation of the business, and supporting the commitment to ownership, customers, partners, and suppliers.
A comprehensive information security plan takes a holistic look at key people, processes, and technologies and ensures that potential vulnerabilities can be detected and addressed in a timely manner. Industry experts have identified the following 10 areas that need to be addressed within an effective information security plan:
- Key business processes – Clear understanding and documentation of business critical processes and potential information and cyber security implications in case such processes are disrupted or jeopardized.
- Identification of critical data – What are the organization’s highly sensitive and confidential data elements, where are they stored, who has access rights, and how is the data secured?
- New technology initiatives – Anytime a new technology project such as a new phone system or a new server rollout is being planned, consider and plan for the security implications of such projects.
- Cloud computing services – As the trend continues toward shifting applications onto the cloud, be aware of each vendor’s cloud security environment and how your information is being managed and backed up, and how it will be restored, if needed.
- Internal threat considerations – Recent studies have identified employees as the main source of information security breaches within organizations. An effective information security plan should establish policies and procedures for the proper use of systems and provide ongoing employee training and validation processes.
- Personal and mobile computing devices – Bring Your Own Device (BYOD) policies are becoming increasingly popular in mid-market organizations; however, strict policies, procedures, and control software protocols need to be in place to minimize the risks associated with the use of such devices.
- Legacy system issues – Many organizations are still using core business systems dating back 20-30 years. Such systems, which often hold vast amounts of organizational knowledge, were designed prior to widespread use of the Internet. As such, many have significant information security vulnerabilities associated with their core architecture. Management needs to devise effective information security policies to best safeguard all data assets embedded in such systems. And although upgrading these systems is considered a major initiative in many instances, it will nevertheless have a significant impact on improving your organization’s information security posture.
- Collaboration and remote access applications – Many users are accustomed to leveraging file sharing applications and accessing their systems remotely via technologies such as remote desktop and VPN. Management should have strict policies and guidelines for using internal and/or externally-hosted file sharing and collaboration applications and also have the proper information security mechanisms enabled from both design and validation perspectives for all remote access arrangements.
- Monitoring and validation – Even with the most comprehensive information security plans and procedures, it’s important to conduct periodic vulnerability assessments to identify potential weaknesses and utilize penetration testing practices to validate information security capabilities.
- Risk management approach – Every organization has a unique approach toward managing risks. Organizations with a lower emphasis on risk management are higher probability targets for today’s sophisticated information thieves and cyber criminals. So make sure your information security plan includes risk management tactics that work for your business and keep you protected.
Sassan S. Hejazi can be reached at shejazi@kmco.com or 215.441.4600.