Getting started with information security
By Sieuwert van Otterloo
Many organisations find it challenging to implement a full information security policy, because it affects all departments and many aspects of the business. In our view the best approach is simply to get started: with a small team, interactive workshops and concrete steps. Once the team is up and running, you use continuous improvement to complete your approach and to document and implement all relevant aspects. Eventually you can use standards such as ISO 27001 to check your work for completeness.
A team based approach
Information security is challenging because it is a typical example of where the principle of the weakest link applies. Information security consists of strategic, technical, policy and people aspects. You need to address all of them, because the security level of the organisation is only as high as the security level of its weakest link, and all links are connected. It is not useful to implement staff policies without technical measures, and it is equally unwise to implement technical measures without making people aware of security. Because of this weakest-link principle, it is not possible to improve information security with a single short project. You need a sustained approach: an ongoing effort that is widely supported in the organisation.
Create the right team
The first step in starting with information security is creating a team. You will need a small team that can set up the information security strategy, policies and processes, and is also able to run and manage the system. A team is needed because information security should not be dependent on a single person.
We recommend creating a small team (2-3 people) for small organisations, and a larger team (3-5 people) for larger organisations. Members of the top management team (e.g. the CEO and COO) should sponsor the team and give it an explicit assignment. According to best practices, the following roles must be present:
- A management representative with IT knowledge (e.g. CIO, IT manager, Chief Information Security Officer) for general policy
- A technical representative with IT knowledge (Infrastructure manager, lead developer / lead engineer) for evaluating and rolling out IT measures based on policy
For smaller organisations, the following roles must be regularly consulted and kept informed about the general progress of the project. For larger organisations, they can be permanent members of the team:
- Representatives of main departments (e.g. manager sales, operations, consultants, or different countries)
- HR officer, digital privacy officer, Chief Legal officer or other staff officers responsible for processes and policies.
It is necessary for senior people to be involved (so that decisions can be made and executed), but at the same time the team should have enough detailed knowledge of how people actually work in the organisation to make informed decisions.
In the first phase the team should meet frequently (every week or every two weeks) in order to design and implement information security. After the first few months, the team can meet less often. Once per month is a good frequency for many organisations.
Staff involvement and interaction
It is important that the whole organisation is aware of the information security initiative and understands why it matters. Every staff member must be willing to follow new guidelines and should make the effort to ask questions and report incidents.
You can actively involve people by making the whole process interactive: every staff member should feel involved in identifying risks, deciding on control measures and implementing security steps. This requires interactive workshops rather than static trainings and formal documents. Our security approach is inspired by agile principles, and we typically use agile workshop techniques (such as these new retrospective techniques [post in Dutch]) to make meetings interactive.
In our experience, support is best achieved by facilitating communication and discussion. Create a single channel for people to contact your security team; this can be as simple as an email address. Invite your staff to ask questions, report concrete issues they encounter in their daily work, or report incidents. Always answer each issue by stating what action you have taken, so that your staff can see the value of their contribution.
Step three: just get started, take your time and keep focus
The main risk when implementing information security is trying to do everything at once. There are many security aspects to analyse and control, and tackling them all at the same time is a lot of work and hard to do well. Information security should not feel like a sprint but more like a long-distance journey at a steady pace. Each quarter, the most important risks should be reduced. If you manage to make steady progress, you will automatically reach a high level of security.
On a daily basis, your security team may often dive into the nitty-gritty, often technical, details. This can lead to long discussions without a solution. For example, in a discussion on network security, many technical issues may arise, and after an hour-long discussion there is still no network security policy.
Try to keep focus and keep the big picture in mind: you are trying to organise information security. Do you have an overview of the networks? Is there an IT policy? What does it state about networks? Create this basis first and then build further on top of it, one step at a time.
Step four: standards and formal compliance
Many organisations start improving information security due to questions and suggestions from external stakeholders: customers or regulators often want to understand what companies are doing to protect personal and sensitive information.
Indeed, for many companies, having sufficient security in place is mandatory due to contracts or regulations. In theory, companies are free to decide whether or not to use a standard. In practice, it is useful to use an existing standard as a guideline because it makes it easier to demonstrate what security is in place. ISO 27001 is a common standard used for this purpose: it is an international standard and the best-known standard for organisational information security. We are in favour of reading this standard and other external standards and practices as a source of inspiration and discussion. The actual decisions, however, should not be based on the standards alone, but on the actual risks and on insights from staff.
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.