In the first instalment of the “getting the facts right” series, I laid out the foundation on the fundamentals of information protection. I must be quick to say that this is a broad and technical area that requires a unified approach and effort among all key stakeholders in an organisation. The expectation is that those who have been charged with the responsibility, the board of directors, are taking the lead.
It is their role to institute information and technology security, and everyone’s role to comply. When it comes to the protection of information assets, it comes down to one simple fact: “ensure information security”. But how do we ensure information security? The previous articles laid an excellent foundation and we will extend from there. If you haven’t read them, please do.
How do we ensure information security, data security, systems security, application security, software security and technology security? For the purposes of this article we will use the term IT security to cover information and the technology supporting it. Generally, IT security best practices, irrespective of the framework or standard, exhibit more or less the same principles, which will be of immense benefit to any organisation. The objective of this article is to explore the basic principles of how to ensure IT security. Let us begin:
- The starting point is to take ownership and manage IT security at a strategic level. Basically, management of IT security should be carried out at the highest organisational level – most statutory or regulatory requirements mandate that this is the responsibility of the board of directors. This ensures that the management of information and technology security initiatives is in line with business requirements.
- The board should define an IT security charter. The objective is to mandate a management security function, and the charter should set out the following:
  - Scope and objectives
  - Drivers such as risk or compliance
- The board and executive management, in collaboration with line management, should direct the IT security policy development process to ensure that the policy is a true reflection of the business, regulatory and statutory requirements.
- Institute the information security organisational structure and its appropriate reporting lines. This function should have sufficient authority to execute the security mandate. Set up appropriate interactions between this unit and the organisation’s key control functions (risk management, compliance and audit).
- Ensure that IT security is on the board and management agenda. Basically, the organisation should implement IT security management reporting: regular briefings to the board, operations and IT management on IT security issues, so that appropriate management actions can be agreed on, the necessary approvals instituted and the resulting resolutions implemented accordingly.
- Once the board has approved the IT security policy and the security function is in place, the expectation is that the IT security policy is implemented across the organisation. Please take note that this is a process that may require further explanation and discussion – how to develop an information security policy, how to implement the organisation’s IT policy, and how to review the security policy in line with technology trends or regulatory requirements are some of the topics which will be explored to assist your organisation with IT security.
The actions listed above are the result of several risk or value drivers which the board or executive management would take into account in order to institute information security for their organisations. Risk drivers may include items such as the lack of IT security or its governance, misalignment of IT with the business’s strategic objectives or goals, or unprotected information and the technology supporting it.
Value drivers may include items such as protection of critical information and technology assets, an IT strategy that supports the business strategy and is aligned with the business plan, and IT security initiatives that are implemented in compliance with applicable laws and regulations and accepted IT best practices.
It is advisable that organisations adopt reputable frameworks to implement information asset protection programmes.