Our topic here is not physical security but cybersecurity, or information systems security, for executives. It should come as no surprise that, for any organisation, securing its digital information assets is as important as the physical security of its assets. For the same reason, organisations seek to secure their executive information assets, which comprise the key decision-making information behind competition, investment and financial decisions.
So in most organisations we see security policies and solutions woven around encryption, anti-malware, anti-virus, unauthorised-access prevention and threat management for information asset protection. What is often missed, however, is uniformity of security requirements, for a variety of reasons: budgetary constraints, incorrect risk management, lack of awareness and education, and so on. What executives need to understand is that spending on security solutions for their own privileged information assets is not sufficient. The organisation as a whole should follow uniform security policy implementation and procedures. Here we discuss seven important considerations and policies for effective executive security solutions.
1. Secure the weakest link first
A hacker is not searching for the most secure asset among your information assets and network, but for the most vulnerable one. Hence it will often not be the executive's workstation that is compromised, but that of an ordinary employee, or a device that the risk analysis paid the least attention to. Every device, every asset and every entity accessing your information and connecting to your network therefore matters: secure them all, and secure them as if they were one and the same.
2. Include your partners, suppliers and customers
A comprehensive security policy cannot leave out the other parties who connect to the network and access information. Secure your gateways and communication channels: your software systems, websites, email, network and physical facilities. Include your partners, suppliers and customers when you create security policies and procedures. They will be using your information resources, and hence they are equal stakeholders in your security realm.
3. Build uniform policies and procedures
As we have seen, whatever and whoever is using the information system can potentially be compromised, so our security policies should be uniform. It is a one-for-all and all-for-one scenario: treat everyone equally when it comes to security, secure everyone equally, and create policies and procedures that are uniform and applicable across the organisation. Access to information and information assets should be authorised based on roles and responsibilities. Build your baseline first, and only then proceed to grant your people access and rights over information.
4. Educate your people
Education is necessary if you want your policies to be followed. Therefore, spend time creating effective communication channels in the organisation through which people can be educated. Educating is different from training: education helps create awareness, responsibility and commitment.
5. Manage risk
Risk management is a key executive function. It is necessary to analyse, understand, weigh, mitigate or accept risk. Security policies are not complete without risk management, as risk management decisions drive security policy and procedure development.
6. Follow standards
Rule of thumb: seek help when needed. Information security is a field that requires experience, knowledge and skills to manage challenges, changes and updates. It is also a highly standardised field, and security standards are built by expert public and private institutions. Information security has very high stakes, and hence governments, enterprise consortiums, research institutes and think tanks contribute to developing and evolving standards to meet technological advances, threats, risk mitigation and governance requirements. Moreover, there are industry-specific security and governance standards such as HIPAA (http://www.hhs.gov/hipaa), PCI DSS (https://www.pcisecuritystandards.org) and ISO 27001 (http://www.iso.org/iso/iso27001), and methodologies and frameworks like COBIT (http://www.isaca.org/Cobit/pages/default.aspx). It is therefore wise to seek expert advice and experience to meet industry-specific security requirements and to create risk management, security and governance frameworks.
7. Learn and improve
Organisations move on; they grow and they change, so security solutions, policies and procedures should evolve with the organisation. Technological advances, lessons learned, failures and successes all provide opportunities to improve. The organisation should therefore be flexible enough to adopt change and to continuously improve and adjust its risk management and security policies and practices.
By following these key security planning considerations, a security solution can be implemented that is applicable to an organisation of any size, from small and medium businesses to large enterprises. These guidelines are important for executives to consider in understanding the demands of securing their information assets and competitive advantage. We will discuss these and other information security concepts in upcoming blogs and further explore the ideas and standards.