As well as the remediation costs associated with the loss of data in terms of litigation, penalties and time, the brand damage resulting from an information security failure is estimated to be ten times the tangible monetary cost of the incident. A number of organisations have not dealt with this issue in a credible way in spite of the brand risk and the threat of penalties to their corporate officers.
The following five steps from Barounscourt are a framework for organisations looking to mature their approach to data protection beyond perimeter technologies such as firewalls.
1. Carry out a risk assessment
As always, you cannot manage what you cannot measure. A benchmark of the organisation's security posture is key.
2. Create an Information Security Forum with executive powers
Security is a cross-department issue. A security failure will drag in everyone from Legal and IT to Marketing. They all have to become owners of this issue.
3. Develop and disseminate a User Awareness Campaign
Having best practice written in an employee handbook is not a credible attempt at data protection. The battle for information security is incessant. No-one in the organisation should be unaware and hence become the weakest link.
4. Determine your security posture balance in relation to business agility and then stick to it
Information security requires sacrifices to be made in relation to business agility. From remote access to device control, user functionality must take second place to security. Gain executive buy-in and stay the distance.
5. It's rarely a technology issue – institutionalise information security via a governance framework such as ISO27001, COBIT or ITIL
Make security part of the fabric of your organisation. Don't reinvent the wheel; rather, adopt methodologies already proven in the industry such as ISO27001, COBIT and ITIL.