July 30, 2015

Information Security Risk: How Secure Are Your Policies and Procedures?

When was the last time your organization updated its information security policy?

A few months ago? A few years? Never?

An information security policy is a document that explains policies and procedures for protecting physical and information technology assets. While the policy should be concise, user-friendly, and aligned to legislation and regulatory frameworks, it must also be a fluid and evolving document that allows an organization to keep up with trends in information security and changes in the threat landscape.

Close to half – 43% – of companies in the 2014 Second Annual Study on Data Breach Preparedness by Ponemon experienced a data breach in the past year. That was an increase of 10% compared to the previous year.

Here is an information security checklist that puts the spotlight on important security trends.

Schedule regular updates of information security policies and procedures. The world of information security has changed so completely that any policy written more than two years ago is almost certainly irrelevant, commented Geoff Webb of NetIQ in a recent Forbes.com article.

Provide leadership. Appoint an individual (Chief Information Security Officer) and committee to be responsible for managing data security procedures.

Conduct regular risk assessments. A security risk assessment will identify areas that are vulnerable to a breach. For example, at this time, the Internet of Things revolution is significantly increasing security risks.

Focus on mobile device security. The highly mobile workforce is here to stay. According to the Global State of Information Security Survey 2015, 54% of respondents say they have implemented a mobile security strategy, and 47% say they employ mobile-device management or mobile-application management solutions.

Support employee knowledge and understanding. According to the 2015 State of the Endpoint study, three-quarters of IT professionals say their company’s biggest threat consists of employees who aren’t following security policies. Create a culture of security throughout the organization, and provide ongoing practical skills training.

Evaluate third parties. Breaches caused by third parties with trusted network access continue to rise. The Shred-it 2015 Security Tracker showed that 58% of small businesses don’t perform security checks when procuring a third-party vendor. Insist that third parties employ security and privacy safeguards.

Simplify safeguarding procedures. In the Forbes.com article, Kevin Epstein of security solutions provider Proofpoint suggested that when users can click ‘send’ in their email program and have a central policy engine decide if the email needs encryption or violates the privacy policy, “security is less circumvented, more consistent, and thus better”. Other recommendations: continuous monitoring of information systems and automatic access control.

Integrate physical security practices too. One important policy is a shred-all policy: all documents are destroyed when no longer needed. Partner with a document shredding company that installs locked consoles in the workplace for documents. Security-trained personnel will collect discarded documents for secure on- or off-site shredding, and a Certificate of Destruction will be issued after every shred.

Schedule hard drive destruction. Ensure that all obsolete technology and equipment (as well as e-media that is no longer needed) is fully destroyed so that information cannot be recovered. Speak to your document destruction partner.

Use this Security Risk Pyramid to rate your document security processes. Shredding paper on a predetermined schedule is a best practice.