Information security, in simple layman's terms, means keeping an organization's information secure. In other words, it means having "Processes", "Policies" and "Procedures" in place to prevent any loss of information. Processes, Policies and Procedures, the 3P's of information security, act as your arsenal in the fight to prevent information leaks.
Loss of information can happen in various ways, such as unauthorized access, disruption, recording and reuse. Any loss of information in this digital age is harmful to an organization. It can also mean big financial losses. Worse, it can lead to loss of market share! So it is really important to have strong information security practices. Getting a certification in IT security management is necessary to protect data. A CISSP certification is one of the most sought-after IT security skills today.
The prerequisites for a strong information security practice are to have the 3P's in place. At the same time, having the 3P's in place just for the sake of it is not a solution. Enough thought has to go into designing 3P's that are relevant for the organization. They need not be lengthy and mighty-sounding. They just have to be clear and concise enough to be understood and executed by everyone. What use are the 3P's if they are fancy but not useful?
A policy is a basic principle that acts as a guide in a specific situation. A procedure is a set of steps to follow to ensure that the situation is addressed based on the guidelines in the policy. A procedure augments a policy! In so many ways, getting the policy right makes it easy for all concerned to handle a situation!
Let's take the instance of a policy on passwords. The policy should clearly state the rules for creating a password: use of alphanumeric characters, complexity, length and so on. The related procedure then identifies the steps the IT function takes to ensure this policy is practiced.
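To make the policy/procedure split concrete, here is an added example (not code from the original post) that writes the password policy down once as data and the enforcing procedure as a check that reports every rule the candidate password breaks. The specific limits (12-character minimum, three character classes, a small denylist) and the hypothetical `PasswordPolicy` and `check_password` names are assumptions chosen for illustration, not figures from the post.

```python
"""Added example: a password policy expressed as data, and the procedure
that enforces it expressed as a check function. The policy values below
(minimum length, character classes, denylist) are assumptions chosen for
illustration, not figures from the post."""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    # The "policy": the rules, stated once, as data that anyone can read.
    min_length: int = 12
    max_length: int = 128
    min_character_classes: int = 3   # of: lowercase, uppercase, digits, symbols
    forbid_username: bool = True
    # Constructed denylist of passwords the policy refuses outright.
    denylist: frozenset = frozenset({"password", "letmein", "welcome1", "qwerty123"})


def character_classes(password: str) -> set:
    """Return the names of the character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(password: str, username: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> list:
    """The "procedure": apply every policy rule and return a list of
    violations. An empty list means the password complies. Reporting all
    violations at once (rather than stopping at the first) lets the user
    fix everything in a single attempt."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        violations.append(f"longer than {policy.max_length} characters")
    classes = character_classes(password)
    if len(classes) < policy.min_character_classes:
        violations.append(
            f"uses {len(classes)} character class(es); "
            f"policy requires {policy.min_character_classes}"
        )
    if password.lower() in policy.denylist:
        violations.append("appears on the denylist of common passwords")
    if policy.forbid_username and username and username.lower() in password.lower():
        violations.append("contains the username")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs: one denylisted, one containing the username,
    # one compliant.
    for pw in ["welcome1", "alice2024!!", "Tr0ub4dor&3-horse-staple"]:
        print(pw, "->", check_password(pw, "alice") or "OK")
```

Because the policy lives in one place as data, changing a rule (say, raising the minimum length) changes the procedure's behaviour everywhere it is applied, which is exactly the "get the policy right and the procedure follows" relationship described above.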
What are the important points to consider while making your policies for information security? This is the question that we will answer in this blog post.
Organizations tend to think that tools will solve problems. That is only partially true. There has to be a functioning process that enables the tool to solve the problem. In reality, without a properly defined process, no tool will help solve a crisis. The tool might only add to the chaos of the crisis.
One of the most important things to do is to build a process first. The second is to buy the tools needed based on that process. This sequence does not work the other way round.
A policy should be laid down to enable action in the face of a normal situation or even a crisis. A well-thought-out policy works like an action plan that can be implemented by anyone or anything. Some organizations use automation. Others rely on human resources. There are organizations that use a combination of human and automated resources. Irrespective of all these scenarios, the policy should work like an action plan. That is the kind of thought that needs to go into policy making.
In the case of information security, "the more the merrier" does not hold good. More involvement of people means more coordination. It also means more effort in ensuring everyone understands the 3P's in exactly the same way. So hiring more people to ensure stronger information security is not a practical solution. What companies should focus on is getting appropriate tools in place once the 3P's are clearly outlined. An optimal number of human resources combined with suitable tools is formidable.
There is no point waiting for a real-life crisis or information security breach to happen. Once you have the 3P's identified and outlined, it is of utmost importance to test your processes. Simulations can help. A simulated process test will help identify and fix gaps before they become leaks. This will go a long way in keeping your information security practices fail-safe.
You might find it surprising that a majority of organizations spend an enormous amount of time and effort outlining the 3P's but not much in talking about them. The best processes and procedures do not work if people do not know about them. Make it a point to communicate and coach your teams about the 3P's. They should be equipped with all the relevant knowledge when faced with a situation.
When communicating about the processes and policies, it is very important to factor in communication with your customers. Both your internal and external customers should know your processes and policies. You will be surprised how quickly your customers will point out issues that you might miss.
The matrix of people, processes and tools is important for any organization. It is the order in which they come that makes the difference. In the context of information security, processes should be the topmost priority. People and tools are enabling mechanisms, not replacements. There is no other way to ensure strong information security measures.