Top tips to develop an information security programme
Great news! Your organisation’s leadership has agreed to an information security programme. But where should you begin? And when, they ask, will it end?
Your employees spend their days using a mobile or desktop device. They access information using your applications and transfer data across your network. Given that most of the security solutions in the market are focused on device, application and network/infrastructure security, isn’t that a good place to start?
Well, certainly technology has a part to play. But at Catalyst our approach is to initially focus on the information that matters most to us and the people that use it. That’s because we know that users cause 70% of the breaches, and because it’s the information that’s of value to our organisation that any adversaries will be after.
We’ve organised our programme into three distinct work areas:
- Security foundations
- Business process
- Tools and technology
At the moment, as we’re still at the beginning of our journey, much of our work is focusing on security foundations. For us that means governance, policies, awareness/cultural change, data protection and information protection (classification and handling).
Our programme is governed by an information security board, comprised of our leadership team. Below it, we have an information security working group (ISWG) comprised of senior colleagues from across the business. Our ISWG provides feedback, supports decision making and, crucially, provides insight on the activities and needs of the business.
We’re working to get key policies in place that will underpin the work to come. At Catalyst, some policies need to be created from scratch while others need substantial revision and updating.
Awareness and cultural change
To provide us with additional resources to support our in-house communications team, we’ve teamed up with an external communications agency. With their help, we’ve created a clear identity for the programme and are currently delivering a new information security topic each quarter, supported by leaflets, pull-up banners and a presentation for cascade within our teams.
Data protection
This is another area where we’ve needed external support, this time from a firm of solicitors with extensive experience in data protection. They have helped us review our privacy and data protection policies, and are delivering a programme of training – initially for our frontline workers – that our colleagues are finding not only extremely useful but also great fun.
Information protection
Information protection is about the way we classify and subsequently handle our information. With the help of our information security working group we’ve agreed a simple classification scheme with just three levels (confidential, restricted and unrestricted). We’re also trialling a classification tool that will enable our employees to classify emails and documents immediately, as they create them. Our classification and information handling policies are still a work in progress.
So back to that burning question. When will it end? With our business constantly changing, and threats to information security constantly evolving, our programme can never truly end – though of course many of our security measures will pass into ‘business as usual’. Rather than actually seeking ISO 27001 accreditation, our approach is to align ourselves with the good practice set out by the framework. We expect the initial journey to take around three years for our programme as a whole.
Head of information security, Catalyst Housing