ISO 27001 Information Security Management provides global standard of information security that has stood the test of time. The problem is that most business managers and entrepreneurs simply do not possess the technical abilities that is required to effectively manage information security risks that now abound in this our information age.
At the end of the day, it is the workers and managers who are the foot soldiers that will ensure that the information assets of organizations are safeguarded. So why try communicate with them in a language that they would not fully understand?
This article on InfoSec strategies in part of a series that I have written on cybersecurity in my little effort to continually contribute towards closing the information security gap. The feedback that I got from readers of my previous writeup on information security management was that it was too technical and not for non-tech managers – I apologies for making certain assumptions.
Today, theme is on InfoSec strategies for non-techie managers. I will be summarizing what needs to be done as far as securing your information assets are concerned in Five (5) simple, yet comprehensive enough headings.
Five (5) Information Security Management Strategies for non-IT Managers
Staff training
the world is not in short supply of tools that can help give us reasonable assurance that our information resources are safe. What we have is a massive pool of people who have no clue of what to do to ensure that they do not fall victim of one cyberTrap or the other.
The number thing that even business owner with online presence should strive for as far as information security management strategies for non-IT managers are concerned is to train, train and train their staff. Remember that humans are always the weakest link in any system. When I talk about training here, I am not talking about some high cost elaborate kind of training.
Simple things as a 30 mins weekly cyber security best practice where a knowledgeable person will give tips on information security best practices like, ‘nitty-gritty of password management’ for example.
Another person may give guidance on the real danger of phishing, pharming, ransomware, etc
Development and enforcement of IT policy
Nothing works from both operational and legal standpoint if ways of doing things are not properly documented. How will that newly recruited staff for example know that s/he is not allowed to use company’s email resources for personal purposes? Yes, one can argue that it is not ethical to use company resources for personal dealings but, hey, where is it written?
The baseline of information security management is the availability of IT security and related policies. This must be your starting point. You can download templates of all kinds of policies this SANs.org list of security policies to choose from and then tweak to suit your business needs. This is where most IT Security professionals get their InfoSec policy templates from.
Adoption of information security standards
It is not that one cannot go it alone but why re-inventing the wheel? There are organizations that have invested thousands into researching and coming up with global information security standards that can easily be adopted as needed. I don’t feel ashamed to recommend works from ISO, ISACA and ISC2.
I understand that the contents of some of the documents coming from these bodies can be cumbersome a times but they are all written in plain different languages that can be read and understood by anybody. ISO27001 and ISACA’s COBIT are my favorites.
Maintain reasonable IT security budget
Every good thing in life comes at a cost. Information security management does not come freely. Some level of investment needs to be made. You need to know when to invest more in your business technology for optimum balance between operationality, security and scalability.
Physical security
Very many companies or businesses still do not get it that physical security still plays a vital role in the overall information security landscape. I was shocked to the bones when I visited an AIS audit site and noticed that the servers of the company are kept in their visitors’ common room without any security personnel there nor any CCTV camera in place.
This does not require having a degree in information security or a CISA certification on order to understand the risk involved here.
If space is an issue for your small business, at least keep your servers in the office of a trusted staff until you can afford suitable space.
Summary and words of encouragement I hope that I haven’t managed to scare anybody away with technical terms in this accounting blog article on information security management strategies for non-IT managers. As promised, I did my best to keep the technical terminologies at bay. Please do go ahead and implement
Leave a Reply