The three examples below show how information security can be integrated into a strategic organization plan:
1. Form an Information Security Team – The first step in information security is determining who should have a seat at the table. The organization must accept ultimate responsibility for security rather than simply delegating it to a chief information security officer (CISO) or equivalent role (Fitzgerald, 2007). On one side of the table sits the executive team, made up of senior-level associates responsible for crafting the mission and goals of the security program, setting security policies, defining risk limits, and more. On the other side of the table is the group in charge of daily security operations. Together, this group designs and constructs the security program’s framework.
2. Inventory and Manage Assets – The security team’s first task is to determine which assets exist, where those assets are located, ensure that the assets are tracked, and secure them properly. In other words, it’s time to take stock of everything that could contain sensitive data, from hardware and devices to applications (both internally and third-party developed) to databases, shared folders, and so on. Once the list is compiled, assign each asset an owner and categorize it based on its importance and value to the organization, and on the consequences of its compromise in the event of a breach. This step corresponds to the requirements outlined in the Personal Data Protection Regulation (EU) 2016/679, which requires an organization to identify and manage filing systems containing personal information.
3. Assess Risk – In order to assess risk, we must consider both threats and vulnerabilities. Fortunately, the cost to fix a problem is almost always a fraction of a percent of the size of what is being risked (Hubbard, 2020). We begin by compiling a list of potential threats to the organization’s assets, then rank these threats according to their likelihood and impact. Following that, we consider what vulnerabilities exist within the organization, categorize them, and rank them based on their potential impact. People (employees, clients, third parties), processes (or the lack of them), and the technologies in place can all be sources of vulnerability.
These steps are important because they help organizations deal with risk and avert major problems before they arise. Through them, the company defines and implements a management system for asset management and risk assessment, and executes a systematic approach to information security management. The risk of information loss or unauthorized access is reduced. The awareness and competencies of the people assigned to information security roles are developed. The organization complies with regulatory requirements, including the Personal Data Protection Regulation (EU) 2016/679. Information systems in organizations must be proactive in nature: they should anticipate changes in users’ information needs and adapt their services to meet those needs. A business information system is designed to meet the information needs of business decision-makers, and the availability of financial and human resources for the specific enterprise must be considered when developing it.
Hubbard, D. W. (2020). The failure of risk management: Why it’s broken and how to fix it. John Wiley & Sons.
Fitzgerald, T. (2007). Clarifying the roles of information security: 13 questions the CEO, CIO, and CISO must ask each other. Information Systems Security, 16(5), 257-263.