The 3 Necessary Elements for Effective Information Security Management

Seeing all these really bad information security incidents and privacy breaches, often daily, is so disappointing. Let's consider these four in particular.

  1. The Sony hack that seems to continue to get worse as more details are reported.
  2. An ER nurse using the credit cards of patients.
  3. Breaches of Midwest Women’s Healthcare patient records due to poor disposal practices at the Research Hospital.
  4. TD Bank’s outsourced vendor losing two backup tapes containing data about 260,000 of their customers.

And the list could continue for pages.

These incidents, and most others, probably could have been prevented if an effective information security and privacy management program existed that was built around three primary core elements:

  • Risk management
  • Documented information security and privacy policies and procedures
  • Education including regular training and ongoing awareness activities and communications

Risk Management

In each of these four cases a risk assessment, performed as part of a wider risk management program, would have identified significant risks. Here is just one example, for each corresponding case above, of a risk that should have been identified prior to the breach and could have been mitigated:

  1. Sony would have identified that they had vulnerabilities where remote access occurred into their networks and could have established stronger controls in addition to implementing intrusion detection and prevention systems.
  2. The ER could have implemented digital monitoring for staff in addition to spot audits and background checks to help identify when a staff member was stealing from a patient.
  3. A risk assessment of Research Hospital facility practices would have identified poor disposal of print records.
  4. If TD Bank had established a vendor security and privacy oversight program, it could have caught any lax practices at the vendor.

Policies and Procedures

In each of these cases, having documented policies and procedures would have given all workers a reference for what was expected of them with regard to effectively and consistently protecting information during normal work activities throughout the enterprise, and would have established the requirements and responsibilities that workers need to know. Here is just one example, for each corresponding case above, of a policy or procedure that could have mitigated the risk and should have been in place prior to the breach:

  1. Sony could have established documented policies and supporting procedures to NOT allow clear text user IDs and passwords to be stored in digital files. (Why the heck were they doing this horrible high-risk action!?)
  2. The ER could have implemented policies to secure all patient valuables in in-room lockers that staff could not access.
  3. Research Hospital could have had policies and procedures for finely shredding all documents to be disposed that contained confidential information.
  4. TD Bank could have had a policy requiring all backup tapes to be encrypted prior to release to the storage vendor.

Education

  1. Sony should have provided information security and privacy training to all personnel, and sent regular and frequent reminders to all personnel reminding them to protect all types of mission critical and valuable intellectual property to keep it from being inappropriately released.
  2. The ER should have provided information security and privacy training to all personnel, and sent regular and frequent reminders to all personnel reminding them to protect patient information, to be aware of what others are doing with patient possessions, and how to report suspicious activities.
  3. Research Hospital should have provided secure disposal training to all personnel who dispose of information in any form, and sent regular and frequent reminders to all personnel reminding them to completely destroy any type of media with sensitive information prior to throwing it away.
  4. TD Bank should have ensured their vendors and other outsourced entities provided information security and privacy training to all their personnel, and that they sent regular and frequent reminders reminding them how to secure the information that has been entrusted to them by their clients.

Bottom line for organizations of all sizes…

In addition to many really huge organizations, I’ve worked with hundreds of small to midsize businesses over the years. I’ve seen a large portion of the small to midsize organizations completely omitting not just one, but two and in many situations all three of these core elements.

Every type of organization, of all sizes, needs to build their information security and privacy program around the three core elements of:

  1) Risk management;
  2) Policies and procedures; and
  3) Education.

If they don’t, they are going to leave themselves vulnerable to potential significant and possibly business-killing information security incidents and privacy breaches.

This post was brought to you by IBM for Midsize Business  (http://goo.gl/t3fgW) and opinions are my own. To read more on this topic, visit  IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.
