ISecMan – Information Security Management

Today, information resources are becoming an increasingly important asset for business, and so is their security. It is not common knowledge that only 20% of information security breach cases are related to IT, and more than two thirds are caused by human error on the part of employees. Contrary to what it might seem, efficient implementation of a security policy is not simple.

 

 

Why Security Policy?

Information is not only data stored on computer media or in paper documents. It also includes phone communications and employee expertise. Information flow within a business is a foundation of its competitive edge and financial liquidity. Maintaining the competitive edge is also increasingly often related to implementing information services, which act as a way to improve information flow. However, it is important that these services be implemented in such a way that the intended profits do not become losses. That is why information security policy is of such importance. This is no easy task. An information security policy must be implemented in such a way that it enables business continuity, minimizes risk, and maximizes business efficiency. However, the more complex IT systems and networks become (i.e. the more connections between public and private networks), the more difficult they are to control. Improper development of information resources consequently leads to data scattering and a decrease in security.


Ineffective Policy – Increased Losses, Decreased Benefits

In order to protect their business assets, businesses develop information security policies as sets of regulations and procedures, which are intended to help maintain information confidentiality, integrity and availability. This approach is clearly appropriate. However, things get much worse when it is put into practice.
In fact, development of such important documents as information security procedures is often reduced to a single instruction, usually for a single employee: “Develop the information security policy, please – we need this documentation in order to keep our competitive edge.”
From this point on, a single person is responsible for this highly important task (usually an IT department employee), and to make matters worse, this person usually has close to no experience in creating procedures related to the information security policy. Implementing the information security policy in this way may bring about more harm than benefit.
The employee, upon analyzing the task, becomes aware of the vastness and diversity of security policy facets. He or she also becomes aware of his or her lack of expertise in many areas, and starts looking for solutions proposed by third parties. Tempted by quick solutions and adequately low costs, he or she then copies these solutions into the document being developed.

The company board believes that the employee has prepared a detailed and analyzed information security policy, and accepts it. The developed procedures are then implemented in the business infrastructure. Information security schemas, which were intended to simplify and stabilize the information flow, are found to be completely unsuited to business processes, which causes employees to abandon them. Information security policies implemented in such a fashion become, with time, nothing more than useless piles of paper.


Information Security Care

In order to develop an effective information security policy, it is not enough to follow the national standards, which only outline a schema of such a policy. Therefore, it is not enough to:

  • Define the security requirements
  • Assess risks
  • Select optimum safeguards
  • Develop documentation
  • Implement the policy
  • Perform necessary trainings

 

Such an important document should never be treated as a project which, upon being developed, may simply be put away on a shelf. It should also never be developed by a single person, but by a team supported by independent consultants, who are able to view the structure of an organization in a comprehensive and independent manner. Developing and implementing the information security policy should be an activity that is carefully planned and analyzed in detail, and it should involve all employees, suppliers, customers and stakeholders.

As already mentioned, the information security policy is not just a single project. It involves a number of continuous activities, which should be audited in a regular fashion, verifying the development direction of the implemented policy.

Only such a view of the information security policy will help the business avoid the consequences of a leak or loss of information. Today, negligence in this area is unacceptable, since every activity which involves time constraints and financial constraints leads to undesired business effects. Information security policies should be treated very seriously.

Meeting your needs in this area, the ISecMan Organization invites you to participate in a set of trainings. Our trainings help you gain practical expertise in managing information security (developing and implementing information security policies, contingency plans and emergency procedures). They are designed mainly for upper management, personal data managers and IT staff who design and manage systems storing and processing protected information. All this, so you may gain comprehensive knowledge, which is required to effectively plan and implement business policies related to information security.