Securing information is far from being merely a technical issue for an organisation. In fact, technical operations are just one aspect of a process which, to be successful, must cover all of the company's activities as a whole.
Before implementing technical procedures and measures aimed at improving an organisation’s security, it is important to first conduct a risk analysis (risk management) and to write up a security policy.
The security policy formalises and coordinates all of the organisation’s security techniques and organisational procedures.
Writing up a security policy is a lengthy task. We do not advise that small companies tackle it all in one go. It is better to make gradual progress through continuous improvement: start with a document that is short and concise, then progressively develop the procedures and sectoral policies that are most needed.
The governing principle when drafting a security policy consists of, on the one hand, a set of best practices (ISO/IEC 27001 and ISO/IEC 27002) and, on the other hand, risk analysis and assessment. All organisations should ensure they implement behavioural, organisational, and technical measures where they can be quickly and truly effective.
In any case, you should choose the approach best suited to the organisation's size, its maturity and, above all, the criticality of its assets.
The definition and application of a security charter is the first step towards security management. To guarantee its success, it must meet the organisation's specific security requirements. A risk analysis, even a brief one, must precede this process. Without this analysis, the management will not be in a position to determine which assets should be protected as a priority. In order to be able to predict the worst possible outcome, the management must identify the most likely threats and the vulnerabilities that are easiest to exploit.
The introduction of a charter must imperatively be accompanied by a presentation to the employees who will have to implement the suggested measures on a daily basis. Without this training, there is a risk that the charter will be ignored and will, therefore, become useless.
Once the major risks for the organisation have been identified (risk management), the management will, with a view to continuous improvement, be able to go beyond a simple security charter. They will introduce an actual policy, as well as specific procedures.
With the introduction of even a rudimentary security policy, the management will be able to begin organising security. The security policy will define, in formal procedures, the obligations and responsibilities of each individual, as well as the processes related to the security of information.
At this stage, there is no point in compiling an exhaustive security policy. Making an organisation secure is an ongoing cycle (Design, Implementation, Assessment/Checks and Improvement), and the security measures it introduces are prioritised according to the worst possible outcomes, the most likely threats and the largest vulnerabilities.
This first step aims to correctly determine the scope and context of the future system. It must also identify and assess the risks in order to develop a management plan. (It cannot, however, replace the risk analysis, which must be carried out in advance.)
The implementation stage primarily consists of applying the security policy created in the previous stage. Organisational and technical measures are implemented and behavioural measures are applied by the staff.
The assessment systems must have been set out in the security manual. The aim is to ensure that the procedures put in place work as intended.
These assessments can take several different forms:
If the assessments and checks uncover inadequacies in certain procedures, measures must be taken to correct them.
The actions that were decided upon in the previous step will have to be implemented, either:
The security policy should contain the following documents: