2 Security awareness
Purpose: To consistently inform all users regarding the impact their actions have on security and privacy.
Introduction: The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing relevant security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents are some actions that can be taken to reduce the risk and drive down the cost of security incidents.
We would then start naming specific bullet points that we want to include. For example:
- A monthly security awareness newsletter will be sent to all employees, covering the latest threats, including ransomware attacks and social engineering.
- Online or in-person security awareness training will be put in place and monitored to ensure that all employees participate.
- Continue with relevant bullet points. This is where we cover all the typical scenarios we are likely to encounter, and it is a long list, to say the least. Remember to keep a policy high level; save specific details such as server names for the procedures that fall under a given policy.
3 Information security
Purpose: To lay the foundation for the enterprise data risk management program: people, process, and technology.
General: The information security policy might look something like this. Its purpose is to define the management, personnel, and technology structure of the program. The most important part of this policy is "Who is the single point of contact responsible for information security?" Is it an IT manager or a security analyst, or do you need to appoint someone?
A. Role of Information and Information Systems
C. Environment and Scope
D. Organization and Employee Roles and Responsibilities
- System Access Control
- Information Access
- User-IDs and Passwords
- User-ID Issuance for Access to corporate Information
- Anonymous User-IDs
- Password Policy
Continue with relevant bullet points. Add social engineering, phishing, spear phishing, advanced persistent threats, spam, and so on.
4 DR/BCP (Disaster Recovery, Business Continuity plan)
Purpose: To ensure that the business has DR/BCP plans that are accurate and tested.
A DR/BCP plan helps manage real-time risk. It includes everything from responding to denial-of-service attacks to floods, fires, hurricanes, or any other potential disruption of service. Business continuity seeks to keep the business running no matter what, and thus includes redundant systems and personnel plans to ensure the business stays up and running.
Disaster recovery, as the name implies, is the plan for recovering from events such as floods, fires, or hurricanes that caused an interruption in service, i.e., you lost business continuity. DR/BCP plans must always involve the business units when they are created, planned, or tested. Each critical department or business function must know its role in the recovery strategy, e.g., is work from home included? In the case of a major hurricane, have you considered that personnel have families that may need assistance on the home front before the employee can do their part for the enterprise? In a life-threatening situation like a hurricane, employees must take care of their families before they can take care of their company.