Returning to the main point, what are the key challenges for an organisation that needs and wants to treat its data securely? Socitm’s Performance Management Group has come up with the following top 10 tips:
1. Ensure you understand which legislation affects your business area. The list grows all the time, and while much of it is targeted at the public sector, private sector shareholders and customers now expect best practice too.
2. Ensure a named individual in the business owns the risk, not ICT. People tend to assume that security is the ICT department’s baby, just because most data these days passes through a computer at some point in its life. The ICT department may own the service delivery aspects of technology and data handling, but the risk ownership is clearly with the business.
3. Ensure there is an effective incident reporting mechanism in place. Awareness raising about incident reporting is proven to improve processes and improve the culture of security in an organisation.
4. Regularly monitor, measure and audit your processes and procedures. It may be a short-cut to instant unpopularity, but this is a commonsense requirement and failure in this will lead to failure overall.
5. Implement a Corporate Information Governance Group (CIGG). Without top level leadership, Information Governance will fail. One key aspect of the CIGG is to oversee all procurement to ensure security is "baked in" from the outset.
6. Ensure all staff are trained, updated and aware of their responsibilities. Security and awareness should be part of the staff induction process – and that includes temps. Team briefings and staff appraisals can also be used to get the message across.
7. Undertake regular risk reviews of all processes and procedures, on at least an annual basis. You should consider joining a WARP (Warning, Advice and Reporting Point).
8. Ensure all key Information assets are classified and are resilient. Classification should include Confidentiality, Integrity, Availability, Liability and Aggregation (this last may need explanation: losing a single record might be impact level 2, losing the entire file could be impact level 4).
9. Have robust, risk-driven processes in place for "ad hoc" situations. Procedures that assume trouble comes neatly packaged will fail when something new comes along. Here too, aggregation is an issue: HMRC probably had a procedure for what to do if a client’s data went missing – but maybe didn’t know how to handle everybody’s data going missing….
10. Have documented policy driven processes and procedures in place. This is the responsibility of the Corporate Governance Group – every organisation should have one.
If having read this far you’re feeling a bit worried, good. The next security disaster could lead to your 15 minutes of fame. Security is not just a matter for the ICT department, but if you don’t raise its profile in your organisation who else will? Put it another way - until everyone else understands that it’s their issue too, you’ll get the blame if something does go wrong. A high-level gap analysis or even just an awareness-raising session for senior management could be all you need to get the ball rolling out of your court.