The importance of information security for organisations is growing dramatically due to a number of factors. Internet-connected devices — from infrastructure to cars and home alarms — are becoming increasingly common. At the same time, we are seeing a major increase in IT-related incidents and deliberate, hostile data security breaches. These breaches are committed by both criminal organisations and state-sponsored actors, which means society as a whole is affected from a security policy perspective.
4C’s 10 recommendations for enhanced information security should be seen as a first step towards a sustainable, long-term strategy to protect and preserve your most important information assets.
1. Start from square one
An initial, overarching risk analysis provides valuable information on threats and vulnerabilities.
2. Draw up an information security policy
In an information security policy, describe the direction the company management wishes to take and the long-term aim of the organisation's information security work.
3. Perform a gap analysis
Perform a gap analysis that gives management a basis for decisions, presenting the flaws found and the measures proposed to address them.
4. Get management on board
Without the active participation of management and its understanding of information security work, the work will fail.
5. Analyse the greatest information security risks
Undoubtedly the most important and fundamental activity in information security work is the risk analysis.
6. Identify and classify information assets
In conjunction with the risk analysis, all the organisation’s information assets should be classified based on internal and external requirements for confidentiality, accuracy and accessibility.
7. Review crisis and continuity capability
Identify the most critical parts of the organisation's operations, find the greatest risks and vulnerabilities, develop crisis and continuity plans, and start running exercises and tests.
8. Create long-term change in the organisation
Long-term and lasting change in information security work demands a cultural change that permeates the entire organisation.
9. Start measuring compliance
Define suitable metrics, preferably in the form of KPIs, that show the organisation's progress.
10. Start work on a small scale
Information security can be perceived as diffuse and intangible. To avoid this, it is important to start work on a small scale by adjusting the short-term information security goals to the organisation's capability.