Information Security
Making It Work!
Safeguarding your organisation’s critical data and ensuring compliance with industry regulations are paramount in today’s digital world.
Essential Eight is a perfect starting point for reviewing and improving your core IT systems and processes. However, to create a truly effective Information Security Management System (ISMS), you need to expand your thinking to include three key elements: governance, risk management, and compliance.
Developing an ISMS is all about standards and regulation, ensuring things are done consistently and are always controlled. It only makes sense then that the path to achieving Information Security compliance follows a defined and consistent process. If you partner with DNG on this journey, here are the steps we’ll follow:
Build Your Team
- Project Manager: Someone needs to be responsible for implementing your ISMS.
- Project Sponsor: This may be the same person as the Project Manager in a small organisation, but they need to have the authority to make things happen and to get board/executive buy-in.
Define Your ISMS
- Goal Definition: What are the objectives of the ISMS? Are you aiming for a specific certification (e.g. SOC2, HIPAA) or aligning with an industry framework (e.g. CIS, GDPR, Essential Eight)? An objective is of no value if you cannot measure an outcome, so how do you measure these objectives to ensure you are moving toward the goal?
- Risk Appetite: How much uncertainty (risk) is your organisation prepared to take to meet your objectives? The appetite is influenced by the importance of those objectives, while the legislative requirements of the Australian Privacy Principles (APP) will also impact your risk appetite. The risk appetite then becomes the measuring stick when performing the risk management functions – assessment and treatment – outlined below.
- Document Policies and Procedures: Create clear policies (high-level guidelines) and procedures (the how-to’s) to define expectations and how your ISMS will function.
Implementation
- Information Inventory: Identify where your sensitive information is stored, including physical and digital files, across all locations, departments, tools and systems, and devices. This allows you to define the scope of the ISMS, or the depth and breadth to which you need to evaluate your risk.
- Risk Assessment: Evaluate the risks associated with your products or services. Consider your tolerance for these risks (your risk appetite). The Risk Assessment shapes your selection of controls in the next stage.
- Risk Treatment Plan: This document is an extension of the assessment and outlines how you will treat each of your risks. Types of treatment are to mitigate (prevent), avoid (don’t do the risky action), transfer (use a third party) or accept (cost of treatment is greater than the possible damage). The treatment plan needs a detailed course of action and a responsible person for each risk.
- Select Controls: Security controls are the actionable tasks that need to happen. These can include monitoring the various pieces of software and technology, scanning for vulnerabilities on a regular basis and ensuring all aspects of your security framework are reviewed on a regular basis. You document all controls in a ‘Statement of Applicability’, indicating which are to be used and providing reasons why others are not to be used.
- Operational Measures: Implement practices and measures to protect against cyberattacks, breaches and disaster events. This includes endpoint security software, firewalls, vulnerability/patch management and staff cybersecurity training.
- Train Your Team: Everyone has to do their part. Whether it’s a clean desk policy, workstation screen locks or checking visitors in at the front desk, an ISMS will affect everyone … but it shouldn’t be complicated!
- Continuous Effort: Information Security is an ongoing initiative that must be led by a key program manager within your organisation. This is not a one-off, set and forget process.
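The risk assessment, treatment plan and Statement of Applicability steps above, worked through as a small risk register in code. This is an added example, not DNG's material; the control IDs, sample risks, scoring scale and appetite threshold are constructed assumptions.

```python
# Added example, not DNG's material: a small risk register that uses the risk appetite as
# the measuring stick, checks the treatment plan and derives a Statement of Applicability.
from dataclasses import dataclass, field

TREATMENTS = {"mitigate", "avoid", "transfer", "accept"}

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    treatment: str   # one of TREATMENTS
    owner: str       # responsible person, required for every risk
    controls: list = field(default_factory=list)  # control IDs used to mitigate

    def score(self) -> int:
        return self.likelihood * self.impact  # inherent risk, 1..25

def validate_treatment_plan(risks, appetite):
    """Return the plan's problems (empty list = consistent). appetite is the
    highest score the organisation will accept without treating the risk."""
    problems = []
    for r in risks:
        if r.treatment not in TREATMENTS:
            problems.append(f"{r.name}: unknown treatment '{r.treatment}'")
        if not r.owner:
            problems.append(f"{r.name}: no responsible person assigned")
        if r.treatment == "accept" and r.score() > appetite:
            problems.append(f"{r.name}: score {r.score()} exceeds appetite {appetite}")
        if r.treatment == "mitigate" and not r.controls:
            problems.append(f"{r.name}: mitigation chosen but no control selected")
    return problems

def statement_of_applicability(catalogue, risks):
    """Mark each catalogue control applicable (naming the risk it treats) or not."""
    used = {c: r.name for r in risks if r.treatment == "mitigate" for c in r.controls}
    return {c: ("applicable", f"treats '{used[c]}'") if c in used
            else ("not applicable", "no assessed risk requires it") for c in catalogue}

# Constructed sample data mirroring the operational measures listed above.
CATALOGUE = ["CTL-01 endpoint security", "CTL-02 patch management",
             "CTL-03 awareness training", "CTL-04 visitor sign-in"]
SAMPLE_RISKS = [
    Risk("Ransomware on file server", 4, 5, "mitigate", "IT Manager",
         ["CTL-01 endpoint security", "CTL-02 patch management"]),
    Risk("Legacy app cannot be patched", 3, 4, "accept", "CIO"),
    Risk("Phishing of finance staff", 4, 3, "mitigate", "", ["CTL-03 awareness training"]),
    Risk("Office power outage", 2, 2, "accept", "Facilities"),
]
RISK_APPETITE = 9  # assumption: any score above 9 must be treated, not accepted
```

Running `validate_treatment_plan(SAMPLE_RISKS, RISK_APPETITE)` flags the accepted legacy-app risk (score 12 exceeds the appetite of 9) and the phishing risk with no owner, which is exactly the kind of gap a management review should catch.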
Prove Compliance
- Monitor: Continuously monitor controls and log events and any required treatments.
- Review: Always be looking for ways to improve your ISMS. Review implementation of controls at an operational level. Perform management reviews of risk assessment and treatment plans. Provide your board and executive with regular feedback showing the changes that have occurred throughout the process.
- Perform Audits: Audits don’t have to be performed by an external party. You can validate compliance through your own routine audits.
Don't leave your data security and compliance to chance
Reach out to DNG Technology today to discuss how we can help you protect your data, manage risk, and achieve compliance. Your information security is our top priority and it should be yours.