Significant changes in working arrangements have occurred for many people during 2020, and as 2021 commences, further changes are very likely. In the last 10 months the COVID-19 pandemic drove an increased reliance on technology by organisations in order to ensure employees and customers could function through a very disruptive period.
When announcing their most recent quarterly financial results Microsoft CEO Satya Nadella was quoted as saying – “what we have witnessed over the past year is the dawn of a second wave of digital transformation sweeping every company and every industry.”
In moving to adopt or adapt technology it is important to continually re-assess processes, procedures and technology controls to mitigate cybersecurity risks and threats. It is also increasingly important to recognise and focus on the role that people play in security risk management and exposure. Plenty of organisations have experienced short- to medium-term pressure on the IT operations front, which makes it very challenging for an already resource-constrained IT team to maintain any consistent focus on developing the strategic and proactive initiatives that drive long-term, programmatic IT security improvement.
The uncomfortable truth is that human factors are ultimately the weak link even in “business as usual” situations. As a result, organisations that should readily be able to demonstrate a degree of security maturity are often very exposed. In the current environment, where business is not “as usual,” the level of cybersecurity risk and exposure has increased as users get to grips with new technology and adapt their work practices.
Your “IT Highway Code”
The best place to start improving your security maturity is to build a solid foundation of comprehensive IT policies that establish common standards for operational system use, and that also provide a solid foundation for effective control of risk as part of your Security Maturity Model.
By creating this organisational “IT highway code”, users know the guidelines and rules of operation, which minimises accidental data breaches and unnecessary security risks. The main objective is therefore to protect corporate systems and maintain data confidentiality, integrity and availability.
A comprehensive suite of policies will assist with the practice of good information governance upon which procedures, processes and informed technology investments can then be made.
Develop, Deliver, Maintain
Many organisations have opted to carry out policy development work in-house, and then to try to deal with the ongoing management of those policies in-house as well. This approach has had limited effectiveness, primarily because organisations do not have the required resources in place to do such specialised work.
Some questions to consider when using in-house resources to develop, deliver and maintain IT policies:
- Do we have someone in the team that can write policy content in plain English?
- What is the appropriate level of policy content for our organisation?
- Is our existing policy content relevant, based on the technology we are using or now adopting?
- Who do we need to provide policies for – users, managers, technical team members, contractors, directors?
- How do we align policies with standards, best practice guidance and legislative requirements?
- Who else in the organisation do I need to engage with for input on this project?
- What is the timeline to start and finish drafting, reviewing and approving policies?
- Is there an agreed approach for delivering the finished content to the wider organisation?
- Once developed, who will deal with changes to policy wording if the in-house author leaves, or if our business requirements, technology choices or standards change?
- What is the real cost of conducting this exercise in-house?
A Proven Alternative
Policy Management as a Service (PMaaS) from Protocol Policy Systems (PPS) is designed to assist organisations to develop, deliver and maintain a comprehensive suite of IT policies tailored to their specific business requirements. A typical PMaaS project can be completed in 8 weeks (elapsed timeframe) and incorporates a 3-day workshop to facilitate and stimulate discussion between stakeholders.
All our policies are mapped to a range of international standards and best practice recommendations such as ISO 27002, ISO 27017, PCI DSS and Cyber Essentials Plus, to name but a few. A number of additional supporting elements are provided with the service, including a range of templated procedural forms, security awareness videos, a glossary and a topic index. A key element of the service sees PPS provide ongoing assistance to keep all the content up to date with changes in areas such as standards, policy wording and terminology. This ensures our customers have ongoing continuity in terms of access to subject matter expertise, and are not reliant on finding someone in-house to keep IT policies relevant and up to date.
For further discussion, please contact Emma Tickner.