Archive for the ‘Consultants View’ Category

Data Protection is a bad thing, so let’s hide behind it (?!)

July 8th, 2011 by

Ever called up a call centre and been told “can’t give you that information, the Data Protection Act won’t let me”?

What rot.

Organisations do have a tendency to hide behind the Data Protection Act, which leads to the perception that the act is a bad thing.  The perception is that it stops people from doing what they want to do, when they want to do it.  In my time with the Police, I would often find out that Police officers would have gotten information in um… how shall we say… interesting ways.  I would ask “Why didn’t you come and talk to us about proper disclosure?”, and they would respond “I thought you would say no”…

And there is the problem.  The DPA is often seen as something that gets in the way, that stops data from flowing.  Nothing could be further from the truth.  The act was created in the UK in response to a European directive to enable common data rules across the EU, so that wherever you are in the EU your data is treated equally and is ENABLED to flow across borders.  The DPA doesn’t really say “no”.  What it says is “yes, as long as you have given some thought to doing it safely”.  The problem is that organisations see these safeguards as barriers, rather than ways to take products and services to market in confident and ethical ways.  I have always viewed the act as a business enabler.

Let’s take a look at some of the principles, for example:

Principle 2 – this requires you to specify to the data subject the purposes for which you process their personal data.  And why not?  A great chance to demonstrate your ethical conduct.  To inform your customers on what you do and how you do it, and ensure that there are no catches or surprises for them – thus engendering customer trust.

Principle 3 – personal data shall be adequate, relevant and not excessive.  And why should it be anything else?  Collect enough to make accurate decisions weighing up all the facts, but not too much.  Irrelevant and excessive data will “clog up” your business processes, costs money to store and creates an overhead.

Principle 4 – accurate and up to date.  Do you really want to hold out-of-date and inaccurate information?  Make the wrong decisions?  Send things to the wrong place?  Charge the wrong amounts?

Principle 5 – Retain for no longer than necessary.  Not exactly rocket science either.  Keep things for as long as you need, then get rid.  Data storage costs and good housekeeping will ensure a lower cost base in terms of storage space and data management.

Principle 7 – appropriate technical and organisational security.  Note the word appropriate.  The Data Protection Act does not mandate a security level – it just asks you to implement what you feel is appropriate to your risks and apply it consistently.  No restrictions here, no “DPA says no”.  It is the organisation that decides on the response and applies its own policy on what is “appropriate”.  You should remind the call centre operative above who tells you the DPA is preventing you from accessing your record that it is their company policy – their response to the DPA rather than the act itself – that is actually the issue.

I could go through each and every principle, but it seems to me that the Data Protection Act is a force for business enablement: it focusses on good practice in information management, creates data flows that focus on good customer service, demands a level of complexity only commensurate with the size and nature of the organisation, and enables organisations to go to market confidently, with good data management, customer trust and cost effective approaches to good information governance.

So don’t shun the DPA as an overhead.  Embrace it as a force to take your products and services to market in a safe, secure, ethical and cost effective manner.  Why would you want to do anything else?

A Pilgrim’s Progress…

July 8th, 2011 by

So there you are … someone has mentioned ISO 27001 and that you ought to be certified or ‘have ISO 27001’, as it might be “good for business”. You have heard of ISO 27001, but have always dismissed it as being something to think about. Now, however, maybe it’s time to look into it a bit more seriously.

Quick search on the Internet – blimey there’s loads of stuff. Mostly from consultants and others trying to sell you stuff.

Resort to Wikipedia … it at least gives you an idea.

Aha – ISO 27001 is an international standard.

Next step then – get hold of the Standard.

Online order—wait a while until the download has completed … and … ‘Open’ … and … oh! This looks so … ah! Exciting!

Read the opening bits … International Standard … Foreword … Introduction … Process Approach … Scope … Definitions … Ah! Here we are … Information Security Management System: General requirements…

…Scope … yes, Policy … ahem … ‘Define a risk assessment approach’ … uh?

Our risk assessment approach is based on what I or the IT Manager thinks. What do they mean?

Read a bit more … ‘identify the risks’ … ‘analyse and evaluate the risk’ … ‘identify and evaluate options for the treatment of risk’…

This ‘risk’ thing keeps coming up.

Then you spot a note “Risk assessment methodologies are discussed in ISO/IEC TR 13335-3”.

So a search on “ISO/IEC TR 13335-3”.

This time you find that “ISO 27005:2011 supersedes ISO/IEC TR 13335-3” (can’t they ever get these standards sorted?)

Maybe purchase ISO 27005:2011?

Not sure – purchasing all these standards might get pricey. Plus what does it mean?

Perhaps a search for “ISO 27001 risk assessment”? Might that help?

That’s better. Now here’s something actually helpful. It is a page about “ISO 27001 Risk Assessments”. It’s written in plain English and it suggests that a tool might help, and there is even a free demo so I can try it out for myself.

I click on the links on this page, and it shows me a whole wealth of information telling me in a clear manner exactly what I need. Want to know where I went? Right here.

As for ISO 27005? I’ll bear it in mind, but that tool is way cool for risk assessments.

Are You Safe From Cyber Attacks?

July 8th, 2011 by

The world has become a far riskier place to do business. As on-line business continues to grow, organisations must face the risks that come with outsourcing and using third party services, larger supply chains and the increase in cyber attacks and cyber fraud. In this modern age, businesses have a dependence on IT, networks and wireless and mobile communications; all of which come with their own security issues.

The driving force for a successful business is to have the right information at the right time, in order to make well-informed decisions. Not only is information the key to business success, but the protection of this information is equally important.

According to a survey carried out by the Ponemon Institute, 90% of businesses that took part have fallen victim to a cyber security breach at least once in the past 12 months. What could be a more daunting statistic?

The survey showed that for 59% of the respondents the most severe consequence of any breach was the theft of information assets followed by business disruption.

There have been recent cyber attacks on high profile organisations including Sony, Nintendo, Google Gmail, Citi Bank and the International Monetary Fund (IMF). Oh, should we mention Arizona State Police too?

Are cyber attacks on the rise?

Whilst only 43% of the respondents in the survey indicated that there was a significant increase in the frequency of cyber attacks, 77% of them believe that the attacks have become more severe. 34% said they had low confidence in the ability of their organisation’s IT infrastructure to prevent a network security breach in the future. Astonishingly, only 11% of respondents knew the source of all their network’s security breaches.

So what is wrong?

The huge increase in cyber attacks this year is due, in part, to organisations failing to adopt effective security. The recession has contributed to a cutback in manpower, leaving many companies’ IT security departments understaffed. Additionally, the growing use of connected technology by employees means that corporate data is increasingly being downloaded and stored on private devices, raising further security risks.

The increasing threats to organisations worldwide from cyber attacks need to be addressed by better information security management, using established standards such as ISO 27001. In order to protect the confidentiality, availability and integrity of information assets, implementing ISO 27001 is the first logical step towards developing an effective cyber security strategy.

Information security – a concern for all

The costs of cyber attacks to business and business continuity are enormous and the stakes are high. Now is the time for CEOs, CFOs, CIOs and management staff to ask themselves these questions: When was the last time you discussed information security issues at your board meetings or tested your systems? Does your organisation have an ongoing security training programme? Does it implement a best practice approach? If you don’t know the answer to these questions, then you will know who to blame if you get hacked. Or maybe you still think that cyber attacks only affect others, but not you? Perhaps those at Citibank and Sony were thinking just the same.

ISMS: The Missing Link

July 8th, 2011 by

Whenever any information security system is being implemented or improved there are three basic tenets to take into account:

  • People
  • Technology
  • Processes

You can spend all the money you like on technology or tighten the processes up to the nth degree, but unless people are considered the security will not be watertight.

It is people who make or break security systems. Some will cause issues due to making mistakes, others may be tempted through some nefarious activity, or because they are disgruntled for some reason. A classic case of this is the case with T-Mobile’s employees, who unlawfully sold customers’ personal data to third parties. Most employees, however, compromise security through oversights.

Holding open doors for people we don’t know, letting them have access to buildings, choosing easily guessed passwords, leaving confidential papers on desks and printers, not keeping laptop screens away from prying eyes, discussing sensitive items on a mobile in public places. Who hasn’t heard someone on a train ordering stuff using a mobile where they give their name, address, card number and CVV code?

If people can do that with their own sensitive personal data, what might they be doing inadvertently with your data?

Getting people on board is vital for a comprehensive security system. Yes, you do have to have the right processes for them to follow and the technology has to be secure in itself. There are things you can do to inhibit people’s behaviour or to prevent breaches. The sort of technology might be encryption techniques for mobile devices (data sticks, laptops, mobile phones). It might be some form of endpoint protection. All of these help, but they do not in themselves afford full security.

So, how to bring people on board? Mostly, it is about communication. Share with your staff what you want to achieve, ask them to help you. Above all, provide them with training on what you consider acceptable and unacceptable behaviour. In particular, raise their awareness of how they can improve or compromise security. Point out what bad things can happen and what good practices they can employ.

This type of training can be dull, some of you will think. However, you can make it entertaining or even interactive – that is always a plus. You might consider introducing an e-learning course to your staff, or installing animated graphic reminders on their computers, or hanging information security awareness posters on the wall, or presenting them with a book on the subject. Whichever of these options you choose (why not all of them?), one thing is sure: you won’t be wrong.

Good things happen when planned for – the bad things will happen anyway…

March 30th, 2011 by

A blog about “safety” and what it means to be “safe”. Often depressing is the fact that there is no such thing. The bad news is that nothing is ever 100% secure. Not if you want to actually be able to use the information, anyway!

That does not mean, however, that we should throw our hands up in the air and give up; quite the opposite. “Safety”, like security, is a relative term, and it always comes down to an organisation’s risk appetite. A good security architecture is always risk driven, with a response proportionate to both the value of the assets and the risk posed by the threats arrayed against them. But I’ll save risk assessment for a later blog…

For the moment let’s consider the qualities of the asset we are trying to protect. I’ll take you back to my much maligned “Joe Bloggs” view of information security, in which he states ‘it’s about keeping people out of computers, innit?’. My last blog dispelled the myth that computers are our area of focus; now let’s deal with the other – “it’s about keeping people out”.

Now as we’ve said, to keep everybody out is not possible. It’s also a very negative view of security which will lead the organisation concerned to think you are just there to stop them doing business. I’ve lost count of the times that security is seen as a business barrier, not the business enabler it should be.

Clearly one of the aims of security is about “keeping the right people in”. We call this CONFIDENTIALITY. Probably most peoples’ first concern, and quite correctly too. However, it’s only one of the trio that make up our security “CIA”.

Some organisations have no confidentiality concerns at all. Say a public sector organisation only concerned with ensuring public information is on the web 24x7x365. You ask any IT department when their stakeholders start to complain, and rarely will they say it’s when information is given out, but instead when it’s unable to be gotten to or used at all. The system is down, the network is out or slow, the access is restricted. In today’s modern day and age we are used to “always on” and “instant access”. What concerns people mostly is really the AVAILABILITY of the information assets.

Finally, how would you feel if your bank dropped a couple of zeros from your bank account? How annoying is it when your name is spelt incorrectly by your utility company? What are the consequences if you’ve been mislabelled a debtor, or a criminal, or your penicillin allergy has been missed off your medical file? Information has to be accurate, up to date and relevant to be useful. Acting on damaged, corrupt or simply wrongly input data can have serious and far reaching consequences. We call this third quality of the information its INTEGRITY.

It’s the CIA that protects us from DDD.

  • Disruption vs. Availability
  • Damage vs. Integrity
  • Disclosure vs. Confidentiality

Getting the balance right…

Organisations will have a different Confidentiality, Integrity and Availability (CIA) balance. For some, confidentiality will be the most important; for others it may not be relevant at all as long as the information is available and accurate. Considering the threat of a fire to our building assets, the main damage to be caused is that the asset becomes unavailable, or its integrity is damaged – once the building is burnt to the ground – let’s face it – the confidentiality of the information inside is pretty much assured.

So we are left with the question of finding the right balance for your organisation. Looking at CIA and the question of security vs. usability, risk vs. reward, cost vs. benefit? Yes, nothing is 100% secure, but we should do our best to find a way that will give us the “most bang for our buck”. A system that will fit your organisation, enable it, not disable it. Add value and allow you to focus your priorities on the key qualities of the key assets.

Safe may be a relative term, but information security is specific, in that it aims to target the correct qualities of the correct assets in a balanced way to allow you to conduct business in confidence.

What is information security?

March 30th, 2011 by

“Beauty is in the eye of the beholder…”

Well, not as easy a question to answer as you may think. It will mean different things to different people. If I ask Joe Bloggs on the street, they will probably say something along the lines of “it’s about keeping people out of computers – innit?” – Ugh.  I’m constantly confused with some sort of glorified IT technician: if I’m asked my job title at a party (yes I do go to some!) and I mention information security, I’m normally asked to help fix their printer/laptop/PC. Again, Ugh.

I normally then have to explain that I “help organisations keep their information safe”, whether this be physical, human, IT, legal, paper-based or otherwise. And that’s an interesting place to start. “Safe” for one organisation is not the same as “safe” for another. Security is a subjective thing.

Consider an organisation that is a top secret nuclear bunker versus three men making furniture in a shed. Clearly they both have different needs to keep their information safe. The “3 men in a shed” will likely have the following as appropriate measures:

  • Padlock on the door
  • Fire extinguisher
  • Somewhere else to work if it all goes wrong
  • Insurance

Even the last two bullets here are questionable! We’d hope a top secret military installation would have a few more measures than this: motion detection, CCTV, high fences, guards, dogs, guns, multiple layers of protection, underground location etc etc… (still not mentioned a computer yet!)

So even here we can see security is a variable thing. It is entirely dependent on the risk posed and threats arrayed against the particular organisation, the nature of the organisation, and the particular nature of the information itself – its value, format, type, importance, consequence of loss etc. Of course, naturally your response will vary dependent on the risks faced…

…Or that’s what you would think. In my experience a common bad practice in security management is treating all information equally, normally a consequence of ownership of information being left to the IT division rather than the “business”. Naturally IT departments will focus on networks and systems in their entirety, and not the data itself – therefore all data receives the same level of protection, without taking into account its value. Typically it will mean high sensitivity data does not receive enough security, and low sensitivity information receives too much security (and therefore wastes money and resource).

We must also consider the information environment itself. Information does not exist on its own, just floating in the ether. It may be stored in a computer, on a bit of paper, on CCTV tape, on removable media, inside people’s minds, carried over networks, spoken over the phone, or stored within buildings and software. In information security we often have to protect the whole environment in order to protect the information correctly. A good way of looking at “information asset classes” is as follows…

  • The information and data itself
  • Processes and working practices
  • Software, hardware, systems and medium of storage/transport
  • Physical facilities and locations
  • Systems and services that allow facilities to operate (electricity/water/gas/lifts/telephony etc)
  • People (not only the user, but cleaners, third parties, internet users etc etc)
  • Intangibles (brand, legals, compliance, reputation, share price, media image)*

*An interesting note here is that the senior management are generally concerned with the final point on the list – which can often be the consequence of an information security breach – these are the assets you are really protecting!

Therefore the “IT centric” approach will not take into account the physical office environment, human factors, paper based records, legal requirements, working practices, remote working etc etc. This leaves a huge gap in the security regime, which has to be holistic to be in any way effective.

“The chain is only as strong as its weakest link…”

One of the greatest problems of information security, is the one of perceived ownership. IT will think the business owns information, the business will think it is IT. Rather than pointing fingers at each other we all need to step up and play our part.  Only a joined up response will holistically protect information appropriately with all stakeholders helping to pursue a common goal, protecting information appropriately to its value.

BS25999 vs ISO 22301

March 15th, 2011 by

Most are aware that BS25999-2 (the requirements for a business continuity management system) will become an international standard in the future. The aim is to have this published by the end of 2011, but as ever, there will be a long transitional phase given by the certification bodies, probably at least 2 years after publication.

It will be “ISO 22301, Societal security — Preparedness and continuity management systems – Requirements” and is currently a “DIS” (Draft International Standard).

As with the draft ISO/IEC 27001:2013 (information security management) nothing is final yet, but it uses the 10 clause format that is to be the new common format for management system standards, as below:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. General requirements
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

I reiterate – ISO 22301 is not final, and subject to change. However, as with the ISO 27001 Draft, requirements for procedures such as record control have disappeared (as records are now considered a type of document), similarly preventive action has been aligned with risk treatment and so the requirements for a preventive action procedure have gone too. Most of the BC requirements stay similar but are more fully and specifically defined.

Most of the familiar “Plan Do Check Act” content seems to fall at present within section 8 of the new format, which I’m personally not sure is how the format was intended to be used, but I’m sure these kinks will be ironed out as it gets closer to publication.

Please also note that BS25999-1 (the code of practice) has already been superseded by “ISO 22399:2007 – Societal security – Guideline for incident preparedness and operational continuity management”, already published by ISO.

We expect the move from BS 25999 to ISO 22301 to be similar to that experienced by organisations moving from BS 7799 to ISO 27001, as BS 25999 is the document ISO 22301 has used for its foundations. As such there is no need for organisations to hold back any BS 25999 certification plans to wait for ISO 22301. To adopt best practice in business continuity management, BS 25999 is still the recommended solution, and will serve as the best route towards compliance with ISO 22301 when it finally comes into force.

The best management system is an invisible one.

March 15th, 2011 by

I often say this to clients, but this is advice that often goes unheeded.  These days integrated management systems are becoming more commonplace.  A lot of people are moving away from ISO 9001 (quality management) alone and are instead utilising increasingly diverse management system frameworks: ISO 27001 (information security), BS 25999-2 (business continuity), ISO 14001 (environment) etc etc.

All well and good.  The problem comes when trying to “sell” these to staff.  Frequently, these management systems are perceived as heavy amounts of documentation without any real business benefit to the end user – the staff and management.  More of an overhead, especially when the key driver comes not from an internal desire to improve, but from an external tender requirement placed on the organisation concerned.  The task is given to an individual, who then spends hours writing the documents and putting them in a collated mighty tome, that then sits on the shelf, unused and unloved until the certification auditor arrives.  This approach may well be more of a cost to the business than a benefit.

All management systems have a similar chassis, a series of seven documented procedures that are common: internal audit, management review, corrective action, preventive action, document control, record control and exception management (be these security incidents or non conforming products).  In fact, the news from ISO is that subsequent revisions to these standards will further harmonise these management system documents, so these common areas will even have the same clause number from standard to standard.

So what does this mean for a business?  It means that you don’t need weighty tomes for each standard.  It means that management systems can be integrated, with a single business wide document that governs the whole of the business, that does not have to refer to the management system standards at all.  Why have an ISO 27001 document control procedure, a 14001 document control procedure and a 9001 document control procedure, when instead you can have a single business wide document that tells you how the business as a whole manages documents?  The fact that this business wide procedure meets the relevant standards should be a happy coincidence, not the driving goal.  It is worth remembering that it is the certification body’s assessor’s job to evidence that you are meeting the standards, not yours by littering your documents with references to standards and standard clause numbering conventions.

This approach means that the management system begins to fade from your average user’s eyes.  They don’t care what ISO 9001 or ISO 27001 says, but if you tell them all their documents have to meet this procedure because it is what your business expects (not some external standard), then they will probably get on board.  The management system stops being some external requirement, and becomes just “what we do as a business”, embedded within the culture.

The other two major factors here are management commitment, and local ownership.  If either is lacking the management system may fail.  Frequently the management nominate an individual to write the MS documentation and this individual is then engaged in writing meaty tomes that no one else will use or read.  It is worth remembering that these are management systems and most will have a business wide scope.  The management, instead of nominating an individual, should realise how important it is that this is embedded business wide and adopted by the whole of the business as a cultural change, and take ownership themselves of it as a methodology to run the business, not as a single project which has been forced on them.  Embracing the change will reap the benefits; begrudgingly chucking a single resource at it will only produce cost.

Finally, the best way to engage the business is to encourage local ownership.  This means abandoning the huge manual and splitting up the documents into a framework of smaller documents, much more easily updated and owned locally, rather than controlled centrally in some goliath book that rests on the shelf.  They are much more easily updated, by those who need to update them.

All MS standards have a requirement for training, awareness and competency, which is the remit of the HR department.  So why then, is the quality/information security manager writing these in isolation as part of his huge manual?  Who is best placed to write a business procedure: someone remote from the process, or the people who actually do it?  To embed management systems in the culture of the business, individuals within the business must own their own process documentation, and the organisation will be better off for it.  HR write the HR docs, IT write the IT docs, Operations write the operational documents.  The standard has an internal audit mechanism to police that these are completed, and a document control procedure to make sure they all look consistent.  Electronic document storage tools similar to SharePoint and cloud based storage solutions can help in their overall management.

And if the staff ask why they must document what they do?  Not because the ISO standard tells you to, but because it is good business practice.  Because the organisation itself requires it to be.  It is embedded in the organisation’s culture, because the organisation wants to have a mature level of corporate governance.

Management systems with proper levels of management commitment, embedded in the culture of the business, locally owned and split into a framework of business focussed activities can reap huge reward.  Those owned by a single individual, collated into a huge folder no one looks at, uses or reads, pulled off the shelf for update shortly before the assessor arrives, will only ever be a cost.

The best management systems are invisible.  They are “just what we do as a business”.

Watch Out: ISO 50001 is about!

August 3rd, 2010 by

Coming to a standards office near you is ISO 50001. Due to be published in early 2011, this will be the definitive Energy Management Standard. Currently, the de facto standard for energy management is EN 16001:2009 ‘Energy management systems. Requirements with guidance for use’. This standard is intended to help all organisations, irrespective of their size, geographical location, products, services or marketplace, to establish the processes and systems necessary for managing and improving energy efficiency. In turn, this helps reduce emissions and greenhouse gases.

Having an EN16001 Energy Management System will enable any organisation to:

  • Improve energy use performance in a systematic way
  • Establish an energy management system
  • Ensure energy management conforms with stated policy
  • Demonstrate to stakeholders and others the organisation’s commitment to energy use improvement
  • Allow certification of the Energy Management System by an accredited third party.

EN 16001 is currently a European standard (the EN designator indicating it is a ‘European Norm’). However, the International Standards Organisation (ISO) has taken up this standard and is planning to publish the international version as ISO 50001, which, surprise, surprise, will also be called “Energy management systems — Requirements with guidance for use”. Currently, the international version is in the voting stage as a Draft International Standard. If all goes well, expected publication will be in early 2011. Thus, certainly for a while, EN 16001 and ISO 50001 will sit alongside one another. Those of you who have already started on EN 16001 programmes, fear not: one of the prime aims in writing the international version has been to retain compatibility between EN 16001 and ISO 50001, thus ensuring early adopters of the former standard will not lose out. It is anticipated that those certifying to EN16001 should have only minimal transitional requirements to achieve ISO 50001 status.

Confused? You certainly should be. Hopefully, after reading this, the situation will be clearer and doubt removed. If you are still in need of succour, why not call IT Governance (+44(0)845 070 1570) and talk it through.

The contents of EN 16001 are:


Top Security Tips: documentation – Updated

April 15th, 2010 by

During my experience as an assessor, auditor, practitioner and consultant, I find that documentation is a real pain for organisations.  Too often I see organisations who have ended up with documentation that is inappropriate for the way they work.  Large, bulky manuals full of technical information.  Documents that are inconsistent and in different formats and layouts.  Documents written for an external assessor rather than for a practical business process.  The result is clear.  People don’t bother to read or use them.  And this means the resulting business practices become non compliant and out of control.  Security risks, therefore, will increase dramatically.

Getting documents “write” shouldn’t be difficult.  I’ve compiled a list of top tips below that, if followed, should ensure that documentation stays relevant, up to date and usable and, more importantly, is read and followed by an organisation’s stakeholders.

The most important document you will write is the document control, or “how to document” document.  This will set out the formats and practices that the rest are built on, and makes sure that all the other documents are consistent within the organisation.

Educate staff on the difference between policy (senior management aspiration), procedure (documenting how to undertake a process), guidance (non-mandatory help or explanation) and records (evidence that procedures have been carried out).  Too many organisations use the word “policy” to mean all of the above and end up with documentation with very confused purposes and language.

Try to keep documents short and succinct.  As a guide, keep policies to a single page and procedures to around three.  Consider whether a picture or diagram will be more effective than words.

Allocate roles and responsibilities early to ensure everyone knows where they stand.  If you allocate someone a role or responsibility, be clear what that entails and requires of the individual.

Give staff ownership of documents that pertain to their part of the business.  Make them responsible for document update and maintenance.  Not only will this ensure that documents are produced, but also that they are relevant, accurate and practical for the right audience.  Audit to ensure documents have been reviewed and updated.

Try to avoid large and unwieldy compliance manuals; instead, build security controls into the smaller business process documents that are relevant to the staff who will use them.

When pursuing standards, though you must ensure the requirements are covered, ensure that documents are still written in language that is appropriate to the staff and culture of the business.  For example, if a standard says you must have a “corrective action” procedure, it may be better to call it something like “How do we fix problems?” instead of the title from the standard.

When applying protective marking (or information classification) to documents, make sure that everyone is educated in the marking system and what it means you can and cannot do with a document.  Consider extending the marking system to other tangible information assets, such as manual files, emails and media, and using it as the basis for access control (i.e. this is a “public” zone and through that door is the “confidential” zone).

Consider how you will evidence that staff have read and understood documents.  However, getting staff to sign loads of documents can sometimes be a waste of resource.  Consider standing orders that require staff to visit a folder or intranet page at a certain time, or an email with links to relevant documents.

Don’t mix words like “will”, “shall” and “should” in the same document.  Some words are aspirational (“will” is a good word for policy), some are mandatory (“shall” or “must” is good for procedures) and some are non-mandatory (“should” or “may” is good for guidance).  Mixing these words within a single document means that you are not providing clear direction to your staff on what they are required to do.  Being consistent in your words means that the style of documents and instructions to staff remains consistent.
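As an added example (not part of the original post), a small checker that applies the modal-verb rule above: it counts aspirational, mandatory and non-mandatory wording in a document and flags both mixing and a mismatch with the declared document type. The word-to-class mapping and the sample documents are assumptions constructed for this example.

```python
import re
from collections import Counter

# Modal classes as the post describes them; the mapping itself is an
# assumption of this example, not a rule from any standard.
MODAL_CLASSES = {"will": "aspirational", "shall": "mandatory", "must": "mandatory",
                 "should": "non-mandatory", "may": "non-mandatory"}
# Which class each document type is expected to use (assumed).
EXPECTED_CLASS = {"policy": "aspirational", "procedure": "mandatory",
                  "guidance": "non-mandatory"}
_MODAL_RE = re.compile(r"\b(will|shall|must|should|may)\b", re.IGNORECASE)


def modal_counts(text):
    """Count modal verbs in text, grouped by class."""
    counts = Counter()
    for m in _MODAL_RE.finditer(text):
        counts[MODAL_CLASSES[m.group(1).lower()]] += 1
    return counts


def check_document(doc_type, text):
    """Return findings: mixed modal classes, or a dominant class that does
    not match the declared document type (policy/procedure/guidance)."""
    counts = modal_counts(text)
    findings = []
    if len(counts) > 1:
        mix = ", ".join(f"{c}={n}" for c, n in sorted(counts.items()))
        findings.append(f"mixed modal classes: {mix}")
    if counts:
        dominant = counts.most_common(1)[0][0]
        expected = EXPECTED_CLASS.get(doc_type)
        if expected and dominant != expected:
            findings.append(f"{doc_type} mostly uses {dominant} wording, "
                            f"expected {expected}")
    return findings


# Constructed sample documents (not from the post).
SAMPLE_POLICY = ("Staff must lock screens. Managers must review access quarterly. "
                 "The organisation will protect personal data.")
SAMPLE_PROCEDURE = ("Operators shall verify the backup log. "
                    "Operators shall escalate failures.")

if __name__ == "__main__":
    for name, doc_type, text in [("policy", "policy", SAMPLE_POLICY),
                                 ("backup", "procedure", SAMPLE_PROCEDURE)]:
        print(name, check_document(doc_type, text) or "OK")
```

Run it over a folder of policies and procedures before review; the mixed-wording finding is the one that most often reveals a “policy” that is really a procedure in disguise.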

Make sure document formats and templates are held centrally and used by staff to create documents.  This ensures the logo and brand is protected, and staff have examples to work from.  Make sure that documents can be approved and published centrally to ensure that all documents contain the relevant information and can be found when required (technology solutions for storing these documents in web portals are becoming more popular by the day).

Finally – whenever I train staff and information security professionals, the documentation part of the course is always initially met with a groan.  However, once people see the many benefits of good documentation regimes, they leave the session enthused and confident, knowing the many benefits that good communication can bring to any organisation, and the improvement it can bring to its security stance.

Post by Ralph O’Brien.