Management Commitment to Security
How Important Is Security Management?
Organisational leaders, including board directors, business executives, chief information officers, and managers of corporate audit, security, legal, line-of-business, privacy, and supply chain, all must play a role in making and reinforcing the business case for effective security. Trust, reputation, brand, stakeholder value, and customer retention are at stake if security management is performed poorly. Attentive organisations are much more competent in using security to mitigate risk if their leaders treat it as essential to the business and are aware and knowledgeable about security issues.
It is difficult, if not impossible, to sustain security improvement and move it into everyday organisational culture and practice without senior management commitment and ongoing reinforcement.
What Is The Purpose Of A Security Policy?
Clear, concise policies serve to enact the intent of the organisation and help fulfil organisational objectives. A policy typically outlines specific requirements and rules that must be met, including appropriate behaviour and consequences for unacceptable behaviour.
A Security Policy Specifies:
Security Policy Categories
- Acceptable Use (for users, system administrators, security personnel, and outside parties)
- Host Security and Application Security
- Change Management (patch management)
- Identity Management (provisioning, use of passwords, other means of authentication)
- Requirements for all devices with network access
Areas of Security
You need to identify the organisation’s most critical assets and where those assets are most at risk in order to help select and prioritise security practices to implement during deployment and operations.
It is important to note that risk assessments must be performed on a periodic basis (such as annually), as the risk and threat landscape is constantly changing. A high-priority risk today (and the security controls necessary to mitigate it) may be overtaken by an even higher priority risk tomorrow.
As with any project, a strategy and plan are necessary to successfully deploy and operate systems and software to meet security requirements and sustain a desired security posture. Security strategies and plans can be integrated into organisational strategic and operational plans or they can be written as stand-alone documents.
Security plans describe and specify the following topics:
- Program/project management
- Standard operating procedures and processes
- Security budget
- Security tasks
- Security roles and responsibilities
- Security staff competencies
- Definition of what constitutes acceptable performance
A popular expression is “what gets measured, gets done.” Some form of security measurement is necessary to determine whether deployed security practices are meeting security requirements and how well they are doing so. Metrics, in part, serve to enact policies, plans, and strategies and to indicate progress (or lack of it) toward mitigating security risks.
Having well-defined measures in place and regularly reported serves to direct the organisation’s attention based on the results. Visible measures positively influence human behaviour by invoking the desire to succeed and compare favourably with one’s peers.
The extent to which each of the prerequisites described above is in place depends on the organisation’s view of security’s role in meeting business objectives, including the need to mitigate security risks to critical business assets (information, processes, services, applications, and infrastructure).
What Our Clients Say
“CyberWhite have been a pleasure to deal with by repeatedly demonstrating their professionalism and technical knowledge throughout the procurement process and execution of our project. From initially exploring our goals to a consultant working with us on-site and remotely, we’ve enjoyed a positive experience that has ultimately benefited our organisation and helped to improve our Cyber Security posture.”
“I would like to say a thousand “thank you’s” to CyberWhite after rescuing us from the commercial disaster we faced after being subjected to a very sophisticated fraud. Without the timely involvement and expertise from CyberWhite, we would undoubtedly have faced catastrophic consequences including a significant financial loss and possibly a forced closure of the business. We will always remember the kindness and professional approach taken by the CyberWhite team. They were able to successfully recover the critical data which was the lifeblood of our business. This expertise has allowed us to continue trading and provided us with the additional benefits of ensuring that we are more cyber risk aware and we now have a security partner to support us.”
“As an Operator of Essential Services, PX Group comply with advice provided by recognised security bodies such as NCSC. The advice is relevant to all organisations who provide infrastructure or support to the UK’s critical national infrastructure. PX Group engaged CyberWhite to undertake Third Party Security Audits (aligned to ISO28000:2007) against key suppliers who had access to information assets within the PX Group domain. CyberWhite created a comprehensive audit document set and supported this with interviews and visits in order to validate responses. The output from CyberWhite was comprehensive and provided security assurance to PX Group’s stakeholders and interested parties that the key suppliers had a focus on security and understood and could demonstrate best practices in relation to the handling of PX Group’s information assets. This process has been invaluable in validating what we believed and providing a platform from which we will continue to assess, review and benchmark all parties in our information supply chain.”