On this blog we’ve talked about security as a path taken, rather than a destination reached. Over the next three posts we’re going to look at 21 concrete steps to walk down that path.
Reviewing these recommend steps will help you better understand the risks posed to your business.
1. Understand Your Threat Environment—Operating Risk vs. Fraud
Operating risk is anything that can go wrong with your business. This can be human error, a computer crash or an act of God, such as a hurricane or flood. Fraud is a type of operating risk, but should be considered separately as i's a deliberate act and requires a different management treatment. What internal and external operating risks and fraud opportunities is your business exposed to?
2. Understand the Tenets of Security Risk Management
If we think of your business as a pie chart, one slice may be product development; another may be sales and marketing; another operations and systems. Whatever your business, Security Risk Management should be in that pie chart—as an integrated slice of your business. Integration is tenet No. 1. And as a security professional in your company, your main job is to be a business enabler and evangelist to make this so.
3. Know Your Security Team
Who is your security team? I’ll tell you. It starts at the top:
• CEO/Principal/Owner—The buck stops here. If the top of the house doesn’t understand his or her invested stake, your whole program is diminished.
• Officers/Executives—They determine roles and model security-conscious behavior. This is how a protection culture is built.
• System Admin/Technical—The nuts and bolts of your tech security.
• Legal Counsel and Compliance—To keep the whole team abreast of changing legal and compliance considerations.
• Employees—Similar to the top of the house, if people doing your business and handling your data aren’t on-board and executing, the best policies in the world are useless.
4. Establish Security Policies and Practices
When drafting policies, ask yourself what assets need to be protected. What is valuable in your business? Computer code or cash, real estate or heavy metals, your type of business will guide you. With polices to protect those assets in place, publish them. Communicate them to everyone on your team and train employees in implementing them.
5. Continuity of Business and Disaster Recovery Planning
Weather, power failure, computer crashes—bad things happen. The key thing to do is mitigate risk. How do you do it?
• Identify threats to your business continuity.
• Assign responsibility and ownership of business continuity to appropriate members of your management team and insure that all threats are covered.
• Develop a realistic plan.
• Have data backup and off-site storage in place now.
• Test the plan.
• Review and update the plan as needed and at least annually.
Many businesses are regulated. They have a legal and ethical requirement to maintain privacy of employees and customer records. Know your industry. Certain records, like protected health information, require very specific protections. Plan for them.
7. Physical Space and Time
Implement concrete policies on employee theft, visitors in the office and physical building security. Today with the various cyberthreats, we’re often focus on topics such as computer security. Don’t forget to execute on the basics as well: Lock your front door!
With these steps your business is building a foundation of control. Next time we’ll look at building on that foundation: Steps 8 through 14.
With more than 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.