Here we will discuss the processes to put in place when seeking to protect your organization. Specifically, we will look at shared information and at information systems.
How to Protect Publicly Available Information
Confidential, sensitive, and non-public shared information needs to be protected. Less obvious, but just as important, is that the publicly available information an organization provides or presents must be protected as well. An organization's Security Program should always address the confidentiality, integrity, and availability of its information assets, including the information itself.
When it comes to publicly available information, the focus should be on information integrity. Even though the information is public, an organization is at risk if that information is misrepresented or modified by unauthorized individuals.
What Can I Do?
Your organization should designate the individuals who are authorized to post information onto any publicly accessible information system, including your organization's public websites. These authorized individuals should be trained so that they can verify that publicly accessible information is accurate and does not contain any non-public data.
Proposed content should be reviewed before it is posted onto public systems to ensure that no non-public information has been included by mistake. Additionally, the content already on publicly accessible systems should be checked for non-public information quarterly. Records of these reviews should be retained as evidence to support and protect your organization. So, what would a check look for?
Red-Face Test: This is a test, or check, that asks the question: would it cause embarrassment for your organization if this type of data were misrepresented? Your organization needs to ensure not only that non-public data is never released on a publicly available system, such as your website, but also that any public data you provide is accurate. An incorrect press release, typographical errors in a job posting, or errors in email delivery are just a few examples that have the potential to cause embarrassment for your organization.
Security Requirements for Information Systems
Now that we have discussed protecting the company's publicly shared information, let us discuss information systems and why they should be protected.
Information systems are critical to the success of any organization. Several standard security requirements should be in place for every system or class of information systems. By defining and implementing these requirements, your organization gains systems it can rely on, and it gains a clear understanding of how best to protect itself from threats and vulnerabilities.
These requirements do not apply to the development of systems and applications alone. They also apply to the implementation, operation, and ongoing management of systems. If standard requirements are not clearly defined, communicated, required, and implemented, your organization is at risk of running improperly configured systems.
Documentation is Key
Standard operating procedures should be documented and maintained. This protects your company now and keeps it secure in the future. The documents should be secured and made available to all appropriate personnel who need them. Documentation should include statements of business requirements for newly developed or newly purchased information systems and for enhancements to existing systems. It is also beneficial to specify the security controls that must be implemented for each system, so that future company leaders know what is expected.
Security and Privacy
Security and privacy controls must be addressed in all phases of your project management. Every project, regardless of size or complexity, should address your organization's defined Security Program controls. A large, complex project may involve all or most of the defined security controls, while a smaller project may be affected by only a small group of them. In either case, your organization should ensure that each project addresses its in-scope controls, even if many of the program's controls turn out not to apply. It is good to remain flexible: if a dedicated project manager, or a team of project managers, is not appropriate for the size of your organization, choose a member of the project team who will be responsible for ensuring that the applicable security controls are addressed.
I hope this has helped you and your organization learn more about protecting yourself and your company. To learn more about this issue, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a complimentary synopsis of the 100 Security Program Pitfalls eBook today.