Good Enough IT Risk Management

ISMS: "The value you can measure is the value you deliver"

[fa icon="calendar'] Monday, 12 November 2018 / by Jakob Holm Hansen under annual information security plan, ISMS, ISO 27001

[fa icon="comment"] 0 comments

ISMS performance monitoring allows security officers to document specific business value while also enhancing the level of security within the organisation. A Neupart white paper provides inspiration on how to select, define and monitor effects in an ISMS solution.

More [fa icon="long-arrow-right"]

EU Data Protection Regulation - How Hard Can It Be?

[fa icon="calendar'] Tuesday, 12 April 2016 / by Lars Neupart under Best practice, Information Security Management, ISMS

[fa icon="comment"] 0 comments

Granted, the wording of the new Data Protection Regulation we have just received
is complex. The new act entails many requirements as to how companies must process and protect personal data, and not least which processes must function within the companies. The Neupart team is experienced in finding practical solutions in simplifying compliance with information security requirements. We would like to present Neupart’s approach employed in the development of this application.

 

Download our 7-step guide to implenting the EU GDPR

 

The EU regulation requirements are incorporated into the SecureAware ISMS application. Using our latest addition you can conduct your first gap analysis of the EU directive.

In the below SecureAware window, the regulations are shown on the left-hand side, while on the right-hand side you will see a series of links to your information security manual. 

If your information security manual is in SecureAware ISMS, a large part of your
manual is already mapped to the new personal data requirements.

 

The reason why you can do the gap analysis so easily is that we have placed the EU regulations into the requirements library in SecureAware along with the other requirements already within.

The EU Data Protection Regulation is located in the SecureAware ISMS requirement library. 

 

However, there is even more good news. Once you know where the "holes" are in relation to the new regulations, we have made it possible to connect an efficient task management to your gap analysis. The task management allows you automatically to monitor and easily to report on your compliance status.

Efficient task management: Tasks are connected to the particular requirements. A task
can be anything from a simple "execute" task to a recurring process.

 

You can also use the task management to control ongoing, recurring tasks. Tasks related to your ongoing compliance with the new regulations.

Large companies supervise by means of periodically conducting an internal audit; this is also an area that is supported by the task management function within the application. 

It is easy to verify, inspect and conduct an internal audit. 
There is a history of who-what-when on the red-yellow-green progress.

 

This way, the processes that will run in each company that handles personal data can be facilitated. 

PS! We have an added benefit for those companies having their IT manuals in SecureAware: We have mapped a large part of your manual onto the new personal data requirements in advance.

At the present moment, the most recent revision of the regulation is placed in SecureAware ISMS. Now the final text is complete, SecureAware will soon be updated with that.

 

Learn more

Take part in our webinar and receive a number of shortcuts to how your company can more easily follow the new rules for personal data protection.

Learn more and register

 

Learn about SecureAware ISMS

More [fa icon="long-arrow-right"]

Can you make IT security sexy? - a Guide to Awareness Campaigns

[fa icon="calendar'] Tuesday, 09 June 2015 / by Lars Neupart under Best practice, Information Security Management, ISMS

[fa icon="comment"] 0 comments

Once you have read my article, you will have a good idea on how to approach your IT security awareness campaign. You will get concrete advice on choosing topics, forming alliances and how to measure how well your campaign worked.

IT security is hardly known for being the world's sexiest topic. In the eyes of many, it is time-consuming, limiting and boring. 

A boring housewife on a TV programme can get the help of a hairdresser, a stylist and fashion experts in highlighting her interesting sides. Similarly, you can give IT security a makeover in order to make the topic more accessible, relevant and exciting.

This is what you do:

  • get the support of the management
  • choose the right topics
  • meet people where they are 

The support of management

You must first and foremost ensure the involvement of the management. There are two reasons for this: 

For one thing, the employees should hear from the management why IT security is important. The message then carries more weight.

For another thing, awareness campaigns are not free. They cost the organisation time. You will only get the resources you need, if you make it clear to the management as to why you need an awareness campaign. If an IT audit has resulted in findings and recommendations or if you need to follow ISO 27001, you will have a compelling argument. Awareness is a requirement set out in ISO 27001 and ISO 27002, so there is no way around this. A focus on IT security can furthermore save you time and money. Both your finances and your image take a hit when a user error causes a data leak or system breakdown.

Moreover, awareness is about communication. If this is not your strong side, you should become good friends with your communications or marketing department, if you have those in the company. They will be able to help you to reach out to the employees in a language they understand.

Choose the right topics

With the backing of your new allies, you should now figure out the areas on which your awareness campaign should focus. There are many topics from which to choose, some heavier than others, and unnecessary information needs to be removed. 

Consider the problems you have experienced based on the ignorance of users. A few examples may be:

  • Guests to the company are not registered when they arrive and they walk around without access cards.
  • Documents with confidential information are lying around in an unlocked room.
  • Sensitive personal information is not sent through secure email (encrypted).

If you are unsure of anything, get hold of HelpDesk or IT support if you have those functions. They can tell you what employees most often ask about and of what they are unsure. You can also consider whether you recently began to use new systems or carry out tasks in a new manner. Have the employees become familiar with this or are there many mistakes?

You will possibly find more problems than you can address in a single awareness campaign. Focus on the most important parts and save the less important ones until your next campaign. We must make sure to use simple and powerful messages. Prepare short campaigns with simple themes, and then run campaigns more often. 

Meet people where they are

Now you need to go out and meet people where they are. The employees sit in front of their computers, they eat in the cafeteria and they go to Friday morning meetings. This is where you should meet them. One way to do this is by means of:

  • Happenings - Little funny things that get people talking. This can involve small figures or other such things placed on the employees’ table, or by handing out chocolate bars in exchange for them agreeing never to share their passwords with anybody. The possibilities are limited only by your imagination and it does not even have to be especially expensive.
  • Messages with good advice - E-mails that briefly describe a problem area and how the employee should act.
  • Postings on the intranet - Again: make them short and useful. Once the posting is read, the employee shall know precisely what he should (or should not) do and why it is important.
  • Posters in the cafeteria - The posters make employees aware of the campaign and get the employees (hopefully) to talk about why IT security is important.
  • Morning meetings - If everyone is assembled to a weekly morning or Friday meeting, you can try to squeeze in a little speech of your own.
  • Quizzes - A quiz has the benefit of involving the participants. Put up some wine or chocolate as a prize to the employee or department that does the best.

An employee awareness quiz can also show management that your awareness campaign has had an effect on people. Set a realistic goal for yourself. If half of all the employees take the quiz, you have done a great job! A quiz also shows you the areas in which you need to do more to train the employees.

So, can you make IT security sexy? You can at least come a long way when you make it accessible, relevant and interesting.

There are many programs that can help you make quizzes. The new SecureAware Quiz module from Neupart not only makes it possible for you to write your own questions and answers, but also follows up on how many have been answered correctly. You also get an entire library of questions/answers concerning IT security from which you can pick. This way you efficiently ensure that the employees are made familiar with the relevant policies and rules, as well as any compliance with standards, such as ISO 27001. Read more here

Read more about the new Quiz module here

Other resources

Sign up for our other webinars and events here

Contact us for a personal demonstration of SecureAware


About the Author: Lone Forland is a product specialist at Neupart and offers instruction in awareness campaigns, among other topics. Lone Forland furthermore helps Neupart's customers get started with Neupart's ISMS tool, SecureAware, and serves as a liaison between customers and development.

More [fa icon="long-arrow-right"]

Why in the world should managers be interested in information security?

[fa icon="calendar'] Wednesday, 25 February 2015 / by Charlotte Colding under business continuity, compliance, it security audit, information security, ISO 27001, Best practice, Information Security Management, security requirements, ISMS, cyber attack, Risk management

[fa icon="comment"] 0 comments

You should be involved in security since security means something to your customers and because cyber attacks and security incidents are beginning to occur within all kinds of businesses. We have all seen the numerous examples of data breaches, attacks and other security incidents in the news. Often, one might expect or hope the involved organisations were better protected then they actually were. Information security is very much on the agenda, both in the business world and in the media.

Your customers, regardless of whether you sell directly to customers or to other businesses, are presently interested in the topic. That is why you as a manager and a senior executive should take an interest in whether your organisation is sufficiently prepared for a major cyber attack or a systems crash. That should be as good an argument as any! However, there are even more good reasons that I would like to share with you.

Brand image and profitability: Perhaps you have spent years slowly but surely building credibility for your brand name(s). You want your customer to have confidence in you. One security incident can quickly serve to reduce the trust and confidence you have gained to such a degree that even the best (or most expensive) image campaign will not be able to bring it back.

Fees: Add to this the enormous costs to you when you need to deal with a major security breach. Such costs are incurred both due to the incident itself and the following investigation, cleanup and restoration. Theft of company secrets and/or intellectual property rights, as well as industrial espionage can obviously be expensive and even a threat to the very existence of some companies. Afterward, it will surely be shown that more investment in preventive security measures would have made good sense and would have saved money. Moreover, since the threat will continue to develop, it would be a good investment for the future as well.

Legal Statutes: You are subject to certain legal requirements demanding that you have a sufficient level of information security. Bear in mind present and future Personal Data Acts. The future EU personal data legislation (an ordinance) is expected to passed so that it will apply in all EU Member States. It provides for companies to pay fines of perhaps as much as 5% of their turnover for computer security breaches. There is a comprehensive requirement that the parties be notified (data breach notification), which is both expensive and difficult to perform. Add to this a number of industry-specific requirements: for example, that financial enterprises must comply with financial supervisory authorities' requirements concerning information security, requirements placed on the energy sector, the health sector and for state-run enterprises to comply with the ISO 27001 standard.

Governance Requirements: Corporate governance requirements determine 1) that management set out the procedures necessary for risk management and internal inspections, 2) that the administration take a position on strategic and commercial risks and 3) that managers who negligently has caused the company to suffer damages shall pay compensation for such damages. In other words, there is also an array of legislative reasons to be interested in information security.

Review: You likely also strive for your review to be consistent with most of everything that might be found in those long review guidelines. Your information security will also be reviewed. Keep in mind as well, that regardless of the fact that accounting firms play a dubious double role (at the same time offering a wide range of both executive and advisory consultancy services within the field of information security), it pays for you to prepare for the review proactively. It should be easy for you to document that you are in control of your information security.

However, what should you as an executive do, in addition to taking an interest in the topic? Easy: You should A) communicate to your organisation that security is important, that it is a basic condition for your business activities and b) you should investigate whether you have allocated sufficient financial and human capital in your organisation to deal with the everyday, practical management of your information security.

If you want to get a little bit deeper into the subject, I recommend you examine your maturity level in these areas:

  1. Policies, rules, procedures and documentation

  2. Risk management (risk assessment and continual risk treatment)

  3. Incident management and contingency plans

Proper governance and management of information security has become a common best practice simply because it has become a necessary condition for most commercial activities. That is why a manager should be interested in information security.

 

PS I have summarized the six reasons for you in this document here

 

PS: Click here to follow us on LinkedIn

More [fa icon="long-arrow-right"]

Choosing the right scenarios for your business continuity plans

[fa icon="calendar'] Wednesday, 29 October 2014 / by Charlotte Colding under business continuity strategy, Business Continuity Planning, Information Security Management, business continuity scenario, ISMS, BCP, disaster recovery

[fa icon="comment"] 0 comments

By Jakob Holm Hansen, Neupart


Our most recent blog post dealt with The three golden rules of business continuity planning. This time, we continue in the world of business continuity planning and take a closer look at scenarios and strategies.

More [fa icon="long-arrow-right"]

The three golden rules of business continuity planning

[fa icon="calendar'] Wednesday, 27 August 2014 / by Charlotte Colding under Business Continuity Planning, Information Security Management, IT risk assessment, information security policies, SecureAware BCP, ISMS, BCP

[fa icon="comment"] 0 comments

By Jakob Holm Hansen, Neupart

"How long should a business continuity plan be?" This is a question we often hear from our customers. My answer usually is: "As short as possible!" The truth is that the perfect business continuity plan (if such a thing exists) should be three - sometimes contradictory - things at once:

More [fa icon="long-arrow-right"]

Has ‘Plan-Do-Check-Act´disappeared in the new ISO 27001?

[fa icon="calendar'] Friday, 04 April 2014 / by Charlotte Colding under ISO 27001:2013, ISO 27001, Information Security Management, Information risk management, overview information security management, Compliance and task management, plan-do-check-act, ISMS, ISO Standards

[fa icon="comment"] 0 comments

The Plan-Do-Check-Act (PDCA) process originates from quality assurance in production environments, but has for some years also been a requirement in the ISMS standard ISO 27001 (ISMS = Information Security Management System).

More [fa icon="long-arrow-right"]

Do you need to explain what is ISO 27001?

[fa icon="calendar'] Thursday, 13 February 2014 / by Lars Neupart under ISO 27001, Information Security Management, Information risk management, ISMS

[fa icon="comment"] 0 comments

We've produced this short clip to help you communicate the main components of an Information Security Management System (ISMS), as described in ISO 27001.

  
More [fa icon="long-arrow-right"]

How does the ISO 27001:2013 affect your risk management process?

[fa icon="calendar'] Monday, 29 July 2013 / by Charlotte Colding under ISO 27001, Information Security Standards, Information risk management, ISMS, Risk management, SecureAware, ISO 27001 revision, ISO 27005

[fa icon="comment"] 0 comments

ISO / IEC 27001 was introduced in 2005 and has become a very popular international standard. Now ISO 27001 is being revised and a new version is due later in 2013. I’ve looked at the changes before and outlined the main differences between the old and the new version.

More [fa icon="long-arrow-right"]

Three ways the ISO 27001 revision will affect your company

[fa icon="calendar'] Monday, 15 April 2013 / by Kristian Bøg Frandsen under ISO 27001, KPI, ISMS, ISO 27001 revision, ISO 27005, ISO 31000

[fa icon="comment"] 0 comments

It has been eight years since the ISO 27001 standard was last revised but now changes are coming.

More [fa icon="long-arrow-right"]

Good enough IT risk management

The Neupart blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts