How to Successfully Implement Info Security Governance
Richard H.: Good afternoon, everyone. My name is Richard Harrison, Director of Sales at Diligent. I am also joined today by Jonathan Aluveaux, Information Security Engineer here at Diligent as well. Today we want to talk to you about Information Security Governance best practices, and how to successfully implement a security program company-wide. Before we get started today, I just want to go over a few housekeeping items. Today’s webinar should last about 20-25 minutes. We’re going to record it and a replay will be sent out to everyone attending after the session, or all registrants, rather. Please feel free to share the replay with your colleagues. As we go through this, feel free to ask your questions at any time by utilizing the questions panel that you’ll see in the GoToWebinar panel on the side of the screen.
Just one quick word about Diligent as an organization. We have been providing Board Portal and Collaboration Technology for the last 15 years or so. We have offices worldwide in 12 different locations, five data centers all over the world, including the US, Canada and Germany. For those that don’t know, we’ve helped over 4700 companies worldwide at making the transition to digital communication and collaboration solutions.
Before we start, I would like to take a look at the agenda for this presentation. What we’re going to address is, what is Information Security Governance? Why is Information Security Governance important? Who is responsible for developing Information Security Governance and then we’re going to address the five best practices we see for successful implementation.
First, let’s have a quick look at what we mean when we talk about Information Security Governance. I’m going to defer here to the IT Governance Institute with their definition, which I quite like. They define this as, “A subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages risk and uses organizational resources responsibly and monitors the success or failure of the enterprise security program.” Jonathan?
Jonathan A.: Information Security Governance requires organizational structure, the assignment of roles and responsibilities, defined measurements and tasks, all strategically developed and defined by the Board of Directors and Executive Management.
Richard H.: Yep. Let’s look at why Information Security Governance is important.
Jonathan A.: Sure. Information Security Governance aims to set strategic measures to protect an organization’s information, which can comprise highly sensitive data: financial, legal, customer, partner, R&D, proprietary information and more. Organizations are increasingly holding more data that could be valuable to competitors or, worse, criminals. It’s now commonplace that cyber criminals make headlines with high-profile hacks and data breaches.
Richard H.: Yes, I mean, the results from an attack can be pretty catastrophic. We see it in the news practically every week at the moment. The aftermath of a data breach can have damaging effects, even long after the incident and can really encompass anything from legal liabilities, brand reputation, certainly a lack of trust from customers and partners, associated revenue decreases. In fact, today or certainly in 2016, the average cost of a data breach went up to four million US dollars.
Really, companies need to be accountable to their partners as well, including customers and employees, so they are sure they’re working with a secure company. About three years ago there was a high-profile big US company that was hacked. The cyber criminals found a way into the organization, really, through the back door. That was via their payroll provider. It’s not necessarily that they’re going for the big companies. They might target a smaller private company and not necessarily with the intention of trying to steal any of their data. It might be a partner’s data.
As corporate data becomes more accessible to employees by mobile devices and the cloud, it’s important for companies to keep up with security practices to ensure that only the right employees have access to that data. Of course, make sure criminals do not have access to that sensitive data either.
Next, let’s address who is actually responsible for Information Security Governance. Who would you say, Jonathan?
Jonathan A.: This should be a company-wide concern. Leadership such as the Board of Directors, Executive Management, or a steering committee are ultimately responsible for establishing and maintaining a framework for Information Security Governance. Information Security Governance requires strategic planning and decision making.
Richard H.: We’re going to go into a bit more depth here, step by step with these. Here are the five best practices around how we recommend you better position your organization for successful Security Governance. Taking a holistic approach to strategy; creating awareness and training throughout the organization; monitoring and measuring, because of course if you’re not measuring, how can you improve; fostering open communication between all stakeholders; and the fifth point we came up with was really promoting agility and adaptability.
Jonathan A.: Okay. Let’s start with number one. Take a holistic approach to strategy. Before implementing Information Security Governance, take a unified view of how security impacts your organization. A company-wide survey can help scope out what data needs to be protected. Here are some sample questions worth asking. What data needs to be protected? Where are the risks? What strategic policies should be created? Which teams should be responsible for carrying out the policies?
Richard H.: I think it’s also worth mentioning that you should get input from all stakeholders across the organization, like from IT, sales, marketing, operations, you have to include the legal departments as well, to understand all of their concerns and challenges as well as to assess the skills and expertise. Do you agree with that?
Jonathan A.: Yes. Working in silos may create additional obstacles and disparate security solutions. A holistic approach ensures leadership, the creators of Information Security Governance, gain the control and visibility required.
Richard H.: Let’s move on to number two.
Jonathan A.: All right, you need to foster awareness and training throughout the organization. Setting Information Security Governance and walking away can bring negative results such as a lack of adoption, a misunderstanding of policies, roles and responsibilities and, in turn, introducing security vulnerabilities. Continuous adherence to security governance requires awareness, education and training for all involved.
Richard H.: On screen are some of the questions that we recommend considering. Jonathan, do you have any recommendations on how to ensure employees actually adhere to the Information Security Governance program?
Jonathan A.: Absolutely. Company-wide surveys, security seminars, and education on best practices are ways to keep security at the forefront for all employees. Demonstrate a commitment to security awareness, training and education. An organization can send team members to security training events or conferences to learn the latest industry best practices. With the new knowledge gained, these individuals can share their insights with the larger organization.
Richard H.: Let’s move on to the third point.
Jonathan A.: All right. You need to monitor and measure. Information Security Governance requires constant monitoring, measuring, and tweaking. Consider which policies are working. Who is or isn’t following them? Are any policies impacting the company’s reputation with its customers and partners? How often do you test your security measures? How often do data breaches occur? What is the response time for incidents? What security policies are working and which are not?
An organization should lean toward best practices and conduct mock data breach scenarios to test the response time and actions of its teams. The results can showcase what a company needs to work on and what they have nailed down.
Richard H.: I’ve seen, probably in the last year, more and more executive teams engaging in, essentially, war games around security breach scenarios. I’m seeing that more and more so that in the event of a data breach, they’ve got that nimbleness. They know the steps that are in place so that they can address that far quicker than they would ordinarily.
Let’s move onto number four. Fostering open communication between all stakeholders. I mean, it’s vital that all stakeholders feel they can communicate directly with leadership. I think we’d all admit that that maybe isn’t always the case. Working as silos risks obfuscating important communication that relates to Security Governance. If a data breach occurs, do employees at any level of the organization feel comfortable in letting leadership know? Certainly, in the event that the data breach is around human error.
Open communication builds trust while augmenting visibility throughout the whole organization. Any further recommendations on that?
Jonathan A.: Sure. Create a steering committee comprised of executive management and key team leads to review and assess current security risks. Members might include leaders from the IT, finance, PR, marketing, legal and operations departments. Regular steering committee meetings can make sure there is an ongoing adherence to security policies. If a new security policy is created, department leads who are part of the steering committee can make sure their teams implement the policy.
Richard H.: That makes sense. Finally, our fifth point that we came up with, promoting agility and adaptability. Your Information Security Governance, while establishing some solid policies using guidelines, must be open to adaptation to fit with the changing digital landscape. It cannot be something that’s just put in place once, looked at once and then essentially forgotten. It’s just a checkbox: yes, we have this. It’s got to be something that is continually looked at and adapted, something that’s flexible, and there should certainly be changes, we recommend, throughout the year. How would you recommend, Jonathan, an organization go about doing that?
Jonathan A.: An organization should monitor and measure the overall strength of their security policies. Questions to ask include what we have listed here. What’s working? What’s not working? What can we change? An IT security employee may have hands-on experience and insight on the effectiveness of a particular security policy. If leadership is receptive to hearing a team member’s feedback and suggestions, there should also be agility in making those changes.
Richard H.: Already we’ve covered, I think, a lot of ground here in the 20 minutes that we’ve both been on the phone. It’s important to note that successful Information Security Governance is a work in progress. We cannot stress that enough. While every company may have its specific needs, securing its data is a common goal for all organizations. Emerging technologies and cyber threats will continue to evolve. Data breaches and security incidents are going to happen. We’re going to hear about them more and more. Rather than scrambling after a security breach, organizations must put proactive and strategic Information Security Governance at the forefront. That means creating a budget, or a bigger budget, for this. The goal for companies should be to deliver Information Security and to reduce adverse impacts and risks to an acceptable level. Because threats and incidents will occur, but with a strategic Information Security Governance plan in place, you strengthen your organization’s security posture. While you’re doing that, you’re protecting your valuable information.
Jonathan A.: Technology can play a key role in ensuring your company data is securely stored, distributed and accessed. The Diligent Board Portal has a number of security measures in place to ensure that information is safeguarded. Lean on Diligent to meet your Information Security Governance policies. Securing company data: data within our platform is protected by physical security best practices and encryption. Our Information Security processes will have been audited for 10 years after this upcoming annual review period, and Diligent is ISO 27001 certified for its Information Security management system. We often subject our data security to rigorous third-party security testing.
Keep content within the group. Executives only receive content relative to their Boards, committees or functions. When permissions can be fine tuned to the user and document level, you know you’ll be protected from unauthorized sharing outside of the appropriate group.
Go mobile with offline capabilities. When users are offline, they can view content, sync to a device, and make notes. Digital documents are encrypted within the security of the Diligent system and access can be limited to specific devices.
Choose your data hosting location. Customer data in Diligent Boards is hosted within data centers where Diligent owns and operates the infrastructure. Customers can host their Diligent Board site in North America or Europe. The following available locations are mentioned with the primary location and the site’s respective secondary location thereafter. For North America you have two options: Quebec, Canada with backup disaster recovery to Ontario, Canada, and New Jersey, United States with backup disaster recovery to Ontario, Canada. In Europe, the primary site is in Frankfurt, Germany with backup disaster recovery in Dusseldorf, Germany.
Control versions anywhere. Meetings and documents are under the strict consensual control of the customer administrator who creates content and manages who views it. After the meeting, final versions can be archived.
Richard H.: Jonathan, I’ll just add to that a couple of best practices that I see with our client base that they use. The first one I would mention is device registration. A common question that I hear from potential clients when they’re evaluating Diligent Solutions is, “What happens if one of my board members or executives loses their iPad, for example? How do we know that no one’s getting access to that data? What happens if they write down their credentials on a piece of paper, and that falls into the wrong hands?” With Diligent, you can have each user register their device. They enter an eight-digit PIN that’s generated for them on the back end and communicated over the phone by a Diligent support person. They enter that, and at that point their device is registered. For future logins it’s the typical username and password, or thumbprint if you’re on an iPad. It means that the user can only log in with their correct credentials on that preregistered device. Therefore, even if their correct credentials fall into the wrong hands, someone is unable to log in with them. They would need the correct device as well.
The second thing that I would say, particularly for the more security conscious companies that we work with, there’s certainly been a higher demand in the last 12 to 18 months of organizations wanting to foster better collaboration amongst their Board Members and their Executive Team. There’s a worry there because today it’s happening through email, often free personal email services like Yahoo and AOL even for independent directors and often text message as well.
We’re seeing quite a few of our clients utilizing the Diligent Messenger products. For anyone on the call that’s unfamiliar with it, it’s essentially a secure alternative to email or text message. You can use it on your phone, iPhone, iPad or web browser. It will integrate with Diligent Boards as well, with your same meeting groups. The overarching benefit is from a security standpoint, where you can ensure that 0% of any confidential data communicated between board members and executives is happening insecurely. It stays within the secure Diligent environment and those messages are impermanent, unlike with a text message or an email. You can apply these messages to your data retention policy. If you’d like them all wiped once a month or every two weeks, you’re able to do that.
If that’s a concern, if you think some of your directors or executives are communicating anything of a confidential nature via email or text message, it’s certainly a product I’d recommend looking into. It’s very easy. Again, you can ensure that zero sensitive information or communication is happening insecurely.
At this point, I believe we have covered everything that we wanted to do. Thanks to Jonathan for joining us today. If you would like to learn more about Diligent, if you’d like to take a closer look at some of our solutions, we would be happy to oblige. If you’d like a personal demo, you can contact me, Richard Harrison directly at my number on the screen. I don’t believe my email’s there, but it’s firstname.lastname@example.org if you’d prefer to email. We’d love to hear from you and learn a bit more about your current Board Meeting process and communication tools for your leadership teams. Thanks for joining us and have a wonderful rest of the day.