Every organization, especially one that executes transactions over the Internet, must treat information security as a business priority. Recent laws such as the GDPR in Europe define rules that drive the implementation of security controls and data protection where none existed before. The IT area is at the heart of this function, while other areas play a key supporting role, such as internal controls and, in particular, the legal function, which helps ensure compliance with external laws. At the same time, every area of an organization is responsible for managing the information assets dispersed within it, and this dispersion requires continuous control.
Some common questions in this context: How should a security management system be structured? Where should it start? Do I have to hire a consultant? Can the information security function be outsourced?
In this scenario, having an effective information security management system is the first step for a company to align itself with best practices. This system must have at least three basic elements: processes, people and technology.
In processes, it is necessary to define an Information Security policy, which clearly states the principles and general rules and outlines a basic structure of procedures, standards and controls. This policy must be widely disseminated, internally and externally, and undergo periodic reviews in light of changes in the external environment in which the organization operates.
The main element of an Information Security management system is people. Therefore, there is a need for a permanent awareness campaign for all employees and third parties who interact with the organization. Surveys show that the greatest security deficiency still lies in the mistakes and deviations committed by people.
Last but not least, technology. The number of technological solutions available today is vast, which requires great care at every stage, from market analysis through the identification, selection and implementation of tools.
The tendency is for technological solutions to become increasingly advanced to counter threats, which are also constantly evolving. This requires frequent assessment of the current management system to identify vulnerabilities and establish actions to address them.
Ideally, the Information Security function should be positioned in the company as a strategic area, with direct reporting to the chief executive, but it depends on the size and culture of the organization. Traditionally, the function is embedded in the IT area.
Within this model, the IT area must play an active role and stay current with the market, which is not always an easy task. One of the most critical factors is presenting executives with the benefits of investing in security solutions. This is a complex activity that requires a strong partnership with auditing and internal controls, so that together they define a plan of action and the goals to be pursued. Choosing a critical process is another very important step: identifying the most problematic applications and defining and implementing protection for them are good initial actions.
Organizations are increasingly connected to each other and increasingly dependent on IT. Security is a priority function in companies and is increasingly demanded by consumers and users alike. Therefore, it deserves a privileged management focus.
Finally, it is important to emphasize that companies need at least one professional with this responsibility, who in turn will need constant executive support to carry out their duties effectively. Outsourcing all or part of the function may be an alternative; however, it should be analyzed in detail so as not to compromise the quality of the management model.