With many GDPR programmes in place or in the throes of sign-off, there are many tasks which will need to be undertaken in the next 15 months to deliver these programmes.
It is interesting to see the rise in GDPR posts in the social media world, and the many video clips, blogs and articles being written on the subject. In this blog post, I will not be focusing on GDPR itself but on information security policies, a subject which GDPR will affect; indeed, some of the recent information shared by the UK ICO has a significant part to play in how we view information security policies in the future.
A recent speech given by the Information Commissioner, Elizabeth Denham, on GDPR provided a very insightful view on the need for businesses to move on from a mind-set of compliance to one of commitment and defined her view on the importance of accountability.
When it comes to reviewing information security policies in the coming months, businesses that adopt this strategy have the potential to make some significant updates to the policies themselves and to the business messaging around them.
Coupled with the best practice advice offered in the compliance and governance programmes already in place, businesses have the opportunity to refresh their policies and underpinning policy and standards frameworks to mature these documents.
When approaching this subject, organisations tend to get caught up in the complexity of their business and focus purely on wording that will meet internal and external auditing requirements; in other words, the approach is compliance-led.
This will then be approved, issued and included in internal awareness training.
When considering how to mature the approach to the information security policy and its underpinning policy framework, there are many things NTT Security can do to support the move towards commitment.
- Provide the executives and their leadership teams with training. Some GDPR options you may consider are: reviewing the presentation given by the Information Commissioner with them, and discussing other topics with them including the need for transparency and individuals’ rights under the new regulation. Allow time to discuss commitment versus compliance and to agree on the business’s stance.
- Consider the benefits of writing a “how to write a policy guide”. Such a document will contain the preferred wording of your business – for example when stating a mandatory statement “must is the preferred word”. When creating this guidance, you can state appropriate wording to support achieving compliance or, as stated above, you have the option of moving towards a strategy of commitment. In the event that your choice is to move towards commitment, you are likely to find that the wording used will be subtly different.
- Collect feedback from your employees. Policies tend to be a pretty dry subject matter and the awareness training suffers as a consequence. Is there a different way of communicating them, or different media which can be used to support the awareness training activities? Listen, too, to concerns raised around the practicalities of implementing the policies, so that controls are not bypassed in everyday employee work practices.
Other factors to consider include the Internet of Things (IoT). What is allowed on business owned devices? Can you load the app which reports on your heating onto company assets for example? Businesses should also consider BYOD policies for personal devices which have connections to a variety of IoT devices, which again may affect the security posture of your business.
In summary, whether driven by a new regulation or by a deeper understanding of the issues surrounding information security, writing effective policies, and measuring and maintaining them, will form a key part in assuring your stakeholders that you are committed to protecting any information you are privileged to be given in order to conduct your business.