Recommendations
Information security at Data Systems Solution will not be achieved by installing advanced technology alone. Rather, employees are an important part of the security process. The performance of security technology greatly depends on the people using the information systems. The implementation of security measures involves developing the necessary skills among employees. Establishing an information security culture reduces internal threats to information security. Changing the information security culture might face resistance, since employees are used to the existing culture. Data Systems Solution will implement the following strategies to ensure that information security measures succeed in protecting the company’s information systems.
Top Management to Support Culture change
Organizational culture within the company will begin with the top management. The goodwill of the management towards a sound security framework is essential to the success of information security. The executive managers in the company should appreciate the importance of information security and the consequences the company will face if a data breach occurs. Since the people at the top of the company are responsible for making crucial decisions and allocating resources, their support is crucial for the success of any information security measure. They will be leading the information security initiatives at the company.
They should allocate enough resources to information security initiatives. Information security requires a significant amount of resources. Those responsible for information security require resources to purchase hardware and software and to undertake training and awareness programs. Thus, in every financial year, the top management should approve a budget for information security. It should be the company’s tradition to have an information security budget every year.
The executive managers should also lead by example. They should not be treated in a special way when it comes to security protocols. Thus, Data Systems Solutions will ensure that security protocols apply to everyone, including executive managers. Access to the information systems by managers will be controlled using passwords and two-factor authentication. Managers will not reveal their passwords to anybody, not even their secretaries. They should also preach about information security. They should talk freely about the importance of securing the company’s information systems and encourage those they lead to adhere to the security protocols.
Include everyone in the Security program
Since the organization is made up of several departments with different sets of employees, there is a need to include everyone in the company in the security program. All employees, from the top manager to the cleaners, should be part of the program. To include everyone in the security plan, the company will implement the following steps. First, all employees will be educated on the importance of the security program. No one is insignificant. Secondly, the different categories of employees will be educated on their responsibilities towards securing the information systems and what they are always expected to do. Again, employees will be involved in the development process of the security program. Their opinions will be considered. There will be a channel for everyone to communicate their concerns about the security plan.
Since some security measures, such as physical access control, cut across the company, there should be collaboration between employees in different positions. For example, security personnel will have to call the front office to confirm the details of visitors before allowing them to enter the company’s premises. Again, the occupants of every office will be responsible for locking their respective office doors. Such collaboration ensures that the system is watertight. If an unauthorized person succeeds in passing the security check, they will still not gain access to specific offices, since these will be locked.
Additionally, the security program should be diversified to accommodate all employees. Since employees have varying needs, the security program should put in place measures that meet everyone’s needs. Security warnings for employees with hearing impairment will be presented as text rather than as voice warnings. For employees with vision problems, security alerts will be presented in voice form. Employees will be allowed to set passwords that they can remember easily, as long as they adhere to the set protocols for setting a password, so that they will not need to write them down somewhere. By doing so, employees with different abilities to remember things will be comfortable using passwords. Passwords should not be imposed on employees, since some will feel intimidated, especially when they have difficulty remembering long texts.
Security belongs to everyone
In many companies, it is perceived that information security is the responsibility of the IT department. But in reality, security belongs to everyone. Thus, Data Systems Solution will instil the concept that security belongs to everyone in the company. The position of employees will not matter. To instil this sense of belonging, individuals’ opinions and needs will be considered in developing the security program. The company’s vision and mission will be revised to align with the security culture. Through awareness programs, employees should understand that security is not negotiable.
People in top positions will be speaking about the importance of security even if their positions are not related to information security at all. Every meeting within the organization will have the main speakers talk about security for a few minutes. Conversations about security should be continuous. Through awareness, all teams will understand basic concepts and security procedures. Apart from posters that will be placed at the company’s main points and in every office, leaflets will also be distributed frequently to all employees within the company.
Additionally, monthly newsletters about information security will be produced and shared every month. Furthermore, other awareness and training mechanisms will be employed to increase the levels of awareness. The first method will be training sessions. All employees are required to attend at least two hours of training every month. Professional instructors will facilitate the training, which will always take place on the company premises. Employees who cannot attend the training sessions should enrol in online training covering the same material.
Secondly, the security officer at the company will develop electronic articles on security that will be distributed by email and on social media platforms. Since we are in a digital world, social media is the ideal channel for sharing security information. Whenever a security-related article is posted on the company’s website, a link will be shared on the company’s social media accounts. Facebook and WhatsApp groups will also serve as channels for sharing educational materials. Lastly, text messaging will also be used to increase awareness. Almost everyone in the company owns a mobile phone. Security alert messages will be sent to employees frequently. Specifically, any time there is new security information to share, messages will be sent first.
Secure Development Lifecycle
All applications that will be developed within the company or purchased from software developers will have to incorporate security measures from the beginning. Every piece of software that will be installed on the company’s computers should conform to specific security protocols set by the company. First, applications have to meet the security requirements. For example, applications should have a method of controlling access to them; the applications should use passwords to authenticate users. Secondly, software and applications should have the capability to model threats. This allows them to detect threats, and they should have a way of countering risks, or at least be compatible with common security applications. Lastly, any application that will be installed should have been tested adequately to measure its level of vulnerability to attacks. The information security officer at the company will be responsible for approving software to be installed within the company’s information systems. Since Data Systems Solutions does not develop its own applications and software, it will rely on the security officer to advise on which secure applications should be installed. The officer will inspect the security of each application before it can be introduced into the systems. The officer will be involved in every procurement process for technology products.
Create a security community
The security community is the connection between different groups of people within the organization. At Data Systems Solution, the entire employee fraternity makes up the security community. The creation of the community brings everyone on board and eliminates the concept of us versus them in the company. The focus of the security community will be to achieve secure information systems. The community will comprise security advocates and sponsors. The advocates will encourage others to adhere to security practices. They lead the processes of securing the information systems. The security sponsors are top managers who give direction to information security. There are also other members of the community who are not passionate about security but understand the importance of information security. The community will have a yearly program where the bright minds from each category will have a chance to share their knowledge and skills.
Implement a Reward System
Data Systems Solution will implement a reward system where the best performers in the security field will be recognized and rewarded. As discussed earlier, all employees will be required to undertake a mandatory training and awareness course. Those who complete all the sessions successfully will be recognized and given a certificate to show their achievement. The courses will include short quizzes and exams at the end, where top performers will be given a cash reward. By giving top performers cash, they will spread the message to other employees. They will always tell a story about how they received money for taking a security course. Thus, they will help in spreading awareness and help the company pass on the message of how much the company values information security. Their stories will be a motivation for other employees to take the awareness and training courses seriously. Although they will be learning with the intention of getting rewards, the knowledge will be embedded in their minds and they can easily remember to put it into practice.
The reward system will also consider employees who always adhere to secure practices. Information security officers will be tasked with formulating a way to award points to employees who always adhere to security best practices. Employees who accumulate the highest points will receive cash rewards at the end of every financial year. Rewarding those who strictly follow security protocols encourages all employees to always adhere to the protocols and communicates the importance of information security to the company.
Make security training engaging and fun
Commonly, security training is deemed boring and not much fun. During training sessions, there will be open discussions, where participants discuss issues without fear. Fun events should also be incorporated into the training process. A security game will help warm up participants before a training session. During the security training sessions, cartoon pictures can be used to explain security aspects. Some training sessions may involve watching a movie about a security breach and having a discussion around the movie. This way, participants will feel involved in the process.