News / Security /

Turn your IT security policy into a ‘living’ document

A policy will not be successful in isolation; it needs the buy-in of all organizational executives, all the way down to the individual employee level. It’s about creating a culture that takes security into account as part of each person’s regular job.


For companies considering how strict to make their security policy, consider that changes in legislation have brought mandatory data breach reporting to Canada. Administrative penalties surrounding these breaches can be assessed upwards of $100,000 per record.

So when it comes to personal information, there are several areas that should form part of your security policy: Personally Identifiable Information (PII) or Sensitive Personal Information (SPI) can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context.

Special attention should be paid to instances where personal information may be at risk. Not all press is not good press, and media attention from this type of breach could bring a tsunami of risk to your business brand and consumer trust.

Organizations with a significant amount of PII (such as telcos and insurance companies) could be ruined by a significant data breach. Ashley Madison is an example of a business that is highly unlikely to survive its PII security breach.

My advice is to build a security policy that best presents the required behaviors for users and administrators to achieve the desired protection, security and availability objectives needed to secure your business data. But, due to the changing methods of cyber-attacks, that security policy should be considered a “living” document and needs to be updated regularly.

The scope of such a policy includes information stored on computer tapes, disks and resident memory, as well as information being transmitted electronically. And the policy must apply to all business functions within an organization, including any subsidiaries.

Everyone in the business — from employees to consultants, partners, vendors and contractors — should be required to safeguard your corporate information assets. That means maintaining privacy consistent with legislation and business operating policies, as well as vendor contracts, copyrights and patents.

A policy will not be successful in isolation; it needs the buy-in of all organizational executives, all the way down to the individual employee level. It’s about creating a culture that takes security into account as part of each person’s regular job. The most brilliant computer information security group will still fail if they can’t get buy-in across the organization.

Whereas overall corporate security is typically directed by the chief financial officer, computer information security initiatives are typically directed by the chief information officer.

A corporate security executive should be appointed, who is responsible for directing the development, dissemination and periodic revisions of all supporting documents used for security purposes (such as guidelines, procedures and bulletins).

The role of a Computer Information Security Group is to manage the implementation of the recommendations made by the corporate security executive. Each computer information system should have a defined owner, responsible for establishing the value or importance of information assets and classifying the information as per the organization’s Information Protection Guidelines (this is another document that all business should have).

Want to learn more? The Government of Canada and Public Safety Canada have a number of cyber-security resources designed to help businesses understand the risks they face, and provide practical advice on how to better protect their business and employees from cyber-crime.

You can’t predict cyber-crime, but by being proactive you can mitigate or even eliminate the risk of one.

Comments are closed.