Protection covers the security of information systems, protection against leaks of information to outsiders, and the confidentiality of that information. Protection also covers auditability.
Where do I start with protection? I guess at the beginning.
First of all there needs to be a corporate policy on information, and it should have a few key things in it such as “we are all going to do this from the top down”, “there will be consequences if you don’t do it”, “we will audit to see if it is happening” and, last but not least, “there will be a mandatory training program on what we expect”. I see all too often that security is left in the hands of IT. That works for network access and infrastructure security, but in my opinion we can’t expect the help desk and IT staff to know what needs to be protected from whom, or who should have access to which parts of the information in each business unit of the corporation. In many countries, like Canada, we also have to deal with privacy issues, and of course this applies to healthcare and many other types of information. Now we have another layer as well: with the advent of social media, and with BYOD (Bring Your Own Device) as prevalent as it is, the likelihood of the wrong information getting into the wrong places has grown.
Number 1 in the Maturity Model says that we are not doing anything and we are all over the map, allowing users to decide on security for themselves. This is unfortunately where many small companies start. You will all agree that this is a dangerous practice.
Number 2 talks about us having some policies that don’t go far enough and no training for employees. Just let me say again that there needs to be a policy with the important things in it and training on its use. By the way, a policy should not be many pages long but in fact a paragraph or two; processes should spell out what really has to be done in detail, so that we don’t have to change the overarching policy often, or at all, in future. In number 2 we are still allowing individuals to set security on their own.
Number 3 talks about us having an acceptable policy, some audits in specific places, well-defined centralized access controls and trained employees. Remember that 3 is where you should be at a minimum.
Number 4 speaks to our having systems in place to provide this protection, which brings us back to having an electronic solution in place. It also indicates that at this point we have trained our employees globally and that we are auditing across the corporation to make sure everyone is toeing the line and doing the right corporate things as they relate to information management.
Number 5 indicates that we have very little bad press related to information breaches, that the board of directors likes what we are doing and brags about it, that we are constantly improving over time, and that we actually look at our audit information for ways to improve or ask a business unit to improve its practices.
Compliance is next, and I hope that everyone has a good plan to get to number 3 in the maturity model.