Improving your firm's information security policy can be condensed to three simple steps. They address the most common problems seen at firms and practices across the country, and they are easy for you to fix.
1. Realize the prevalence of the cloud
The people who write information security policies are very often not fully aware of how widespread cloud use has become. This is a particular problem for Bring Your Own Device (BYOD) policies, since personal devices routinely send data to cloud services on their own.
To illustrate how common the cloud has become in daily business life, here is a short list of everyday business activities that take place in the cloud without most people even noticing:
- Creating a document using Google Drive
- Backing up photos from your phone to your Google, Apple, or Microsoft account
- Backing up the contact list from your phone to any of the above services
- Creating a mailing list using Mailchimp or one of the hundreds of similar services
- Using mobile payment systems such as Dwolla and Google Wallet
There are many more, but these are some of the cloud services businesses use most. The most effective risk management plans address cloud use from the very beginning, when the information security policy is first drafted, rather than bolting it on later.
2. Keep your policy as suited to the environment as possible
How many times have you been confronted with a lengthy legal document and simply clicked “accept” rather than reading the whole thing? This is common behavior, and something you should keep in mind when crafting an information security policy. When possible, keep the whole policy short, concise and, above all, tailored to your firm’s environment.
If it's not possible to be brief, at the very least you can include a table of contents to help readers navigate the document. This will allow them to skip directly to the portions of the policy that are most relevant to their needs and current situation.
Better still, security policy automation makes the policy easy to enforce – even if some people don't read the whole thing. An automated system can alert employees when an action violates the security policy or when encryption is required. Some of these systems let an employee override the policy while logging the exception; others let employees request an exception that a supervisor must approve for specific projects. These systems can offer as much or as little flexibility as your business requires.
3. Maintain watch over internal security issues
More often than not, internal security issues are a greater threat to your business than external hackers. Employees may inadvertently give unauthorized people access to confidential documents or systems. Ensuring that access rights are granted only to those who need them is the first step. Additionally, no information should be given to anyone inside your financial institution without a tangible purpose. This helps to ensure that information is not accidentally misplaced or inadvertently shared. Getting this right can save you a lot of money on risk management.
Contact Garland Heart any time to discuss other ways to improve your firm’s information security policy.