The auditors are coming
Brows furrow in anticipation of the days of inspection. Will we pass or will we fail? It is a statement heard in many an office in Britain. However, an audit should not be viewed with dread, nor treated as merely a concern allotted space in a few individuals' notebooks and calendars.
Any review of doctrine, policies and procedures should take place regularly and months in advance of an audit. Should you find yourself playing catch-up a full moon or two before an audit, it may be prudent to evaluate the origins of your compliance policy. That origin, the scope of your Information Security Policy, will need to be updated on a regular basis for a number of reasons, including changes in legislation, the introduction of new technologies and any specific policies requested by a client regarding the handling of their sensitive information.
The scope is not a detailed document in itself, but it provides a basic framework of what requires attention regarding information security, from which more detailed policies and procedures can be compiled.
Of chief concern is the governance of data usage, together with the performance and security of IT systems, backed by documented proof that all are performing to the required levels. This aids the safekeeping of your company's data. Key departments directly linked with the implementation of information security policies should be engaged to clearly define roles and responsibilities within your organisation, so that in any crisis it is clear who does what, when and why.
To achieve a pass against the standard, the bare minimum for each area is required. What a CISO, or similarly titled individual, should be aiming for is to have surpassed the standard, in their own assessment, three months before the audit occurs.
Whether a firm is seeking Lexcel or ISO 27001 accreditation, you must shape and form the doctrine to your company's needs and technical limitations to provide the best information security possible. Simply following the guidelines will not prevent a breach of your information systems.
Although implemented by the compliance team, true integration requires active engagement from all employees and departments involved in the processing and storage of client and company data. A wide variety of methods may be employed to achieve this: formal education modules on joining an organisation, regular bite-size updates via the firm's intranet, and relevant posters placed in clear sight of employees, so that ideas and concepts appear natural and familiar rather than unnecessarily complex and alien. You want your employees to buy into, and be engaged with, the policies you are producing.
As any general worth their salt will tell you, no amount of planning will provide complete protection from some element of failure, major or minor. The same is true of information security. Despite the controls that may be in place, information held in an individual's mind, on an IT server or in a written document (the list is not exhaustive) is susceptible to the risk of a breach. Therefore, the best form of protection in such instances is to compile a series of contingency plans dealing with the various issues which may affect the running of your organisation.
It is paramount that, as well as having such contingency plans in place, your employees are well versed in enacting them. They should also be well versed in detection and reporting, and in any responsibilities they may hold under the contingency plans that have been formulated.
It is good due diligence to record all attempted as well as successful attacks on your information systems.
On reviewing the data about these incidents, it becomes possible to identify trends in the attacks against your information systems. Combined with investigation where necessary, this gives a clear picture of current and potential vulnerabilities.
At this stage, it is important to have thorough internal audit procedures, with detailed reports and, where your technology allows, disk images captured at the time an incident occurred to support fine-grained analysis.