What is good practice? Directors' Guides published

There is no excuse for permanent secretaries and senior responsible owners to ignore “The Directors’ Guides to Managing Information Risk” published yesterday. Each of the eight guides follows the format of a Churchillian “prayer”: “pray let me know on one sheet of paper …”

Each of the eight Guides is two sides of A5, with no unreadable small print.

They are the first product from the Information Security Awareness Forum produced with the help of IAAC, building on previous material which was also sponsored by BT (an excellent use of a fraction of the marketing budget of their security practice).

The first of the three guides on process emphasises the need to put risk management programmes into business context as “positive contributors to the success of the organisation and not just another cost of doing business”. They must “Directly and demonstrably support each of the organisation’s stated strategic objectives (e.g. breed client confidence among the organisation’s client sectors), not just reduce the aggregate impact of information failures and security breaches”.

I was impressed at the way that the third of the three guides on organisation compressed what Directors need to know about the relevant Regulation and Legislation onto two sides of A4.

The two guides on people issues (http://www.iaac.org.uk/Portals/0/23176_DIAN_A5_PEOPLE_15_4.pdf), “Governance and Structures” and “Creating a Strong Information Handling Culture”, are equally impressive.

Anyone can carp on what is left out, but those serious about wanting to sustain a reputation as being a safe organisation to do business with should begin by reading the guides and sending copies to their Directors and Senior managers.

They should then consider how well their current policies and processes fit the questions likely to be asked.

Some time ago I blogged on the Inflation-beating cost of information security snake oil and suggested ten questions (less 10% for budget cuts to cope with recession) for external Directors to ask before the next Board meeting:

1) Have you ever seen, let alone read, the organisation’s information risk (or information security, data protection or similar title), policy?

2) How long did it take you to read?

3) Could you understand it?

4) Did it complement the mainstream business operations and help achieve the objectives of the organisation – or did it get in the way?

5) Are all staff in the company informed of the policy, why it is important and what it means for them?

6) Are all staff trained/assessed in their understanding of the policy and how to follow it in their day-to-day jobs?

7) Do all staff (at all levels) know who to contact when faced with a problem that is not covered by the policy?

8) What are the company’s routines in the event of a serious problem and when were they last tested?

9) Are you content with the answers to the above?

In the light of the Directors’ Guides and the many meetings I have attended on this topic over recent weeks I would wish to add back my tenth “killer” question:

How do we decide who we trust?

– from the people we already employ,

– through those we might employ and those working for our partners, suppliers and contractors

– to those claiming to be from government, law enforcement, regulators or auditors who might demand access to our people or records

– let alone those bombarding us with e-mails or whose websites churn up when we use a search engine.

Despite getting sore feet yesterday from traipsing round Infosec before chairing the session on the case for a Police Central E-Crime Unit, I had little confidence that (m)any of those exhibiting could find me the answer.

This therefore remains the question at the forefront, not just the back, of my mind as I spend the next couple of days preparing the papers for the forthcoming EURIM AGM, when we will be discussing our forward priorities, particularly how to help rebuild confidence in the Internet as a safe place to work, rest and play.