12 February 2021
Drive Security Maturity With An “IT Road Code” For Your Organisation
Welcome To Our First Newsflash Of 2021
Significant changes in working arrangements have occurred for many people during 2020. In the last 10 months the COVID-19 pandemic drove an increased reliance on technology by organisations in order to ensure employees and customers could function through a very disruptive period.
When announcing their most recent quarterly financial results Microsoft CEO Satya Nadella was quoted as saying - "what we have witnessed over the past year is the dawn of a second wave of digital transformation sweeping every company and every industry.”
In moving to adopt or adapt technology it is important to continually re-assess processes, procedures and technology controls to mitigate against cybersecurity risks and threats. It’s also increasingly important to recognise and focus on the role that people play in security risk management and exposure. Plenty of organisations have experienced pressure in the short to medium term on the IT operations front, which makes it very challenging for an already resource constrained IT team to maintain any consistent focus on developing strategic and proactive initiatives that drive long term programmatic IT security improvement.
The uncomfortable truth is that Human Factors are ultimately the weak link in “business as usual” situations, as a result organisation who should readily be able to demonstrate a degree of security maturity are often very exposed. In the current environment, where business is not “as usual,” the level of cybersecurity risk and exposure has increased as users get to grips with using new technology and adapting their work practices.
Your “IT Road Code”
The best place to start improving your security maturity is to build a solid foundation of comprehensive IT Policies that establish common standards for operational system use, and also set a solid foundation for effective control of risk as part of your Security Maturity Model.
By creating this organisational “IT road code” users know the guidelines and rules of operation, minimising accidental data breaches and unnecessary security risks. The main objective of your “IT road code” is therefore to protect corporate systems, and maintain data confidentiality, integrity and availability.
A comprehensive suite of policies will assist with the practice of good information governance upon which procedures, processes and informed technology investments can then be made.
Develop, Deliver, Maintain
Many organisations have opted to carry out policy development work, and then try to deal with the ongoing management of them, in-house. This approach has had limited effectiveness primarily because organisations don’t have the required resources in place to do such specialised work.
Some questions to consider when using in-house resources to develop, deliver and maintain IT policies -
- Do we have someone in the team that can write policy content in plain English?
- What is the appropriate level of policy content for our organisation?
- Is our existing policy content relevant, based on the technology we are using or now adopting? Who do we need to provide policies for - users, managers, technical team members, contractors, directors?
- How do we align policies with standards, best practice guidance and legislative requirements? Who else in the organisation do I need to engage with for input on this project?
- What is the timeline to start and finish drafting, reviewing and approving policies?
- Is there an agreed approach for delivering the finished content to the wider organisation?
- Once developed who will deal with changes to policy wording if the in-house author leaves, or our business requirements, technology choices, or standards change?
- What is the real cost of conducting this exercise in-house?
A Proven Alternative
Policy Management as a Service (PMaaS) is designed to assist organisations develop, deliver and maintain a comprehensive suite of IT policies tailored to their specific business requirements. A typical PMaaS project can be completed in 8 weeks (elapsed timeframe) and incorporates a 2 day workshop to facilitate and stimulate discussion between stakeholders.
All our policies are mapped to a range of international standards and best practice recommendations such IS27002, ISO27017, PCI-DSS, ASD Essential 8, to name but a few. A number of additional supporting elements are provided with the service including a range of templated procedural forms, security awareness videos, a glossary and topic index. A key element of the service sees Kaon Security provide ongoing assistance to keep all the content up to date with changes in areas such as standards, policy wording, and terminology. This ensures our customers have ongoing continuity in terms of access to subject matter expertise, and are not reliant on finding someone in-house to keep IT policies relevant and up to date.
Lastly, we frequently get feedback from customers that their auditors view the system and its content in a very positive light.
View the latest video on our Policy Management as a Service offering
To view a selection of case studies – Click here
VPDSS Policy Alignment Package Now Available
During the last few months we have been asked to assist organisations with a selection of VPDSS related projects. Our Policy Alignment Package comprises of three parts, and is designed to help you navigate some of the key Victorian Government requirements for the consistent application of risk-based practices to manage the security of information
- Alignment Matrix - cross references statements within the Policy System that are aligned to the 90+ Elements of the 12 Standards documented in the VPDSS Implementation Guidance.
- Primary Sources Handbook - provides a quick way to access the specific and relevant content excerpts of the 25+ VPDSS Primary Sources listed in the VPDSS Implementation Guidance.
- 1 Day Remote Workshop - our consultant works through an exercise to align the current policy statement wording with the VPDSS Implementation Guidance. Any wording changes required will be recorded by the consultant and then applied to the customer’s Policy System.
Policy Lite System
Our Policy Lite System is for small to medium sized organisations and is focussed on delivering content suitable for an organisations general user population, the system contains 18 key policies that are mapped to ISO27002. As part of the customer delivery exercise one of our consultants facilitates an online workshop to ensure the content of the system is aligned with your practices.
To view a video on the Policy Lite System - Click here
Kaon Security Deliver The Goods To Ports Of Auckland
Ports of Auckland Ltd has been playing a vital role in the Auckland economy for 176 years. It is both New Zealand’s biggest import port, and its largest and most efficient container port.
Read how our Microsoft 365 Security Audit service assisted PoA to get a very good understanding of their risk position, and lower their exposure to any security threats whilst using the M365 suite - Click here for the case study.
Please note in addition to this report, Kaon Security supplies a separate folder of supporting information which includes media files of the areas identified as requiring review and remediation.