The information-first approach
There is a common misconception among civil society organisations that there is some objective set of measures that they should take to be ‘secure’. Many digital security providers encourage this by promoting audits as a way of gaining an understanding of your vulnerabilities. Those providers then recommend generic technological solutions to their clients. These have the benefit of being easily specified and deliverable within a well-defined time period and budget; however, they only offer the ‘illusion of security’: they are almost always inappropriate, and sometimes dangerous.
Our approach differs from the existing generic solutions. It is risk-based and information-centric. We focus on your information assets and the value and potential harms presented by them, rather than auditing device configurations and digital security practices against potentially-arbitrary standards.
You should be mindful that for an information security gap analysis and framework to be effective, it is essential that your organisation has the necessary:
- Staff member(s) with the delegated responsibility and authority for information security.
- Resources, particularly time, to dedicate to the process and any subsequent work.
- Recognition from senior management that they will need to support and be directly involved in the process for it to be a success.
We can discuss how best to proceed if one or more of these requirements are not currently in place in your organisation.
The process
We will complete a simple gap analysis and develop an information security framework with you that is grounded in tried and tested information security principles. The framework consists of an agreed policy and a provisional baseline.
The policy is a simple two-page document covering information security governance and implementation. The baseline is made up of:
- Information registry: Your organisation’s information assets, their value and potential harms, and the measures in place to protect them.
- Technology registry: The requirements and implementation of your organisation’s devices and online services.
- Document repository: All existing policies, procedures and other relevant documentation, if any.
- Priority queue: A prioritised list of the information security activities and projects that your organisation wants to complete.
To create these elements, we will take you through the following steps:
- Delivering a two-hour information security workshop to all staff.
- Creating the first version of your baseline through some or all of the following:
  - Carrying out a document review of your existing policies, handbooks, etc.
  - Running one or more workshops with relevant groups of stakeholders within your organisation.
  - Conducting interviews with key staff with information security responsibilities, including senior managers.
  - Providing templates for all the registries, to be completed together with a designated point of contact within your organisation.
- Conducting a framework gap analysis and sharing our findings in a report and presentation to your senior management team and board, as relevant.
- Agreeing an information security policy with your senior leadership.
At the end of the process, you will have a clear understanding of where the gaps are in your information security framework and have begun to bridge them with the required registries and policy.
Next steps
The framework is a vital foundation for effective and sustainable information security governance and implementation in your organisation. Of the various elements, it is the priority queue that will help you decide the optimal ordering of activities to be completed as resources permit going forward. Your priority queue will include developing the measures to protect your information assets that present the greatest potential harms as well as procedures for specific circumstances relevant to your organisation, such as crossing international borders. These measures can include:
- Paper: Policies and procedures
- People: Staff responsibilities and practices
- Tech: Technology requirements and implementation
We can help you decide on what to focus on next and provide you with quotes if you require our support with any of these activities.