[Adam Whittington] I continue to be surprised by the lack of attention business management places on information security auditing.
Most businesses have ‘IT people’ or an ‘IT company’ to look after their network security, security patch updates and anti-virus updates, and most businesses have a financial audit that covers an assessment of internal controls.
It's your responsibility...
As a business manager, it is your responsibility to protect your company’s information assets from all threats.
To confirm that you are carrying out this responsibility, the business processes that keep company information safe and secure require a consolidated and systematic evaluation that exposes your true state of affairs.
This is a separate and specific process that we term an Information Security Audit.
This applies to small and medium-sized businesses...
Business management should discard the common misconception that Information Security Audits are reserved for large companies. The value of information does not depend on the size of its custodian, but on its use, purpose and accuracy.
South African legislation and good governance practice clearly places the responsibility for the protection of information in the hands of business management.
Start right - tips for good information management practice...
Ideally you would want an Information Security Audit to be independent. However, your company may not have the budget or you may not know how to adequately prepare for an Information Security Audit. Don’t let that stop you from applying sound IT management and governance practices.
Here are three considerations for getting started cost-effectively:
Define information security standards
Business management sets the information security standards based on its appetite for risk and on legislative requirements. Define the security risks your company is not prepared to accept.
Incorporate key groups
There are probably a variety of groups or departments within the company that have some responsibility for information security. Identify these departments and people. Include HR, IT, Finance and Legal, and form a security group to start taking responsibility.
Choose the right Managed Service Provider
Your Managed Service Provider (MSP) should not only provide technical expertise, but should also possess proven information security knowledge and experience. Look into their reputation and history with other companies: Are they an established, knowledgeable service provider? Are they reliable and approachable? Do they understand the business environment beyond IT? And do they offer additional services that give you tangible insights?
Your MSP should be your most trusted business partner and should assist you with setting and enforcing company security policies, and with conducting technology and penetration testing that exposes potential vulnerabilities before an attacker does.
Established in 1991, MMC provides organisations within the small to medium business sector with a variety of flexible, outsourced IT services. With solid implementation experience across a wide range of leading IT products, we provide robust, reliable solutions that are tailored specifically to the individual needs of our clients.