People Centric Information Security – Part V

Interpreting information is a subjective process, shaped by individuals’ unique perspectives. This can present a significant challenge for organizations striving to achieve their goals. The greater the reliance on individual perspectives for accurate interpretation, the higher the risk of misinterpretation. This complexity makes it challenging to maintain processes to work efficient and, consequently, to meet organizational goals and objectives.

Processes are like riddles with countless pieces of information, processed by various people. Unravelling these riddles all starts with capturing and understanding the information streams within your organization. And once you understand them, make sure there is no other interpretation possible than meant by the owners of the information. By taking out the abstractness, it is possible to determine logic (security) requirements that apply to each information stream. People will understand them and work accordingly because it is clear why these requirements exist.

Seems nice right? Here’s the catch; it’s no walk in the park. It means getting people involved and perform actions that might never have been involved and done before. It means making everyone aware and getting them to act based on the following facts:

1. the security department (with the CISO at its head) is responsible for the quality of the information security process,
2. every information owner is responsible to execute the information security process on the information streams they are responsible for,
3. everyone that processes the organization’s information is responsible to follow the outcomes of the information security process.

To help understand how to realize this for a specific organization, I visualized the information security process and created the People Centric Information Security Management Framework (PCISMF). Figure 1 represents this visualization:

Explanation Figure 1

In this part of my blog series, I will focus on the part of the process without the overlap of ‘Cyber Security’:

These first three steps set the requirements for the secure processing of information. In these three steps an organization needs to determine the answers to the following questions:

Apply information governance.

1. Who is responsible (the owner) for what information?
2. Which people process information for each individual information owner?

Capture information streams and analyze impact.

1. What tasks for which business functions do those people fulfil to realize the progress of which business processes?
2. What is the expected impact on the organization when the information of the individual owner becomes:
   • unavailable,
   • incorrect/corrupted,
   • available to people that shouldn’t have access to it?

Determine impact probability and establish controls for compliance.

1. What is the probability of the actual occurrence of the impact?
2. Which measures are justifiable to mitigate the probability?
3. Are these measures in place and do they work according to expectations?

Result

The result of these steps in the information security process establish insights and input for:

1. Policies – describing the way the organization expect how to execute processes.
2. Controls – establishing controls to mitigate risk and safeguard compliance.
3. Terms & Conditions – establishing the conditions that apply to the organization¹.
4. Procedures – setting up specific workflows according to which processes need to be executed.
5. Standards & guidelines – helping people to understand how the organization expects them to operate regarding specific situations.
6. Contracts – making sure the conditions under which an organization enter into contracts are in line with expectations.
7. Control measurements – establishing how to measure the correct performance of business processes and business functions.
8. Audits – checking controls and managing gaps, making sure 1 to 7 are in line with expectations².
9. The next steps in the information security process. The steps where cyber security (safely processing information with technology) starts. I will elaborate on these steps in my next blog.

Please note that results 1 to 8 do not only focus on the secure processing of information. They also focus on the how to come to the best possible way to perform the tasks needed within business functions. Next to realizing the secure processing of information, this also realizes higher quality regarding the way people perform these tasks. As described in the second blog of this series, you need to build information security right into your processes. The steps in this information security process realize just that.

Conclusion

There needs to be a shift in the way we think about responsibility regarding information (and cyber) security. Information governance is the first step of the information security process. It is a prerequisite to realize the execution and implementation of information security in context of a specific organization.

It is a prerequisite because security requirements need to be established from an organizational point of view. This is done by having an information security process in place that, next to assigning responsibility to information owners, helps them to carry out and take this responsibility. An information security process that relates security requirements to the way people process information for the progress of business processes and business functions. The result is the injection of security requirements into the foundations of these processes and functions.

Upcoming Blogs!

In my next blog I will zoom in on the next remaining steps, where cyber security starts, and explain how the translation of the first steps are input for these remaining steps, and how this is a continuous process.

In later blogs I will zoom in on how to manage the information security process by creating an Information Security Management Center (ISMC). I will also describe how I, in my role as a CISO, applied the PCISMF.

1. ↩︎
2. ↩︎