An information security management system (ISMS) is a structured approach used to better manage your company’s most critical data and information. It can be achieved by adopting an ISMS standard like ISO 27001 or NIST 800-53 and through a certification process. But integrating an information security management system at your organization can be fraught with issues and complexities. Below, we’ve outlined five issues you should avoid while building out your ISMS.
1. You can’t identify your most critical data. This is the number one issue companies face when they set out to create an information security management system. Companies tend to have a difficult time identifying which data is most critical and why, because doing so requires a massive effort from many different areas within the company.
For example, not all critical data is housed within the company itself, so you must figure out who has access to it. What’s more, once this critical information is identified, the company must determine how to build proper controls that will reduce or eliminate the risk of that data ending up in the wrong hands.
2. Policies aren’t in place for protecting sensitive information. If you expect your employees to act a particular way with regard to your sensitive information, you must have policies in place regarding acceptable use. These policies should answer the following questions:
3. Employees aren’t trained in company policies. For your information security management system to work appropriately, you must build a culture of cybersecurity from the top down. Top-level executives must send the right messages about information security in order for other employees to take it seriously — and your internal training processes must go hand-in-hand with that.
4. Technology isn’t implemented for your policies. For example, if your organization has a strict policy against employees accessing sensitive information on insecure Wi-Fi networks, you need to have technology in place to prevent employees from doing so. You can’t simply trust that all employees will pay attention to the policies you’ve created. Having behavioral analytics tools can help you identify when employees are using data outside of their normal activities, which may indicate that either the employee is doing something questionable or their credentials have been compromised.
5. You can’t limit vendor access to sensitive information. It’s important for your third parties to have the access to your data they need in order to do their job. But controlling the amount of sensitive data and network access your third parties have is critical in creating a functional information security management system.
The problem with ISMS frameworks like ISO 27001 and NIST 800-53 is the sheer size and utter complexity of the frameworks. Most practitioners simply don’t have the time or capacity to get through them — and if they tried, they could be in the weeds for a long time.
The more important question to consider for anyone wanting to build an ISMS is where their valuable data is located and how they can put the correct safeguards in place to protect that data. These seem to be the questions that far too few companies are asking! So before you try to stick to a framework, be sure you have a very good high-level understanding of information security risk and its importance to your organization.