
5 questions you should be asking to ensure your business is taking information security seriously
The SRM Blog


Written by Ian Armstrong

28th February 2020


Who is responsible for information security within your organisation?

The simple answer is: everyone. While this may seem like a simplistic response, it is crucial that every organisation understands the importance of building accountability into every role, from top to bottom. While an IT or Infosec Team will take the lead on designing, implementing and maintaining an information security policy, adherence to those policies requires buy-in from every team member.

If you are a senior manager or board member within your company, you may not be directly responsible for implementing the detail of a company-wide information security plan. You do, however, have a duty to ask pertinent questions, provide support and advocate suitable resources to ensure that information security is correctly scoped, regularly updated and fit for purpose. After all, in today’s digital age, the very future of a business depends on its ability to protect its digital assets. Without data security, a business is at great risk.

It all sounds like common sense, but how do you actually know if your business is taking information security seriously? Here are some questions to ask.


1. Where is our incident response plan and is everybody in the team familiar with it?

Often the first hint of a breach will be discovered by an employee outside the IT and Infosec Team. In order to ensure that the response to a threat is swift and effective, every member of an organisation needs to know where to find the incident response plan and how to follow protocol. Asking your team if they are familiar with your incident response plan and where they can find it will provide a clear indication of whether your business is taking information security seriously.

For organisations without an in-house cyber security resource, the first port of call in the event of an emergency may be an external incident response team.


2. When was our cyber security risk register last updated?

Senior managers need to know the exact nature of the cyber risk they face and make informed decisions about how to reduce exposure. The cyber security risk register ranks the risks to the organisation, and it is up to senior management, or those with operational accountability, to discuss those risks and work out a prioritised plan for treating them. Some risks may be acceptable while others need to be mitigated immediately. A register that has not been updated recently is a sign that decisions are being made on stale information.


3. Do we have an overarching infosec policy and are we doing enough to adhere to it?

An information security policy is made up of a set of rules designed to ensure that all users and networks within an organisation abide by the protocol around the security of data. Typically, the policy prescribes the level of access each employee is granted, which depends on their seniority or remit.

If the answer to this question is “No”, it’s important that you get one in place quickly. It may well be that the in-house skills to draft a comprehensive infosec policy effectively aren’t available, in which case bringing in outside expertise could be necessary.

Find out more about how a VirtualCISO can provide a flexible and scalable resource.


4. When was our privacy policy and acceptable use policy last reviewed?

A privacy policy is a statement or a legal document that outlines some or all of the ways an organisation gathers, uses, discloses, and manages a customer or client’s data. It is a legal requirement. An acceptable use policy is not required by law, but it can be an important tool for an organisation. By outlining the constraints, practices and disclaimers that users are expected to agree to, an acceptable use policy can reduce the liability of an organisation.


5. How do I know if our technical security controls and review schedule are fit for purpose?

Technical security controls fall into three categories: preventative, detective and responsive. The controls themselves include safeguards, countermeasures, hardware and software. They must be regularly reviewed and updated to remain fit for purpose, so the review schedule matters as much as the controls: a control that was appropriate when it was deployed may no longer match the threats or the systems it protects.


Final thoughts

A robust information security strategy safeguards the confidentiality, integrity and availability of an organisation’s data and there are legal and regulatory requirements that compel us to ensure this is done effectively. A carefully crafted information security strategy can reduce the risk of a data breach while an Incident Management plan will ensure that there is a clear plan of action for responding in the event of an attempted attack. Demonstrable security also benefits customers, stakeholders and third parties, enhancing business relationships and reputation.

A good information security plan should be regularly challenged, both internally and externally. It is also advisable to perform tests and exercises (preferably with the support of external expertise) to explore and exploit any gaps so that remedial action can be taken whilst control is still on your side.


To discuss how SRM can provide the expertise and professional input to help both senior team members and IT departments develop and manage an effective overarching information security strategy, contact us or call us on 03450 21 21 51.