Clearly define information and cyber security roles and segregate responsibilities in an overarching management framework.
Options to consider:
- Develop a network of information and cyber security champions across your organisation to support the framework.
- Review the framework at appropriate intervals to ensure it remains up-to-date.
- Include your Data Protection Officer (DPO) on any relevant information and cyber security committees, boards or forums.
Set out your approach to information and cyber security in a policy framework.
Options to consider:
- Create procedures that support and provide direction on certain topics (eg physical security, network security, access control and asset management).
- Create system operating procedures that provide clear guidance on the correct and secure use of software and hardware assets which process personal information.
- Ask staff to confirm they have read and understood key policies and procedures.
Incorporate information and cyber security within a formal training programme.
Options to consider:
- Do a training needs assessment to understand at a role level what training your staff require, taking into account the information you process and the risks to security.
- Include information security in the induction process and refresh the training on a regular basis.
- Provide specialist training, where applicable.
- Ensure the content of the training is written by qualified personnel and approved by senior management.
- Keep records of completed training to evidence that you are meeting training targets.
- Include a knowledge check at the end of any training to test staff understanding.
- Request staff feedback on the effectiveness and relevance of the training.
- Upload the training materials to your intranet so staff can still access it on completion.
Assign responsibility for monitoring your information and cyber security practices and regularly report on these practices to an appropriate level of management.
Options to consider:
- Assign responsibility for monitoring information and security practices.
- Regularly report findings to the appropriate level of management.
- Set up a steering group or other forums where you can discuss information and cyber security.
- Share the minutes from the meeting with other established committees or boards.
Broaden your knowledge and understanding of new and emerging technology and the security threat landscape by interacting with external information and cyber security communities.
Options to consider:
- Become a member of an information and cyber security group or forum that shares relevant knowledge and best practice, such as early warnings of attacks and vulnerabilities.
- Rotate which cyber security staff attend cyber community events or workshops, so all staff benefit from new knowledge and continuing development.
- Regularly communicate common or increasing information and cyber security risks to raise staff awareness.
- Include common or increasing risks in regular refresher training.
Assess your information and cyber security risks as part of your risk management approach.
Options to consider:
- Assign responsibility for managing information and cyber security risks to information asset owners.
- Ensure relevant staff have sufficient risk management training.
- Assess information and cyber security risks before starting new projects.
- Do a data protection impact assessment to compliment your security risk assessment.
- Use both local and central risk registers to capture information and cyber security risks at all operational levels.
- Review and update risks on an ongoing basis.