Consultant and teacher talks about the importance of the Corporate Information Security Process
 
Consultant, professor and information security manager, Edison Fontes holds a master's degree in IT and the CISM, CISA and CRISC certifications from ISACA (USA). Author of five books on the subject, his most recent work, "Policies and Norms for Information Security", published by Editora Brasport, includes 30 examples of policies and norms for organizations. At a time of debate on the protection of information and processes in organizations, Edison gave an exclusive interview to the ABES Portal. Check it out!
 
 
What is the most effective way for the company to map IT security risks?
 
When we talk about information security, based on the NBR ISO/IEC 27002:2013 Standard, we must consider 16 Dimensions that make up the Corporate Information Security Process. Risk management is one of these dimensions, as is the information technology (IT) environment. Each dimension is a set of controls focused on one aspect of information protection. The issue of information security risk management is so relevant that there is the NBR ISO/IEC 27005:2008 Standard, which deals exclusively with the topic of risk.
 
Therefore, I understand that the most effective (that is, both effective and efficient) way of dealing with the issue of IT risk and security, with the greater objective of protecting information, both in the digital environment and in the conventional environment, is to have a structured approach that considers all dimensions of information security.
 
I indicate that, first, we need to have regulations, within the Information Security Policy set, that define the scope of the risks to be considered. Then I suggest that the risk analysis for the IT environment be carried out, based on the controls of Standard 27002. This is the best approach to address the risks to the IT environment.
 
 
How to manage and integrate security issues in the age of mobility, BYOD and cloud?
 
The themes of mobility, BYOD and cloud processing are important and reach all organizations. But the question is not how I secure these themes. The question is: what security does your organization want to have? What security strength is right for your organization? And attention: these answers are not given by the IT area or by the security area itself. They have to be answered by the management of the organization. Evidently, the information security area is responsible for dealing with this matter in a structured manner and for identifying the possible levels of rigidity for security controls. To clarify: user authentication can be done with a password alone, or with two-factor authentication such as a password plus biometrics. The business area should decide this rigidity. Remember that more security means more time and operational cost, which impacts the business. I always say: every organization has the security it deserves. Every organization has the security it wants.
 
So, when dealing with these new themes, we need to know what security the organization needs. In a BYOD solution, the organization will take more risks than an organization that uses only corporate equipment. But perhaps, for a midsize business, the ease of use of BYOD by its salespeople will streamline business and increase revenue. The business area has to assess these risks.
 
In terms of cloud processing, I don't believe that a pharmaceutical research organization will put its years of research into the cloud for a product that is going to be sensational and will bring in millions of dollars in profit. Is the cloud secure? Relatively, yes. Should research of this type, which will be the salvation of the company, be placed there? The manager will decide.
 
What are the most common obstacles to establishing a security policy?
 
I understand that the first big obstacle to establishing a security policy is the fact that people don't know what a security policy is. Or rather, not knowing what a Corporate Information Security Process is. However, I clarify that the management of the organization does not have the obligation to “magically” know these concepts. After all, they have been working in a certain way for years and have never (or almost never) needed to address the issue of security. In addition, security is thought to be just information technology. The information security area or the consultant hired for this task has the responsibility and obligation to present a structured approach to the matter to the management of the organization. The Information Security Corporate Process must be planned.
 
Another very common obstacle is the fact that people do not accept the new responsibilities that the Corporate Information Security Process brings to the company. In addition to being the manager of the financial area, the director of this area will have to be the manager of financial information. There's no way to escape.
 
Another obstacle that, unfortunately, I have seen in the market is the lack of experience of some information security professionals, who nevertheless assume responsibility for developing the Corporate Information Security Process. What happens is a “crazy Creole samba” (a jumbled mess): many pieces of security will exist, but far from a structured process.
 
Most important is the need for the organization's management to commit to the desire to have security policies and standards. If management does not commit, the result for policies and standards will be very poor.
 
Where is there more resistance to applying controls? In top management or among users? And what strategy can overcome it?
 
Simply put: in people, both in top management and in users. It is necessary to carry out work together with all people. Top management has to understand that the quality of security will depend on how this security is going to be defined, its rigidity. And users need to be aware of the rules they have to abide by. In my experience, when we explain security controls to users and why these controls are used, they accept it. It doesn't mean they agree and think it's wonderful, but they understand professionally. We need to work with people. After all, no one likes to have limits on action. Neither you nor I, but security is a protection for the organization and needs to be handled professionally.
 
 
How to involve everyone in the company regarding the applications and implications of controls?
 
I only see one way out: the existence of a plan for the security process. Believe me, there are organizations that do not have an information security plan for the next three years. By the way, reader: does your company, the company you work for, have a plan for information security? Is there an information security area?
 
 
Give examples of controls established beyond IT boundaries.
 
User training is a control that is outside the technical IT environment. People need to be trained in information protection. In many situations of external spying or fraud by external criminals, access to information does not happen by breaking encryption. It happens through social engineering, which is the criminal's way of obtaining information without the use of violence. Just a “good talk”. Another aspect beyond IT is the existence of information security policies and standards. And finally, I recall the issue of business continuity. In disaster situations in the corporate environment, just recovering the IT environment is not enough. It is necessary to recover the office environment, as well as the option of remote work.
 
Any additional information you want to add?

Yes. I would like to reinforce that every organization needs to have its Corporate Information Security Process and must consider the Security Dimensions (table below):
