In our travels providing IT Support and various IT Services, we work with lots of different businesses. Many small businesses start and grow very organically and have little time for pie in the sky ideas like “security policies”. Usually it takes a mandate from a business partner or external stakeholder to prompt a small business to even start thinking about risk management.
The problem for many is that it’s very daunting to start with nothing, having no experience with any risk management system, and somehow end up with a valuable and solid system.
In our case, we enlisted the help of a security consulting firm. The result was that we gained the internal knowledge and experience to run our own Information Security Management System (ISMS) and controls, based on the ISO 27000 series standards.
So, to help out our Business IT Support clients, we are going to share a few simple steps and cookie cutter templates that should enable many small businesses the develop and implement some management control of their Information Security and give them a head start into expanding on that.
So here we go:
The foundation of our ISMS Information Security Management System is identifying what data you have to protect, and then identifying the risks to that data and the IT Systems surrounding it. Bear in mind that “protecting” the data means protecting its:
Confidentiality: Only those that should have access, have access
Integrity: Ensuring that the data is accurate and not accidentally or maliciously altered incorrectly.
Accessibility: Ensuring that the data is accessible to those that require access.
All 4 areas must be addresses to give a complete risk management strategy.
Step 1: Develop an “Information Asset Register”. This is a basic list of the key information stores of the business. See the below link for a template which includes some common small business assets.
Step 2: Develop your “Information Asset Register” into “Risk Register”, which is a list of risks that could affect each Asset.
Step 3: Mitigate your risks to a level of risk you are happy to bear by creating security “controls”.
Step 4: Schedule regular time slots where you check and revalidate your asset register, risk register and mitigation controls.
This is entirely a management process but requires deep understanding and consideration of the risks and possibilities, so you need to have a deep technical understanding of your environment. As such it can be very helpful to enlist the advice of a professional consultant.
See attached a template to help get you started at Information Risk Asset and Control Register