Security Culture
A trivial observation will reveal a lot of issues about the security culture of an organization.
1. Does the organization:
Have information security policies in place
Define the different information classes
Provide examples of each information class
Establish an approval process with the appropriate authoritative level to declassify information for sharing
Deploy viable means to share confidential materials
Communicate properly to all staff through a mandatory regular refresher programme
Integrate an information security undertaking into the employment terms
Impose discrepancy process for policy violation
Enforce a role-based access profile per job function
Review access rights periodically for appropriateness
2. Do the staff:
Have minimal access to information, just as required by their job roles
Forget to reclassify the information after approval has been granted
Understand what has gone wrong
It seems that many issues have surfaced, but this is the challenge and a matter of fact when all of us are living in the digital world, not to mention that unstructured information is everywhere, beyond the organization's cyber landscape.
The bottom line is that securing information as mandated by policies (written directives) relies on humans rather than technologies.
...