A trivial observation will reveal a lot of issues about the security culture of an organization.

1. Does the organization:

  • Have information security policies in place
  • Define the different information classes
  • Provide examples of each information class
  • Establish an approval process, at an appropriate level of authority, to declassify information for sharing
  • Deploy viable means to share confidential materials
  • Communicate properly with all staff through a mandatory regular refresher programme
  • Integrate an information security undertaking into the terms of employment
  • Impose a disciplinary process for policy violations
  • Enforce a role-based access profile per job function
  • Periodically review access rights for appropriateness

2. Do the staff:

  • Have only the minimal access to information that their job roles require
  • Forget to reclassify the information after approval has been granted
  • Understand what has gone wrong

It seems that many issues have surfaced, but this is the challenge and a fact of life when all of us are living in the digital world, not to mention that unstructured information is everywhere, beyond the organization's cyber landscape.

The bottom line is that securing information as mandated by policies (written directives) relies on humans rather than technologies.
