Organisations ought to formulate and implement a set of essential approaches that communicate organisational security requirements to the information security operators within the organisation. These approaches include:
1. Policy: This is a high-level or management statement of plan that embraces the general organisational security goals and the acceptable procedures for achieving them. Policies are made by management when laying out the organisation’s position on certain issues. Every organisational security policy must operate as a lifecycle.
Policy lifecycle: Because the network being secured changes constantly, the approaches to securing it must also change, and they revolve through a cycle so that the policy retains its relevance.
Figure: Organisational security lifecycle (self constructed), with four stages:
Plan: The proposal and strategies to be adopted. These can be adjusted to suit whatever security situation prevails in the organisation.
Implement: Giving practical effect to the plan and ensuring it is actually carried out.
Monitor: Keeping track of, or watching over, the implementation process.
Evaluate: Appraising the effectiveness of the whole organisational security plan/policy.
2. Procedure: This approach involves the step-by-step techniques, processes or instructions on how to implement policies in organisational security.
Procedures describe precisely how staff are expected to act in each situation or to complete a definite task, especially as it concerns information security.
3. Standard: Standards are accepted specifications that provide specific details on how a policy is to be enforced. They appear as mandatory elements regarding the implementation of a policy. Some standards are externally driven, such as banking/financial regulations or laws, whereas other standards may be set by the organisation to meet its own security goals.
4. Guideline: Guidelines act as recommendations that relate to the policies already formulated and implemented. They form a perimeter around the organisational security policy, and therefore following them may not be a mandatory step.
The policies, procedures, standards, and guidelines should be included in living documents that are periodically evaluated and changed as necessary. The continuous monitoring of the network and periodic review of the related documents are part of the process that constitutes the operational model. When applied to policies, this process results in what is known as the policy lifecycle. This operational process and policy lifecycle roughly consist of four steps in relation to the security policies and solutions.
Figure: The policy lifecycle: Plan, Implement, Monitor, Evaluate.
3.2 Steps to effective organisational security
Bandos (2018) listed 9 steps to achieving effective organisational security, and these include:
• Take a risk-based approach. A risk-based approach, especially with employees, is considered an essential approach to organisational security. No matter the cadre or position of the employee, determining where the most risk resides should always be one of the first things done in an organisation.
• Provide incentives for good behaviour: Another important step in developing a security awareness program can often feel like an effort in futility. Simply communicating what's expected of an employee from a security perspective or foisting a campaign on users isn't always effective. Organisations commonly deploy one-size-fits-all approaches that rarely succeed in altering employee behaviour over time. These types of campaigns don't need to go away — they likely never will — but they should give incentives to participants and reward good behaviour. Users shouldn't get shamed for accidentally clicking on a phishing link. Instead, they should feel like they play a pivotal role in strengthening the organisational control of a company.
• Incorporate technology: That doesn't mean it's not good to take some decision-making work away from employees. If you're relying on an employee to do the right thing all the time, you're going to fail eventually. Some see security as a burden on a user, but it doesn't have to be like that. Technology, the more transparent and seamless the better, can help take the guesswork out of situations.
Having a well-balanced security strategy paired with those technologies should be the goal of every enterprise.
• Stop and think: Employees should learn to adopt a stop-and-think mind-set. If an employee receives a phishing email, she should pause and ask herself "Is this something I should be doing?" before clicking through. The routine should become habitual, almost instinctive over time. An employee can be the last link in the security chain, but if that person clicks on something malicious, that chain is broken and has opened the enterprise to a possible breach.
• Assign a leader: Depending on the size of a business, it could prove beneficial to assign a security leader to each segment across the organisation. The leader can confer with other leaders and collaborate on pressing security issues. Every time users have a question — about a potentially malicious link or any other issue — they should be able to ask someone about it quickly. Without a leader, someone dedicated to answering questions, users could be tempted to click on that link, something that could lead to bad decision-making behaviour down the line.
• Get other departments involved: Organisational security doesn't need to be confined solely to the IT department. It's important to leverage resources you have internally. The marketing department can even play a role. One of the main goals across an organisation should be to build a security brand within the company. Tapping into the marketing department, a group of individuals that know how to position itself, what reaches people, and how to measure it, can be enormously helpful.
• Set up policies: Some of these suggestions may sound esoteric, but at the end of the day, employees still need to answer to something. That's why policies should be set up and enacted. If you don't hold employees accountable for their actions — what sites users can browse to, what they're allowed to do on their machines, etc. — all of this will be for naught.
• Refer to published frameworks: When it comes to published IT management frameworks, there are some great guides already on the books. The National Institute of Standards and Technology (NIST) has some guidance. Control Objectives for Information and Related Technologies, or COBIT, an auditing/compliance framework, can also help outline governance and management practices. Not everything may make sense for your company or your organisation but developing your own policies on the fly is never a great idea. Align with industry best practices; after all, they're considered best practices for a reason.
• Take your time: There's no reason to rush. This isn't something that happens overnight. It can sometimes take years for a company to deploy a successful security awareness campaign. Corporations too often take a tactical approach while rolling out campaigns when they should be more realistic. Take a strategic approach and plan over the course of several years, not months’ (Bandos, 2018).