How Effective Is Your Information Security and Privacy Policy? Measure It!

By Marlijn Mulder

In today's increasingly digital world, effective information protection is a pressing concern. It is common to talk about information security and privacy, but when is protection truly effective, and how can you measure it? Often we measure whether we are doing the right things (compliance), but not whether data is actually protected. In practice, the latter is what matters most: you do all of those things to prevent data breaches and information security incidents.


Highberg uses the following seven best practices to measure the effectiveness of information security and privacy policies, with data playing a central role in each of them.

1. Combine Information Security & Privacy (IS&P)

Information security and privacy are closely intertwined. The GDPR imposes requirements on information security (security of processing), and information security frameworks in turn set requirements for privacy. It therefore makes sense to measure their effectiveness together. We see more and more organizations merging IS&P into a single department, which promotes cooperation and information exchange.

2. A Topic of Discussion at the Executive Table

"Without the top management, you won't get anyone on board," someone once told me. If IS&P is not a topic discussed at the executive level, you can push and pull all you want, but nothing will happen. The executive board and top management are essential to an effective policy; ultimately, the responsibility for secure processes lies with the business. As organizations become more data-driven, we see questions emerging from the executive board and top management about whether IS&P can be integrated. Our answer is yes, it can. We also ask the executive board which aspects they want to receive reports on. If they have no answer to that question, we report on the likelihood of things going wrong.

3. Making Processes Measurable

In the IS&P field, the focus is on designing and then executing certain processes to ensure security, such as the mandatory execution of a Data Protection Impact Assessment (DPIA), implementing a password policy, or handling confidential data. The idea is that if the process is implemented and executed well, we are secure. But compliance does not guarantee that you are effective in preventing data breaches or IS incidents; more is needed. Directing the organization to follow processes is not enough; you must also make the maturity of those processes measurable. Think of a case system that shows how many DPIAs have been executed, or logging and monitoring that shows how often passwords are actually changed. If it has been established in advance how a process is measured and against which baseline, you can see per process where attention or interventions are still needed.

4. Measuring Awareness

Now, the human factor. Employees are and will remain a source of data breaches and IS incidents, and "human error" is routinely taken into account in risk analyses. That is why it is essential to focus on IS&P awareness. The problem: how do you determine whether the campaigns, flyers, micro-learnings, and presentations are working? By measuring how aware your organization's employees actually are, and by measuring the likelihood that people make mistakes, consciously or unconsciously, because of their working conditions, such as stressful situations or limited means to work securely.

5. Visibility of Unstructured Data

Unstructured data is a risk factor for both data breaches and information security incidents. The rule of thumb is: the more unstructured data, the greater the chance of something going wrong. By unstructured data we mean confidential information in emails, loose files sent back and forth (via Winzip, Google Docs, WeTransfer), and scattered (confidential) documents. In our experience, there are usually two reasons why an organization has a large amount of unstructured data: 1) there is no central storage or case system, and 2) the central storage, case system, or secure method is not user-friendly, so people find "workarounds" because doing it properly is inconvenient. Gaining insight into how far data is scattered throughout the organization is important. This can be done with logging and monitoring: making the number of attachments measurable, issuing warnings for recipient addresses outside the organization, improving the case system, and measuring how often a prescribed process is bypassed.
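As an added example (not code from Highberg or this article), the script below turns two of the measurements named above, the number of attachments leaving the organization and warnings for external recipients, into a metric that can be compared against a baseline. The log format, the internal domain `example.org`, the sender names and the baseline value are all constructed assumptions; a real mail gateway (Exchange message tracking, Postfix, a DLP proxy) logs differently, so only the parsing regex would need to change.

```python
"""Measuring outbound attachments to external recipients from mail-gateway logs.

Added example, not part of the original article. The log line format below
is hypothetical; adapt LINE_RE to the gateway actually in use.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the organisation's own mail domain(s); anything else is "external".
INTERNAL_DOMAINS = {"example.org"}

# Constructed sample log, one outbound message per line (not real traffic).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z sender=a.jansen@example.org rcpt=b.smit@example.org attachments=2 size=183k
2024-03-04T09:15:43Z sender=a.jansen@example.org rcpt=client@partner-firm.nl attachments=1 size=2.1M
2024-03-04T10:02:17Z sender=p.devries@example.org rcpt=p.devries@gmail.com attachments=3 size=5.4M
2024-03-04T10:07:55Z sender=p.devries@example.org rcpt=info@partner-firm.nl attachments=0 size=4k
2024-03-04T11:30:09Z sender=k.bos@example.org rcpt=hr@example.org attachments=1 size=90k
2024-03-04T11:31:00Z sender=p.devries@example.org rcpt=friend@hotmail.com attachments=2 size=3.0M
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sender=(?P<sender>\S+) rcpt=(?P<rcpt>\S+) "
    r"attachments=(?P<attachments>\d+) size=\S+$"
)


@dataclass(frozen=True)
class MailEvent:
    ts: str
    sender: str
    rcpt: str
    attachments: int

    @property
    def external(self) -> bool:
        """True when the recipient's domain is not one of ours."""
        return self.rcpt.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def parse_log(text: str) -> list:
    """Parse log lines into MailEvent objects, skipping lines we do not understand."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(MailEvent(m["ts"], m["sender"], m["rcpt"], int(m["attachments"])))
    return events


def external_attachment_counts(events) -> Counter:
    """Per sender: how many attachments left the organisation."""
    counts: Counter = Counter()
    for e in events:
        if e.external and e.attachments:
            counts[e.sender] += e.attachments
    return counts


def external_share(events) -> float:
    """Share of messages with attachments whose recipient is external (0.0 if none)."""
    with_attachments = [e for e in events if e.attachments]
    if not with_attachments:
        return 0.0
    return sum(1 for e in with_attachments if e.external) / len(with_attachments)


def over_baseline(counts: Counter, baseline: int) -> list:
    """Senders whose external attachment count exceeds the agreed baseline (the 'warning')."""
    return sorted(sender for sender, n in counts.items() if n > baseline)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    counts = external_attachment_counts(events)
    print(f"messages parsed: {len(events)}")
    print(f"share of attachment mails going external: {external_share(events):.0%}")
    for sender in over_baseline(counts, baseline=2):   # baseline value is an assumption
        print(f"WARNING: {sender} sent {counts[sender]} attachments to external addresses")
```

The baseline is the point the article makes in practice 3: decide up front what "normal" looks like for a role or department, then report the senders or teams that drift from it, rather than every single external attachment. Run over a real day of gateway logs, `external_share` is the kind of single number that fits on the executive dashboard from practice 7.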

6. Visibility of Data That Should No Longer Exist in Your Organization

The previous best practices focused on reducing the likelihood of a security incident; this one is about reducing its impact. An incident is already unpleasant, but it becomes even more unpleasant when confidential data that could have been deleted a long time ago is exposed. Consistently determining retention periods and ensuring that they are actually enforced, for digital and physical records alike and automatically where the systems allow it, helps significantly. This principle is closely related to "visibility of unstructured data": how do you ensure that all confidential information in mailboxes and on local storage is deleted in time? This can be made measurable by searching your infrastructure, using random samples, for confidential data that should no longer be there.
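The random-sample search described above, as an added example that is not code from the article: the script draws a reproducible random sample of files from a share, checks each file's age against a retention period, looks for a classification marker in the file head, and reports the estimated share of stale confidential files with a rough 95% margin of error. The seven-year retention period, the `CONFIDENTIAL` marker and the constructed file share it builds in a temporary directory are all assumptions; in practice the period comes from the retention schedule and the marker from the labels the organization actually applies.

```python
"""Estimating by random sampling how much confidential data past its retention
period still exists on a file share.

Added example, not part of the original article. Retention period and
confidentiality marker are assumptions for illustration.
"""
import math
import os
import random
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 365 * 7        # assumption: seven-year retention period
MARKER = b"CONFIDENTIAL"        # assumption: classification label written into documents
SECONDS_PER_DAY = 86400


def is_confidential(path: Path) -> bool:
    """Only the head of the file is read; classification labels sit near the top."""
    with path.open("rb") as fh:
        return MARKER in fh.read(4096)


def past_retention(path: Path, now: float, retention_days: int = RETENTION_DAYS) -> bool:
    """True when the file was last modified longer ago than the retention period."""
    age_days = (now - path.stat().st_mtime) / SECONDS_PER_DAY
    return age_days > retention_days


def sample_files(root: Path, n: int, seed: int = 1) -> list:
    """Reproducible random sample of at most n files under root."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    rng = random.Random(seed)   # fixed seed so the sample can be re-drawn for review
    return rng.sample(files, min(n, len(files)))


def estimate_stale_confidential(root: Path, n: int, now: float = None, seed: int = 1) -> dict:
    """Estimate the share of files that are both past retention and confidential."""
    now = time.time() if now is None else now
    sample = sample_files(root, n, seed)
    hits = [p for p in sample if past_retention(p, now) and is_confidential(p)]
    k, m = len(hits), len(sample)
    p_hat = k / m if m else 0.0
    # 95% margin of error with the normal approximation: good enough for a first read.
    margin = 1.96 * math.sqrt(p_hat * (1 - p_hat) / m) if m else 0.0
    return {"sampled": m, "hits": k, "estimate": p_hat, "margin": margin,
            "paths": [str(p) for p in hits]}


def build_constructed_share(root: Path, now: float) -> None:
    """Create a constructed share of 20 files: every third is confidential, every
    second is about eight years old, so 4 of 20 are stale confidential files."""
    for i in range(20):
        p = root / f"dept{i % 4}" / f"doc{i}.txt"
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"CONFIDENTIAL client file\n" if i % 3 == 0 else b"Lunch menu\n")
        age_days = 3000 if i % 2 == 0 else 30
        mtime = now - age_days * SECONDS_PER_DAY
        os.utime(p, (mtime, mtime))


def demo(n: int = 20, seed: int = 1) -> dict:
    """Build the constructed share in a temporary directory and sample it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_share(root, now)
        return estimate_stale_confidential(root, n, now=now, seed=seed)


if __name__ == "__main__":
    r = demo(n=20)
    print(f"sampled {r['sampled']} files, {r['hits']} stale confidential "
          f"({r['estimate']:.0%} +/- {r['margin']:.0%})")
    for path in r["paths"]:
        print("  ", path)
```

Sampling rather than crawling everything keeps the measurement cheap enough to repeat every quarter, which is what makes the trend visible on the dashboard. Widening the sample narrows the margin; a hit list of actual paths gives the business owners something concrete to delete.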

7. Interventions on Specific Topics

Now that we have insight into processes, awareness, and unstructured data, we can start using the collected data. We do this, for example, by presenting it together in a dashboard and indicating where improvement is most needed. Combining the data in this way gives direction to discussions at the executive level, because the conversation is now about interventions on specific topics instead of broad campaigns. In addition, the same data makes it possible to measure the effectiveness of those interventions, and to understand and consciously accept the vulnerabilities that remain.

So we return to our initial question: how do you know if your IS&P policy is effective? Our answer: use data to make effectiveness measurable. This way, the executive board's discussion will be based on facts.

If you find this interesting or want to know more about how to measure the effectiveness of IS&P, please contact Marlijn Mulder.
