Communication is key in every aspect of an information security program.

Not Just for a Crisis

We all stress about the internal and external communications required during a security breach. But the reality is we don’t have to be in a crisis to plan our overall communications strategy better. Every policy in our information security program could benefit from improved communications.

Define for Consistency

As you build your policies, be sure to define the communication requirements clearly. Include detailed guidelines about the required communications—the owners, types, topics, format, content, frequency, triggers, and intended audience. The more direction you provide, the more consistent your information security communications will be.

A Communications Matrix

We recently built a matrix for a client that summarized all of the information security communications they were responsible for in one convenient table. Initially, we designed it as a simple cross-reference tool. But as the list grew, it made us realize how important communications were across all their ISO 27001 policies. It didn’t take long to determine that this Communications Matrix would help all our clients visualize their entire information security communications strategy. Even if you haven’t started down the ISO 27001 path yet, the Communications Matrix is a valuable tool that will help organize the communication requirements buried in your existing security policies.

Your Communications Strategy

When we built our original Communications Matrix, we found ten (10) communication activities across six (6) standard information security policies. This matrix will grow as we continue to develop more robust communication strategies for our clients. How many of these communication activities have you found in your policies?

1. Security Incidents

All employees, contractors, and suppliers are responsible for reporting security weaknesses, security events, and unusual activities. The method for communicating the details is documented in an organization’s Incident Management Procedures. These procedures will also describe how the case will be classified, prioritized, escalated (if necessary), and handled. Depending on the classification of the case, follow-on communications will vary. When low priority cases are resolved, it’s common to send an email to all parties involved. This communication will include case status, treatment, and appropriate corrective actions.

2. Breach Notifications

The communications related to major security incidents will also include phone calls and meetings with an expanded circle of stakeholders, including leaders from Information Technology, Information Security, Legal, Human Resources, and Marketing Communications, as well as Senior Management. An Incident Response Plan will further detail the communication requirements for confirmed security breaches. The communications related to a security breach may also include clients, law enforcement, and specific governing bodies, such as state/local agencies [Police, Consumer Affairs], federal agencies [Federal Bureau of Investigation (FBI), U.S. Secret Service, U.S. Cybersecurity & Infrastructure Security Agency (CISA), Health and Human Services (for HIPAA)], and international agencies [Information Commissioner’s Office (for GDPR)].

3. Business Continuity and Disaster Recovery (BC/DR)

An organization’s Business Continuity Management Policy is typically implemented with direction from the Board of Directors. The Business Continuity Manager is responsible for communicating regularly with the Board, Senior Management, and the team accountable for implementing the BC/DR plan. The Board of Directors and Senior Management are interested in learning about new threats and vulnerabilities, as identified by the annual Business Impact Assessment (BIA), as well as any results, improvements, or corrective actions from the team’s regular BC/DR plan tests.

4. Information Security Training

An Information Security Training Policy ensures that all employees, contractors, and third-party users receive formal communication on the organization’s security program, their personal responsibilities for minimizing risk, and common information security threats. At least once a year, the organization should require mandatory live or online classes to communicate updates. The Information Security Team typically prepares the company-specific content and communications for these classes. A third-party cybersecurity training partner can help provide industry-standard content and tests for portions of the training.

5. General Information Security

Communicating with your users throughout the year will help reinforce the behaviors learned during the annual Information Security Training classes. Regular email communications can include important security program modifications, updates on known threat activity, small policy changes, or simple reminders to remain diligent.

6. Security Program Status

A Management Review Policy describes how your security program should undergo formal quarterly and annual status reviews. These reviews are an excellent opportunity for senior management to communicate with the Security Team about how the program is performing. The Security Team can discuss the results of any risk assessments, risk treatments, internal audits, or security incidents since the last meeting. It is also a great time to talk about threats, process changes, key performance indicators (KPIs), requirements, or feedback. As a formal meeting, minutes should be recorded and shared.

7. Internal Audits

The details of your Internal Audit Policy need to be organized and communicated to the team as a cohesive program. The policy will identify the activities, functions, and processes that need to be audited. The communication plan will include the frequency of the audits, the owner, the auditor, and a rolling schedule of internal audits to meet the defined timetable. The security program manager will ensure that the plan is properly communicated and executed.

8. Audit Results

The reports from your Internal Audits will need to be communicated promptly to Senior Management for review. The results of the audits may also include statistics, non-conformance items, corrective actions, and preventative actions implemented. The reports will be reviewed formally at the next Program Status review meeting.

9. Supplier Security

The communications associated with the Global Supplier and Partner Assurance Policy are both inbound and outbound. The incoming communications are associated with the supplier’s compliance with your security program. They are required to notify you of any security breaches, changes to their operations, government investigations, or changes to their ISO 27001 certification. Other communications may include supplier security escalations and resolutions, modifications to your security or supplier program, and notifications of supplier security status with internal teams.

10. Information Security Metrics

The Annual Security Program Review establishes your security program objectives for the next twelve months. These new KPIs and thresholds need to be communicated to the Security Team and Senior Management accordingly. In most cases, the goals are documented in the meeting minutes. The new security program metrics will need to be extracted from the approved minutes; implemented in the dashboards, reports, and documentation; and communicated to the entire Security Team.

Final Thoughts

Improving your information security communications will improve your overall information security program. You can see from the examples above that the term “communications” can mean many different things depending on the policy, delivery vehicle, and audience. Your format, language, tone, actions, urgency, and level of detail will need to be adjusted appropriately for users, suppliers, senior management, regulatory agencies, and technical teams. That’s what makes it hard and often inconsistent.

If you review your existing information security policies and realize your communications should be more consistent, more robust, or more impactful, Ezentria can help. Give us a call at 1-800-230-0780, and we’ll get you back on track.

If you have any questions, need assistance, or would like a copy of our Communications Matrix, you can reach us at ia@ezentria.com.

Our next post in this newsletter will be in September. Until then, be safe and secure.