(Image credit: Dollar Photo Club.)
IT security threats and responses are constantly evolving, and every new breach leads senior insurance company leadership to question their own vulnerability. Or rather, it leads them to ask their CIO whether they’re properly protected. Novarica has published a note that will help CIOs to be able answer those questions.
Authored by former Navy Mutual CIO and now Novarica principal Tom Benton, “IT Security Planning: A CIO Checklist Executive Brief,” offers a high-level discussion of 10 indispensable aspects of information security (see full list below). The first item on the list suggests, in effect, that the CIO appoint someone else to be able to answer his or her questions.
“The CIO has so many responsibilities that it’s difficult to focus adequately on IT security,” Benton explains. “It’s something that deserves full-time attention.”
While delegation is essential to the functioning of an organization of any size, it is also the source of one of the possible biggest threats to an insurer’s IT security – “the human beings inside the company who have access to your systems every hour of your work day,” as Benton writes in the brief. One of the most important defenses against that threat is having training appropriate to levels of security for a staff member’s area of responsibility, according to Benton. “You can do a certain amount of monitoring, but the main thing is to have clear policies and training,” he elaborates.
Among the other concern areas raised within the brief, Benton calls out the special nature of mobile/device security. “It’s a different animal,” he says. “If you don’t pay attention you’ll be over-restrictive and get pushback, or you’ll get security holes and workarounds.”
Novarica’s IT Security Planning Checklist (Full brief available from Novarica here.)
- Designate an IT Security Officer/Director and empower the position to own the IT data security function.
- Schedule regular assessments and audits by external security-focused consultants.
- Review current security policies and ensure that policies exist for all potential risk areas.
- Conduct regular training on security issues with all company staff, with specific training for IT resources.
- Assign responsibility for monitoring data assets to appropriate system owners and managers.
- Include security topics as part of overall IT governance processes.
- Align IT security with business processes and into the overall corporate culture.
- Pay particular attention to mobile/BYOD security to avoid security workarounds by staff.
- Incorporate review of vendor/partner security plans into IT procurement processes.
- Budget for IT security and overall risk management, then invest urgently in the highest priority items.