Business people are quick in demanding the highest IT security standards, but when it comes to the implementation, the security measures should not have any impact on their daily business.
What impact is a just about acceptable? The answer to this question depends on many factors. Moreover, there is no universally applicable answer to this question.
Last week this question came up in a discussion about the impact of protection measures on scientists. My answer was: Lets try the NMH (No Medium High) impact approach.
No impact
Start with protection measures that have no impact on daily work. Many technical measures and few organizational measures could be implemented in the background, in the best case without a downtime.
Present your approach and the measures to the business groups. Show that there is no impact on their daily work. I bet, everyone will welcome this approach. And, if it works, everyone will trust you and you will feel like a super hero.
Medium impact
In the next step develop measures with low or medium impact on daily work. It is very important that this is done in close collaboration with the business groups. This measures are mostly organizational measures or small changes of the way of working, e.g. waiving of USB sticks, encryption of emails if sensitive information is exchanged, or the set up of a data handling policy.
Offer at least equal or better and easy to use alternatives. Agree with the business groups in the set of measures that should be implemented, in the schedule and the remaining risk as well. Make clear that the business groups have to cover the remaining risk! Implement the changes in close cooperation with the business groups.
High impact
Finally, discuss measures that have a high impact on the way of working, e.g. strong passwords, two factor authentication to systems which are used for access to core business data or classification and tagging of data.
If there are legal requirements to implement those measures, that’s a more easy job. Anyway, you have to make the advantages clear! Finally , the business groups have to agree in the set of measures which should be implemented. In the worst case, they take the remaining risk and reject any proposals for high impact measures. If there are no legal requirements that’s ok.
From my point of view with the NMH approach you will get a high level of security without infuriating the business groups too much!
Become a superhero!
IT Security Matters 