Technology for social justice
Workers having a meeting with laptops on the table

Why information security is everyone’s responsibility

This is the third in a series of blog posts from our Information Security Lead Marise Alphonso, where she talks about some of the information security issues facing the not-for-profit sector.

As we continue to embrace technology in all its forms within our workplaces, homes and lives we must remember that there is always an opportunity cost for the convenience this technology brings.  Most often this cost surfaces by way of ensuring security factors are considered in how we are using technology including the interfacing processes and data.Key information security concepts

As mentioned in a previous blog post of this series, maturing security capability is not only linked to technology, but also to business processes and organisational culture.  Through a security governance lens, we must ask the question "How do security practices contribute to value creation for an organisation?"

The diagram below is an indication of the majority of stakeholders for a not-for-profit organisation.  Each one could be considered for the role they may play in ensuring information security-related risks that could impact on the organisation are addressed. Risk in this context could be distilled down to implementing safeguards to ensure the confidentiality, integrity and availability of organisational data and services.

Stakeholders of a not-for-profit organisation

Stakeholders of a not-for-profit organisation

 

Responsibilities of these stakeholders focus on considerations in protecting the assets of the organisation as well as protecting the functioning of the digital economy. 

A sampling of responsibilities is outlined below - there are more obligations for each stakeholder depending on the specific context and business objectives of the organisation.  However, these responsibilities present the role we can all play in improving information security within our organisations, our personal lives and the broader economy.

Stakeholder

Responsibility

Board members and leadership

  • Set expectations, intention and tone from the top on information security
  • Due diligence, governance and management of information security/cyber risks considered as enterprise risks

Government bodies

  • Set out information security guidance and controls that could be adopted by organisations
  • Foster and enable industry collaboration on information security/cyber threats and means of possible protection and provide incident reporting channels

Employees, volunteers, contractors

  • Protect organisational data in line with established policies as per their specific job role and collaborate to uplift the organisation’s security culture
  • Report security incidents to allow for continuous improvement of information security

Third party suppliers

  • Protect the data entrusted to their care and execute their tasks within the supply chain ethically
  • Uphold contractual, legal and regulatory requirements

Customers

  • Ask questions as to how their data is secure and build security clauses into their contracts to ensure suppliers consider security and data privacy
  • Be aware of the distinction between security as their responsibility and the supplier’s responsibility

Members of the public

  • Understand their data privacy rights and challenge organisations to do their part to uphold these rights
  • Ask questions on practices followed by organisations to ensure security of data entrusted to their care and expect security incident notifications and protections are afforded in the event of data breaches.

Regulators

  • Implement appropriate changes in the legal and regulatory landscape to promote trust in the digital economy and protection of the public
  • Balance the need for regulation with that of innovation and build in practices to allow both to be achieved
Funding organisations
  •  Ask questions as to the governance process followed for the management of the funding to ensure value-add business outcomes are achieved
  • Require transparency and oversight to ensure integrity of business processes and appropriate safeguards are implemented to protect the funded project
Business partners
  • Protect their brand by partnering with organisations that consider information security practices
  • Ensure the data governance and management processes are well executed to protect data in use as part of the partnership
Individual donors
  • Ask questions on how the security of the data they provide to the organisation is assured
  • Have a level of awareness on how their donations are being used in terms of the transparency provided by the organisation

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Want to read more? Check out our other blog posts on information security.

Filed in: IT advice | Tagged as: Information security

Keep up to date with the latest Infoxchange news