Know your data
You are in the best position to understand the type of information your team handles on a day-to-day basis, so it’s important to know if your processes and procedures are secure enough for that information. You are also the best person to know if your staff has received the training they need to handle that information safely.
One of the main areas of focus of the Information Security Policy is Information Classification. The Information Classification Matrix is an excellent resource to help handle sensitive information safely.
You can encourage your staff to review the Information Classification Matrix and understand the controls that it describes.
Enterprise Risk Management
Information security is a key category of Information Technology Risk identified by Enterprise Risk Management at McMaster University. Information security risk relates to the confidentiality and integrity of information, and the systems that support them.
The Information Security Policy is designed to provide guidance to everyone in the McMaster community on how to reduce information security risk. The Information Classification Matrix, and the Policy standards, guidelines, and procedures provide ways to protect sensitive information and reduce risk.
As a leader, you can encourage your staff to read the IS Policy, and to understand how to protect the information they handle. You can lead by example by maintaining good IT security hygiene yourself, and you can demonstrate a commitment to reducing information security risk by encouraging good IT security hygiene among your staff.
Information Security Safeguards play a critical role in protecting personal information, and are a principle of the CSA Model Code upon which Canadian Privacy laws are based. The McMaster University Secretariat and Privacy Office is responsible for privacy at McMaster, and they work closely with the IT Security team and other IT units to ensure that digital information is appropriately secured.
The Information Security Policy addresses privacy in the Information Classification section, requiring all members of the McMaster community to apply appropriate information security controls when handling personally identifiable information, and also requiring everyone to abide by the Privacy Governance and Accountability Framework when handling information electronically.
Leaders can encourage their staff to understand their responsibilities related to the Privacy Governance and Accountability Framework, and to review the Information Classification Matrix for guidance on handling personally identifiable information. Additionally, leaders can book a Privacy and IT Security presentation with the University FIPPA coordinator, Michelle Bennett, and the University Information Security Officer, Paul Muir, to learn more about privacy and information security at McMaster.
Reporting an Incident
How we react when something goes wrong is critically important when dealing with information security. As a leader, you can make sure your team knows:
- who to call if they suspect a data breach.
- where to send spam and phishing samples.
- what they should do if they think they have lost their password.
- what they should do if they think their phone is lost or stolen.
The Information Security Policy requires all members of the McMaster community to report known or suspected IT Security and Privacy Incidents to the appropriate authorities.
You can encourage staff to learn how to identify Information Security and Privacy incidents, and how to report them. Additionally, you can encourage staff to watch for IT Security alerts and notifications sent via email, or posted to the @McMaster_ITSec Twitter feed and the McMaster IT Security Facebook page. You can also reinforce the fact that reporting incidents is not embarrassing or cause for punitive action; reporting incidents fully and quickly is a helpful, positive act that helps keep our information safe.