Job descriptions solve data security problems

Add to: Digg Add to: Add to: Facebook Add to: Furl Add to: Google Add to: Live Spaces Add to: MySpace Add to: StumbleUpon Add to: Twitter
Monday September 8, 2014 at 12:56pm
The challenges of the owner manager and directors of SME’s throughout the UK seem to grow daily. There are ever more complex risk and compliance issues to deal with, whether it’s data protection, health and safety, data security or industry regulation, the requirements can be onerous.

I find SME’s really struggle in their efforts to safeguard what is one of their key business assets - their data.

Given no business owner would knowingly put a valuable asset at risk I wonder why this is the case? I think a partial explanation is around good house-keeping – especially when it comes to job descriptions and delegating responsibilities to members of staff, and managing them to perform well on these responsibilities.

I have identified 3 key areas, which if addressed will help SME’s keep their data safe:

  1. Roles and responsibilities
    Business is moving quickly, our use of technology changes on a regular basis and with these changes come new responsibilities for all in your organisation. Sadly job descriptions and clearly defined roles and responsibilities are often woefully out of date and don’t reflect duties placed upon an employee. Indeed, when full investigations have taken place, I have found employees were not aware that they were even responsible for certain information security related activities.

    Job descriptions, like company brochures and web-sites need to be kept up-to-date. If not, the business may be in peril when it attempts to discipline an individual for not fulfilling a role or for breaching data security requirements.

  2. Data back-up
    A common-place area of concern is data-back up. Many organizations still back-up on to external hard-drives under the ‘grandfather-father-son’ protocol. This may work effectively until the designated employee either leaves the employment of the business – or is absent. If the role and indeed the associated responsibility is not clearly defined and documented there is little reference material in a dispute.

  3. Building access
    Another area might be visitor control within a building. If the duties are not clearly defined, a new starter or temp might completely miss a key element of visitor control, namely introduction to the Company’s information security policy and security obligations – whilst on site. Such a breach could have an impact upon C.I.A or ‘confidentiality, integrity and availability’ of data for the SME.
Information security advice for SMEs
So what is my advice? The SME manager needs to keep a watchful eye on all roles within their business. I suggest reviewing the organogram regularly and ensuring that all posts have a well-defined job description. Such descriptions should be version controlled, dated and approved by the author and accepted by the operator. Where possible this description should link to an updated Employee Handbook – detailing the latest procedures and policies within the business, especially those relating to data control and information security management.

Marcus Allen
Parker Management Consultants

Comments on this post:

There aren't any comments for this post yet. Why not be the first to comment?

Share your experiences:

Your Name  
(to appear with your comment)
Email Address  
(will not be published)
Human Validation Check  
In the box below, please type the characters that you see in the picture. This helps us to ensure a real person (and not a crafty computer!) is submitting this form.

Enter the code shown to the left:

Parker Management Consultants, 1st floor, Dominion Court, 43, Station Road, Solihull, B91 3RT Contact us here