What are Organizational Measures
Organizational measures mean introducing a process, a management system, control mechanisms, a policy or procedure, setting vendor requirements, and similar steps. They also include user education and awareness. Organizational measures lead to changes in people’s behavior or in business processes.
- Organizational measures are based on changes to processes or how work is organized.
- To change user behavior, training, education, and regular awareness programs are essential.
Which organizational measures are right for our company?
Specific organizational measures should naturally follow your company’s situation, needs, size, and the results of a risk assessment. A small family-owned business with a few employees will need different measures than a company with thousands of employees. Implementing most of these is relatively easy, and in combination with technical controls they will help protect you against the most common IT risks.
Most Common and Recommended Organizational Cybersecurity Measures for Mid-Sized Companies
The following list of best practices and tools is based on real-world experience with mid-sized businesses and industry best practices. It provides a concise overview of the core measures that are most commonly implemented in practice.
Implementing Security Policies and Roles in the Organization
- establish a systematic information security management approach
- define and enforce security policies and standards
- clarify roles and responsibilities (CISO/IT, system owners)
- provide regular reporting to leadership
- manage exceptions with a formal process
Systematic Risk Management
- Identify critical issues, assets, and processes
- Risk management methodology and risk register
- Regular risk assessments (at least annually)
- Link risks to resources (assets)
HR security and access management
- pre-employment screening, onboarding, training, and assigning permissions based on job role
- pre-hire background screening
- employee onboarding: assign correct system and physical access permissions and complete required training
- offboarding: revoke all access at departure and enforce confidentiality
- update permissions when an employee’s role changes
- track issued and returned company equipment
- include data protection, intellectual property, and optional non-compete clauses in employment agreements
IT Asset Management (Management of Information Technology) - ITSM / ITAM
- complete inventory of HW/SW/SaaS/accounts, with up-to-date information about your IT environment
- lifecycle: acquisition, changes, decommissioning (including data deletion)
- maintenance and an operations log for each IT component
- regular backups of important data
- information and data security management: data deletion, encryption of data in transit
- regular updates of software and company applications
- acquisition: choosing the right, secure technology
- monitoring
Employee Security Education, Awareness, and Security Culture
- standardized new-hire security training (as part of onboarding)
- phishing and social engineering simulations
- ongoing, regular security training for current employees
- established security culture (cyber hygiene, password policy, account management, endpoint protection)
Vendor Management for Purchased Services (Supply Chain)
- catalog of vendors and provided services + criticality
- security requirements in contracts; ensure vendor agreements cover SLA, NDA, and exit/termination
- performance and risk assessment of key vendors
- maintain oversight of vendor personnel who can access your data and assets
Incident Management (IR) and Reporting, Incident Handling, and Business Continuity
- incident reporting system
- escalation procedures, points of contact, and communications
- post-incident review
- crisis communications
Business Continuity & Disaster Recovery (Service Resilience)
- Incident response and recovery
- Process restoration
- BCP/DRP for critical services
- RTO/RPO targets based on criticality
- Regular recovery testing
Secure Adoption of New Technologies and Change Management
- security requirements for new systems
- controlled changes/configuration management with rollback
- approval process for exceptions and changes
- keep changes in your IT environment under control (understand the impact before you deploy)
Effectiveness Measurement, Audits, and Continuous Improvement
- Security KPIs/KRIs
- Internal audits and risk-based penetration tests
- Management review
- Corrective action plan