Information security to many people means firewalls, anti-virus and keeping things under lock and key. Whilst software solutions and physical protection are obviously large parts of information security, there is far more that must go on behind the scenes for a holistic and sustainable information security approach.
ISO 27001 is the most widely adopted information security standard in the world, and it echoes these sentiments. Installing technology to protect an organisation’s information is a vital part of a security solution, but it is by no means the whole package. What is needed is a three pronged approach, covering process, technology and people, to ensure data remains confidential, intact and available.
Before we look at the three facets of information security, it’s important to understand why an organisation needs to bother at all. First of all, the Data Protection Act 1998 in the UK (since superseded by the Data Protection Act 2018 and the UK GDPR) legislates against the mismanagement of personal data, particularly that concerning clients or third parties. Moreover, a company without an effective information security solution in place is at risk of serious data breaches that can prove incredibly expensive. Finally, a reputation for being insecure and careless with information is seriously detrimental to an organisation’s brand and public image.
So how can one implement a holistic information security strategy? What is the best approach to take?
A company can, and arguably should, work within the framework set out in ISO 27001. It provides details on how to analyse, plan, implement and control a security solution, and certification against it is becoming increasingly popular. However, when an organisation decides to develop its solution, it is important to consider the following three principles.
An Ongoing Process of Improvement
The 2013 revision of ISO 27001 (the current edition when this was written; a further revision followed in 2022) places much greater emphasis on the continual improvement of a company’s security policies and procedures. One popular method of process improvement from the Six Sigma toolbox is called DMAIC and is broken down into five steps.
Define – the first stage is about identifying risks in an existing system or solution and defining the problems in a clear and quantifiable manner. Write down the scope and targets of the process, using the ISO 27001 standard for guidance where needed.
Measure – the second step concerns gauging the current performance capability of the component being analysed. Establish a baseline and identify the difference between how the component should perform and how it currently performs. As part of this step it is also important to consider whether the tools being used for measuring the system are suitable for the job.
Analyse – the next step is about finding the root cause of the issue: what are the potential causes of security breaches? Identify, list and prioritise the potential causes of the issue, using one of the standard Six Sigma root-cause tools such as a fishbone (Ishikawa) diagram or the ‘five whys’.
Improve – using techniques such as brainstorming, Design of Experiments or the ‘six thinking hats’, establish and test solutions to the issue before rolling them out.
Control – the final stage, and the one most emphasised in the 2013 standard, is to establish controls that allow the organisation to monitor whether the improvement is holding, update it when it is not, and continue the process of improvement.
Technology

Naturally, technology is an integral part of information security. For many firms, utilising the services of a virtual data room, provided by a supplier such as www.projectfusion.com, is the ideal way to manage their data security solution. These third party providers supply a firm with an elegant, easy to use and secure file repository for storing and transferring data either internally or between relevant stakeholders. Outsourcing the storage does not outsource the accountability, however: the provider should be assessed and managed as a supplier (ISO 27001 Annex A covers supplier relationships) and the firm still has to control who is granted access to the repository and review that access regularly.
If managing data in house, it is essential to risk assess the systems that hold the data and implement cyber security measures proportionate to those risks, such as access control, encryption of data at rest and in transit, patching, backups and logging, to protect both internal and external information.
People

Finally, the people in an organisation are integral to the information security process. This means staff must be fully aware of their role in implementing, maintaining and controlling the policies and procedures put in place. Training should be provided to all members of the organisation that makes clear everyone’s responsibilities in the day-to-day running of a security solution.
The technical staff in the organisation should be qualified and up to date with the latest developments in information security. The industry is continually evolving, so qualifications and skills should be kept current to ensure the organisation’s data protection policies do not become stale.