Phil Thompson, head of BPIF Business, lists the top security controls for information security management.
Printers that have succeeded in moving up the value chain, or aspire to, usually manage data nowadays. Therefore security management is increasingly topical and the consequences for those responsible for security breaches are serious; regulators’ fines can impose severe financial penalties and then there’s the reputational damage and loss of customer confidence.
The most common way to demonstrate security management capabilities is by registration to the information security management standard ISO27001. The standard requires that organisations identify what information they manage, and complete a risk assessment to identify what security controls they need to operate to reduce their security risks to an acceptable level. ISO27001 has many suggested controls. Here’s a flavour...
Removable media
Removable media allow for the easy transfer of large data sets but also present an opportunity for the theft or loss of data. The risks can be reduced by locking down USB drives or configuring kit to permit the use of registered devices only. Think about password protection and encryption. Consideration should also be given to re-usable media and the deletion of information before re-issue and re-use.
Information classification/handling
Do you have guidance on how to classify the information you manage? Are your staff trained in rules on storage, distribution, transmission, and end-of-life disposal of data?
Information varies in its sensitivity – you can use a classification scheme that defines a set of protection levels and communicates the need for any special handling.
Review of access rights
When was the last time you checked the access privileges across your organisation? Granting access to computers, applications and access to different parts of your premises should be formally requested with clear approval authorities. You should complete regular checks of access rights .
Third party management
How many external parties have access to your premises or access to your computer systems? How many third parties do you send or exchange information with? Depending on the access granted or the information shared with external parties, there may be a need to define controls and service levels. Confidentiality clauses and non-disclosure agreements are frequently used, perhaps in conjunction with contractual requirements such as compliance to standards (e.g. PCI DSS compliance for those handling credit card details), staff vetting, use of approved contractors for archiving/storage and destruction of records/equipment. You may want to audit a third party to verify that effective security management is in place.
Legislation and compliance
It’s vital that your business is aware of the legislation and regulations that are applicable. Furthermore the compliance requirements must also be known – and this may require outside help. The Data Protection Act, Computer Misuse Act, Copyright, Design and Patents Act may all be applicable. The Information Commissioner’s Office has the authority to levy fines for non-compliance to the Data Protection Act so familiarisation with the management of personal data and the eight principles of data protection should be priorities.
And finally…
If your business operates these controls don’t get complacent! ISO27001 has over 120 other controls that may be necessary to reduce your security risks.
Businesses that achieve ISO27001 will have a systematic approach to security. They will have demonstrated that they have identified what information they manage, risk assessed it, chosen controls to reduce risk and shown that the controls are effective. They will have trained their staff in security management, published and communicated a series of security polices. They will have implemented controls for IT management, personnel security, physical security, access management and compliance management. They will have a programme of internal audits and improvement. They will have a proven business continuity capability. They will have security measures, they will log and respond to security incidents. They will have established security governance under the leadership of their highest levels of management, and they will have had their security management system independently assessed by specialist security auditors.