Here at itas, we value the security of the data that we are entrusted to work with. This year we are starting to work towards certification against ISO 27001, the Information Security Management Standard, and we are currently in the process of implementing an information security management system (ISMS). I thought it might be interesting to share our journey with you!
So, what is it?
An ISMS is the set of policies and procedures that set out the legal, technical and physical controls a business needs in order to identify and manage its information security risks. As a business, you should know what those risks are; that is what allows you to put together a plan to mitigate them. ISO 27001 is an international standard which, once achieved, demonstrates that your company is following information security best practice. We are actually finding that we already have a lot of the processes and procedures in place. It’s more a case of documenting them and giving them a few tweaks!
Most of what the standard asks for can be broken down into essentially three different elements: legal, technical and physical…
As a business, there are certain pieces of legislation that we must comply with, for example the Data Protection Act 1998, the Privacy and Electronic Communications Regulations 2003 and the Computer Misuse Act 1990, to name just a few. Data protection applies to the personal data you handle as a business: employee records, for example, or customer data that you have been entrusted with. This list is not exhaustive, and different companies will fall under different legislation depending on what they do.
There are many technical solutions that you can put in place to increase your data security, and here at itas we are starting to introduce some new ones. This month we have introduced a password manager called LastPass: a secure online vault where we store credentials for both our internal systems and external services. A core requirement of information security is knowing who accessed a piece of information and when, so that access can be controlled and audited. LastPass lets us report on which users have accessed each entry, when, and from which location. It also lets us go down to each individual entry and specify who can access it and what level of access they have: for each entry we can choose which users have read-only access, which can edit it, and whether they are allowed to see the password itself.
LastPass lets us strengthen this further through multifactor authentication. There are several different applications you can use for the second factor; LastPass has its own (the LastPass Authenticator app), Duo is also quite common, and there are others too. Once you have entered your master password, LastPass sends a request to your mobile phone, either a code by text message that you type in, or a push notification to the app where you approve the login. Of the two, approving in the app is the stronger option: text-message codes can be read or redirected by anyone who manages to take over your phone number, so it is worth making the app the default and keeping text messages as a fallback.
Over the coming months we will be working on implementing further policies and procedures to make our own systems more robust. The next part of our internal changes will be to further strengthen our password policy: reviewing the strength of users’ existing passwords and using the LastPass function to auto-generate long random passwords in their place. Work like this tends to link into many other process-improvement changes you make in your business.
It is very easy, and very common, for people both at home and at work to use easy-to-remember passwords and to reuse the same password across multiple systems. The problem with reuse is that a single leaked password then unlocks every other account it was used on.
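To make the two sides of that password-policy work concrete, here is a small added example in Python (written for this post; it is not LastPass code and does not use the LastPass API). It generates replacement passwords with the operating system's cryptographic random source, and audits a constructed credential inventory for the exact problems mentioned above: short or low-entropy passwords, passwords from a common-password list, and the same password reused across accounts. The policy thresholds, the common-password list and the sample accounts are all assumptions made for the illustration.

```python
"""Password-policy helpers: an added worked example, not LastPass's own code.

Two things a password review needs:
  1. generating random passwords instead of letting people pick them, and
  2. auditing an existing set of credentials for weak or reused passwords.

The inventory at the bottom is constructed sample data, not real accounts.
"""
from __future__ import annotations

import math
import secrets
import string
from collections import defaultdict

# Character set for generated passwords: upper, lower, digits, punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed policy thresholds (illustrative; not taken from any standard).
MIN_LENGTH = 14
MIN_ENTROPY_BITS = 60.0

# Tiny stand-in for a breached/common-password list (assumed, for the example).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn with a CSPRNG.

    secrets.choice reads the OS random source; random.choice is predictable
    and must not be used for credentials.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: log2(pool size) per character.

    The pool is inferred from which character classes appear. This is only
    accurate for random passwords; a human-chosen one like 'Summer2017!'
    scores far above its real guessability, which is why the audit also
    checks a common-password list and reuse.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


def audit(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Audit {account: password}; return {account: [findings]}.

    Findings are 'too short', 'low entropy', 'common password' and
    'reused on <other accounts>'. Accounts with no findings are omitted.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for account, pwd in inventory.items():
        by_password[pwd].append(account)

    findings: dict[str, list[str]] = {}
    for account, pwd in inventory.items():
        issues = []
        if len(pwd) < MIN_LENGTH:
            issues.append("too short")
        if entropy_bits(pwd) < MIN_ENTROPY_BITS:
            issues.append("low entropy")
        if pwd.lower() in COMMON_PASSWORDS:
            issues.append("common password")
        others = [a for a in by_password[pwd] if a != account]
        if others:
            issues.append("reused on " + ", ".join(sorted(others)))
        if issues:
            findings[account] = issues
    return findings


# Constructed sample inventory, shaped like a parsed password-manager export.
SAMPLE_INVENTORY = {
    "crm.example.com": "Summer2017!",
    "mail.example.com": "Summer2017!",
    "vpn.example.com": "password1",
    "github.com": "x7#Kp2!vLq9@mNr4wZ",
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_INVENTORY).items():
        print(f"{account}: {'; '.join(issues)}")
    print("Suggested replacement:", generate_password())
```

Running it flags the VPN password as short, low-entropy and on the common list, and flags the CRM and mail accounts for sharing one password; the random GitHub password passes. Note that "Summer2017!" passes the entropy estimate despite being easy to guess, which is the point of pairing the arithmetic with a common-password list and a reuse check rather than relying on length and character classes alone.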
Where you hold physical hard-copy information, you need to ensure it is kept in a secure location. In its simplest form this may be a locked filing cabinet, or a securely locked room with access given only to specific employees. There is also the question of how long you keep different types of information, based on its classification and on any retention periods required by law. In bigger companies this could be a more complex system, such as swipe cards or security personnel to keep the premises secure. You can also add other measures, such as an alarm system for the office and restricting access to certain areas to only those who need it.
Information and data security is becoming ever more important, with global cyber attacks hitting companies all over the world, and it is all the more important to change the habits that are easy to slip into. It is crucial that you do everything you can to keep all of your information secure. A breach in your data security not only poses a risk to your business if the data is your own; if it is customer data, it also puts your reputation as a trustworthy company at risk. Data security is a hot topic and not a subject that your company should take lightly.
If you are looking to implement a security process, there are many companies out there who can assist you and can do it relatively quickly. However, if you want to do this in-house there are loads of resources on the internet! We have purchased some packs which give us a good base to start with.
Give us a call, we are always happy to chat! Good luck!