Information security is the process used to protect assets of electronic or physical data, ensuring that the confidentiality, integrity and availability (the CIA) of data is upheld. Information security establishes the strategies a business needs to conduct its security management and to ensure its information systems operate as intended. Information security is an integral part of the Data Protection Act. Therefore, organisations should comply with information security requirements in order to prevent data breaches, which could compromise the sensitive information they store and process.
CIA and Information Security
An organisation can build upon the concept of CIA (confidentiality, integrity and availability) to form their information security strategy:
Confidentiality ensures that information held by an organisation is only made accessible to the specific individuals who require access to it. This allows organisations to crack down on unauthorised access to sensitive or personal information and to monitor where and when information is accessed. To achieve confidentiality, an access control list, user IDs and passwords can all be used effectively.
Integrity refers to ensuring that the information held or processed by organisations is trustworthy, i.e. that it is up-to-date and accurate. To ensure data is kept in this state, employees should be aware of the lifespan of information and the individual's right to rectify data. Records should not be amended by unauthorised personnel.
Availability is also a legal requirement: the Data Protection Act 2018 states that a data subject should be able to view their data by submitting a data access request (DAR). This means that organisations should ensure their information systems are available when required, so that such a request can be fulfilled in a timely manner, usually within one month.
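The confidentiality and integrity points above (an access control list restricting who may read a record, who may amend it, and a log of where and when information is accessed) can be shown in a few lines of code. The following is an added illustration, not code from the original page or from any particular product; the record names, user IDs and permissions are constructed sample data, and the `RecordStore` class and its methods are hypothetical names chosen for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed access control list: record -> user ID -> permitted actions.
# Anyone or anything not listed here is denied (default deny).
SAMPLE_ACL = {
    "payroll-2024": {"alice": {"read", "update"}, "bob": {"read"}},
    "hr-complaints": {"carol": {"read"}},
}


@dataclass
class AuditEntry:
    """One access attempt, kept whether or not it was allowed."""
    user: str
    record: str
    action: str
    allowed: bool
    when: datetime


class RecordStore:
    """Hypothetical store that enforces an ACL and audits every attempt."""

    def __init__(self, acl):
        self.acl = acl
        self.audit_log = []

    def access(self, user, record, action):
        # Confidentiality: 'read' is granted only to listed users.
        # Integrity: 'update' is granted only to listed users, so
        # unauthorised personnel cannot amend records.
        permitted = self.acl.get(record, {}).get(user, set())
        allowed = action in permitted
        # Monitoring: record who tried what, on which record, and when,
        # including denied attempts, which are the ones worth reviewing.
        self.audit_log.append(
            AuditEntry(user, record, action, allowed, datetime.now(timezone.utc))
        )
        return allowed

    def denied_attempts(self):
        """Entries an auditor would review for unauthorised access."""
        return [e for e in self.audit_log if not e.allowed]


def demo():
    store = RecordStore(SAMPLE_ACL)
    results = [
        store.access("alice", "payroll-2024", "read"),    # True: listed reader
        store.access("bob", "payroll-2024", "update"),    # False: read-only user
        store.access("dave", "payroll-2024", "read"),     # False: not on the ACL
        store.access("carol", "no-such-record", "read"),  # False: unknown record
    ]
    return store, results


if __name__ == "__main__":
    store, results = demo()
    print(results)
    for entry in store.denied_attempts():
        print(f"DENIED {entry.when.isoformat()} {entry.user} {entry.action} {entry.record}")
```

Two design choices carry the security point: the store denies by default, so a user or record missing from the list gets no access rather than accidental access, and denied attempts are logged alongside successful ones, because the denied entries are what an information security audit will want to see.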
What is an information security incident?
An information security incident occurs when someone without authorisation gains access to data, possibly with malicious intent. This could happen due to weak computer security, improperly disposed of documents, lost mobile devices, and so on. Information security incidents, or 'data breaches', can result in considerable financial and reputational damage for organisations and/or members of staff. In many cases, incidents like this must be reported to the ICO within 72 hours, and the people who may be impacted by the breach must be informed.
A threat refers to anything that has the potential to disrupt information systems and processes; we can also think of threats as 'security risks'. Given enough time and the right circumstances, these risks can result in a data breach. That is why security threats should be audited regularly and, as far as possible, mitigated.
What is an information security audit?
Audits are objective examinations and evaluations of an organisation's security practices. They are an opportunity to assess your information security risks and address vulnerabilities before they cause a breach. In an audit, you will appraise your organisation's policies and procedures and monitor organisation-wide compliance with them.
An information security audit should encompass all aspects of information storage and processing within your business. Relevant areas range from paper records and physical security to encryption and cloud computing. The COBIT 5 business framework can be utilised for guidance on conducting an audit. The publication was issued by ISACA, a non-profit, independent association of 140,000+ professionals across 187 countries, and reflects the latest advances in the field of IT governance.
Information security audits can be conducted by an IT specialist, as technology comprises a large proportion of current information security. Auditors can be either internal or external to your organisation. Some sectors are under tighter regulations when it comes to audits, e.g. financial institutions are required to undergo an external audit every year, so it is essential to familiarise yourself with any sector-specific requirements that may apply.
Why information security audits are important
To uphold information security, an organisation will need to carry out risk management audits regularly to identify where security risks are, and subsequently how to deal with and mitigate these risks. The purpose of performing an information security audit is to continually monitor the strength of your information security practices, allowing you to modify organisation policies and identify weaknesses that require addressing.
Audits allow you to rapidly identify and address any security issues within your network. Conducting regular information security audits is therefore an essential measure in protecting your organisation against the potentially crippling effects of an information security breach. Information security breaches often result in information falling into the wrong hands. Unauthorised access to data can be incredibly damaging both to the party whose information is compromised and to the party responsible for the breach. Disciplinary action can range from internal procedures to legal prosecution and hefty fines. Regular audits and thorough information security training are both sure-fire ways to protect your organisation from security breaches.
How to write a risk management plan
There are two main stages of risk management that need to be considered when creating a risk management strategy.
First, identify the data your organisation processes, whether it is personal or sensitive, and where there are areas of vulnerability in the processing chain that could allow confidentiality, integrity or availability to be compromised. From this, consider what controls your organisation already has in place to protect information and whether they are adequate or need strengthening or updating.
Second, once you have identified the risks to your information security, organise a plan of action that decides how to mitigate them and what to do in the event of a security breach.
Network security refers to the protection of data transmitted between devices within a network used by an organisation. Network security aims to stop this data being intercepted through electronic intrusion for the benefit of cyber criminals. Therefore, if an organisation is going to store or transmit any data via a network, it needs to ensure its information is secured and protected as far as possible from cyberattacks. Cyberattacks can take many forms, notably malware, spyware and hacking attacks.
If an organisation has put in place the hardware and software needed to detect cyberattacks, and has also provided information security awareness training to all staff members, then its information should be appropriately protected. Ultimately, to ensure information security is implemented correctly in your organisation, training and education in information security are paramount.
Information security compliance
Information security compliance is an umbrella term for conformity with numerous legislative and regulatory standards. The hefty task of compliance within the UK currently includes, but is not limited to: the Data Protection Act (DPA) 2018, the General Data Protection Regulation (GDPR), the Copyright, Designs and Patents Act 1988 and the Payment Card Industry Data Security Standard (PCI DSS). Compliance is both the individual responsibility of data users and the corporate responsibility of your organisation. Non-compliance can result in damage to your organisation's reputation, interruptions to service, legal action being taken against you, wasted resources and people being put at risk.
UK compliance standards
The Data Protection Act (DPA) 2018 is the current UK legislation governing the processing of personal data. Personal data is any data relating to an identifiable, living person, and processing is anything that is done with this data. The DPA 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). It outlines a set of rules that data controllers (those who own data and are responsible for it) must abide by.
The Copyright, Designs and Patents Act (CDPA) 1988 is the current copyright law within the UK. The CDPA gives creators of literary, musical, artistic and dramatic works the right to control the ways in which their material is used. Rights are in place for between 25 and 70 years, dependent on the type of work.
The importance of information security compliance
Good information security practices allow you to get the best out of your information and be confident that the security risks are managed. Not only will your customers have more confidence in you, but so will your partners. Compliance also ensures you meet your legal and regulatory responsibilities. On the other hand, poor compliance may result in confidentiality breaches, data losses and loss of reputation. Disciplinary procedures can include: internal processes; investigations and enforcement by the Information Commissioner's Office (ICO); penalties from professional bodies; litigation by third parties; criminal offences and even arrest. Thorough information security training for all staff members will help you ensure your business is meeting its compliance requirements.
The importance of good information security awareness
A lapse in judgement by a single staff member could result in an organisation-wide information security breach. Therefore, the most powerful tool at your disposal is regular information security awareness training for all staff members. A sound understanding of security principles, covering data protection, cyber security, physical security and intellectual assets, empowers staff members to remain vigilant to potential threats.
If you would like to learn more about protecting your company's information security, take a look at our wide range of CPD certified information security online training courses.