An information security policy is a set of rules laid down by an organisation to ensure that all users follow good practice to keep information safe and reduce the risk of a data breach. Information security rests on three main principles: confidentiality, integrity and availability, all of which can be enforced through clear, consistently applied information security policies. Policies not only protect your organisation against legal, financial and reputational damage, but also protect the people whose data you hold.
How important is an information security policy?
Information security should be viewed not as a choice but as a legal requirement. Security breaches can result in data loss, inaccurate data, breaches of confidentiality and wasted resources, and can even put individuals' rights and freedoms in jeopardy. Information security practice is governed by several pieces of legislation, including the Data Protection Act 2018 (which supplements and applies the EU General Data Protection Regulation in UK law).
What should an information security policy cover?
Information security policies should encompass a wide range of data formats and locations:
- Printers, fax machines and scanners
- Tablets and laptops
- USB sticks and other portable storage devices
- Public clouds
- Paper records
How are different types of data classified?
Data can be classified into sensitivity bands, and the handling rules and policies that apply to a piece of data are usually determined by its band. An example classification scheme:
Publicly available:
- Information normally made available to the public
- Examples: public contact details, service availability, some organisational decisions, draft forms of documents
Personal and confidential:
- Information about an identifiable, living person
- Examples: email address, date of birth, home address
Highest sensitivity:
- Information that would have drastic consequences for organisations or individuals if misused, including loss of life or inability to continue carrying out work
- Examples: criminal offences and convictions
Access to the most sensitive information can be restricted further through additional access controls, for example a separate password or an extra authentication step, and by limiting access to a named list of individuals rather than a whole role.
How to implement an information security policy
Use role-based data access controls
Within most organisations, different users need, and are authorised to access, different types of information. A common way to manage this is role-based access control: access rights are granted to a role rather than to an individual, so every employee with the same responsibilities receives the same set of rights. Many security breaches involve human error, so reducing the number of people who hold access they do not need reduces the opportunities for an incident to occur. Roles should be reviewed whenever someone changes job or leaves, so that access does not accumulate over time.
Enforce strong passwords
Most data security breaches originate from external sources; however, the biggest threat to your IT infrastructure is often the employee who unwittingly lets the attacker in. Among the top causes of organisational data breaches and losses are weak or reused passwords, employees who click on untrusted links and attachments or visit restricted sites, and computers and other devices left unattended or lost. These are simple mistakes to make, but neglecting security best practice in these ways poses an enormous threat to business data that only ongoing training can address. Note that current NCSC guidance recommends against forcing regular password expiry, which pushes users towards predictable, weaker passwords; instead require long, unique passwords (a password manager helps), add multi-factor authentication wherever it is available, and require a change only when a password is known or suspected to have been compromised.
Encrypt your data
Some organisations require that any information transferred outside the organisation is encrypted. Encryption converts readable information into an unintelligible form by running it through a cipher (an algorithm) under the control of a secret key. With symmetric encryption the same key reverses the process; with public-key encryption the matching private key does. Without the key, anyone who intercepts or finds the data cannot read it, so it is protected from falling into the wrong hands. Modern authenticated encryption modes also detect tampering, so a recipient can tell whether the data was altered in transit. Data stored on portable devices such as USB sticks and laptops should be encrypted, as they are easily misplaced or stolen, and the key must be kept separate from the device: an encrypted USB stick whose key is written on a note in the same bag protects nothing. Users should familiarise themselves with their organisation's encryption policy.
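As an added illustration of the points above (this is example code written for this page, not code from the original article or from any product), the following Go program encrypts a constructed "personal and confidential" record with AES-256-GCM before it goes onto a portable device, then shows that the correct key recovers it, that a wrong key is refused rather than producing garbage, and that a single flipped bit in the stored data is detected. The function names and the sample record are assumptions for the example; the cipher and mode are standard-library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. In a real deployment the key comes
// from the organisation's key-management process and is never stored alongside
// the data it protects (e.g. on the same USB stick).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// GCM is an authenticated mode: it hides the content and detects any modification.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; it is not secret and travels with the data.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// ErrCannotDecrypt is returned for a wrong key, altered data or truncated input.
var ErrCannotDecrypt = errors.New("decryption failed: wrong key or data tampered with")

// Decrypt reverses Encrypt. It fails closed: no partial plaintext is ever returned
// when the key is wrong or the ciphertext has been altered.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, ErrCannotDecrypt
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, ErrCannotDecrypt
	}
	return pt, nil
}

func main() {
	// Constructed sample record in the "personal and confidential" band.
	record := []byte("name=A. Person;dob=1980-01-01;email=a.person@example.com")
	key, _ := NewKey()
	sealed, _ := Encrypt(key, record)
	fmt.Printf("stored on the USB stick: %x\n", sealed) // unreadable without the key

	// Correct key: the original record comes back.
	pt, err := Decrypt(key, sealed)
	fmt.Println(string(pt), err)

	// Wrong key: refused outright, not decrypted into nonsense.
	other, _ := NewKey()
	_, err = Decrypt(other, sealed)
	fmt.Println(err)

	// One flipped bit while in transit: detected and refused.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Decrypt(key, sealed)
	fmt.Println(err)
}
```

The design point is that the policy requirement "encrypt data that leaves the organisation" is only met when the key stays behind: here the key lives in the sender's and receiver's key store, while the device carries only the nonce, ciphertext and authentication tag.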
Secure physical access to your buildings
Policies should also cover the physical security of the building. Unauthorised personnel gaining access to the building could see information they are not entitled to see. Simple measures like keeping windows and doors shut and locked whenever possible are essential. Two-factor authentication at entry points reduces the risk of unauthorised access to the building: the person must present two forms of identification, typically something they know (like a door code) and something they have (like an ID card). Staff should also be told not to hold doors open for people they do not recognise, since tailgating defeats any door control.
How to prevent hacking
Hackers are usually opportunists: they discover a weakness and exploit it for the most convenient and profitable gain. They may not even target individuals, but instead send their malware to the greatest number of recipients in the hope that one person will take the bait. As a result, cyber criminals are constantly testing organisations' information security defences.
Why does this matter? Because misunderstanding hackers can cause us to underestimate their threat. If we imagine that hackers are a select breed of digital masters who plan brilliant attacks against enormous corporations, we imagine that we, as smaller and less significant targets, are safe from their attention. But if we are aware, more accurately, that hackers are anyone with the will to commit a crime and the ability to use a search engine, then we realise that the threats from hacking are broad and omni-present, and we must take every precaution to keep our data and systems safe, because we are, sadly, as much a target as the largest global corporations.
Ensuring that all staff are fully trained in cyber security alertness and best practices will go a long way towards protecting your business from a devastating attack. And because the threats from hackers and fraudsters are always changing, it's important that staff training is also regularly updated.
With time to detection being of the essence, the IT service desk can play an essential role in detecting any potential security threat early on.
Service desk staff are in an optimum position to identify strange patterns or trends within the company's IT system which could prove to be an early indication of an attack. If properly trained to spot these early warnings and escalate them to the right security experts, front-line employees can become a powerful first line of defence.
Information Security Training from DeltaNet
Do your employees know the basics when it comes to Cyber Security? eLearning solutions from DeltaNet International can help. We offer off-the-shelf cyber security awareness training covering topics such as Keeping Information Secure, Phishing Awareness, Protecting your Identity, and Preventing a Data Breach.
Contact our team to find out more about Cyber Security eLearning at DeltaNet.