Information Security—Issues and Solutions
From its start, Intact has always been keen on information security, and protecting our customers' information and data is one of our top priorities. Our mission statement says that we are professional, sociable, and connecting; but what does that mean when it comes to information security? What issues may arise from this approach, and what can a company do to make sure its employees act professionally?
The first thing you have to do is establish a functioning Information Security Management System (ISMS) to make sure that everyone in your company is on the same page on this matter. Of course, this is easier said than done: the bigger the organization, the bigger the obstacles you have to overcome to implement an ISMS. Therefore, to help companies comply with standards like ISO 27001, which is a demanding standard that is hard to achieve, preliminary stages are sometimes defined to ease the process a little. One example is the German ISIS12 ('Informations-Sicherheitsmanagement System in 12 Schritten', which translates to 'Information Security Management System in 12 Steps'). It was created to systematically and continuously improve information security in small businesses and municipalities, with the ISO 27001 standard as the reference point.
Information Security Standards Require a Lot of Work
There are several reasons why implementing an ISMS leads to obstacles that need to be overcome. First of all, you need to have the right people in place to make sure the implementation goes smoothly, meaning people with the right know-how and expertise in this field. Since the implementation of an ISMS runs in parallel to the everyday work in a company, another big problem can be work overload for the employees who have to carry out the tasks. Especially in smaller companies, this can slow the process down tremendously. That is why companies sometimes hire experts specifically for the implementation of an ISMS. Whichever way you go, two things have to be put in place:
- the necessary organizational structure (roles and committees) and process organization (security processes), and
- the appropriate guidelines (procedures and rules),
both established for the ongoing definition, management, control, maintenance, and improvement of information security in the organization, based on a risk management approach.
An ISMS is a continuous process whose strategies and concepts must be reviewed regularly for performance and effectiveness, and updated where necessary. The Austrian Information Security Handbook, which is only available in German, describes information security as follows:
Information security is always a management task. This task can only be performed successfully if the management of an organization is entirely behind the security objectives and the associated activities.
https://www.sicherheitshandbuch.gv.at/downloads/sicherheitshandbuch.pdf p. 38
It also describes a process to continuously improve an ISMS. The so-called PDCA model (Plan, Do, Check, Act) helps to do just that:
- Plan: Define the ISMS, i.e., the relevant security objectives and the security policy. The information security policy should be developed, and specific security measures should be selected.
- Do: Implement and operate the ISMS: put the security measures in place, ensure compliance with them, and maintain information security during ongoing operations, including in emergencies.
- Check: Monitor and check the ISMS for effectiveness: verify that the security measures exist, make sense, and are complied with, and also gather knowledge about incidents and current good practices.
- Act: Maintain and improve the ISMS: react to detected errors, vulnerabilities, and changed environmental conditions, and eliminate the causes of hazards. This requires renewed planning, which closes the cycle.
Taking this PDCA model seriously will help any organization maintain its ISMS, which in turn combines all the essential elements of information security management into one closed loop.
The essential elements of an ISMS are:
- Guideline Management
Determination of the internal organizational regulations concerning information security, taking into account existing legal and regulatory requirements.
- Awareness and Training program
The implementation of awareness-raising and training activities
- Risk Management
Identification, evaluation, and handling of existing security risks by appropriate organizational and technical security measures.
- Audit Program
Planning and execution of system, process, and product audits as well as security analyses (penetration tests).
- Key Performance Indicator (KPI) Management
Monitoring the implementation of measures and measuring the effectiveness of security measures and the maturity of security processes.
- Security Incident Management
Review and handling of security incidents and critical security vulnerabilities.
- Emergency and Crisis Management
Definition and implementation of emergency preparedness and response, emergency drills, and emergency plans.
What Really Should Be Done
In the past few years, everyone, across all industries, has made significant changes regarding data and data security. Just a few years back, most personal data was stored offline in ring binders or paper notebooks. Nowadays, personal data has moved to electronic devices and often to online services. We use smartphones, tablets, laptops, and smartwatches to store information in cloud-based services across the globe.
Of course, this has consequences for securing data, especially personal data, which is among the most sensitive and valuable kinds of data. Since technology is always evolving, we need to review our data protection measures at much shorter intervals. Again, the PDCA model comes in very handy for this.
The first thing to control, and therefore the key to protection, is access to this information and these assets. That starts with physical access to buildings and premises; even more important is access to systems, data, and information. An ordinary risk analysis will always come to the same result: once the economically justifiable technical possibilities have been exhausted, what remains is the employees' mindset. People need to be made aware of possible hazards and of the attack routes open to potential criminals. There are, of course, ways to deal with certain issues, such as locked buildings and rooms, or even locking laptops away in secure places at the end of the workday.
Sure, this will have a positive impact on security, but at what cost? Locking laptops away would restrict the daily work process and make people feel uneasy or even annoyed. Ultimately, the better way is to change your employees' and colleagues' mindset by continually communicating the issue of information security. This starts with training on the job, and it includes blog posts like this one. It must be clear to everyone involved that carelessness and recklessness can damage or lose valuable information without anyone noticing in time. Awareness of the importance of information security to your business success must be part of the corporate culture.
Besides the obvious advantages your business gains from this new mindset, there is also a competitive advantage that sets you apart from your competitors: your customers and partners know your company's attitude on this issue and put more trust in you. Admittedly, this is not something achieved in the short term; it takes a long-term commitment from everyone involved.
There is no point in implementing a great ISMS when the people in the company do not care about it. In my opinion, the right mindset can save you a lot of money and gain you prestige with your customers and partners.