Under recently introduced legislation, the Information Commissioner’s Office (ICO) can now fine businesses up to £500,000 if they are found to be in breach of the Data Protection Act.
The legal requirement to comply with the Data Protection Act, combined with the very real threat of a hefty fine and negative publicity, should now make information security a clearly defined business risk and a key focus for all senior managers.
In response, BSI continues to work with industry and government to develop a series of standards and targeted training courses. These initiatives are designed to help UK businesses, regardless of size or sector, develop and implement effective information security management activities.
Two standards that help organisations achieve this are ISO 27001 (information security management) and BS 10012 (data protection). Each is supported by training courses that help organisations understand the risks associated with information security breaches.
“Data protection could refer to the transfer of information to a third party, failure to hold information securely or simply the neglect of legal obligations,” explains Mike Bailey, Director for BSI Training. “Employees need to consider the risks when they make a phone call or open their laptop on the train; do they really know that the person sitting next to them is not a competitor? The security of sensitive company data must be at the top of every business agenda, particularly in the current climate, where measures such as management system standards can be put in place to minimise the risks.”
Loss of data is one of the biggest threats facing organisations today, but Bailey believes there are a number of positive steps an organisation can take to minimise the risk of a data security breach. The steps below follow the control areas of ISO 27001.
- Update security policies – take this seriously: ensure that security policies are up to date, in line with current business requirements, and compliant with relevant laws and regulations.
- Review human resources security – controls for staff before, during and after employment are crucial so that every employee is part of the information security process, including the return of assets and removal of access rights when employment ends.
- Look at the physical security of your environment – buildings, locations and equipment should all be adequately secured to prevent unauthorised access, damage and interference.
- Review communications and operations management – define operating procedures so that important company information is processed correctly, backed up (and restorable), and handled securely in storage and in transit.
- Create an access control policy – grant access to sensitive information on a need-to-know basis and review it regularly, to prevent unauthorised access, damage and theft.
- Manage information security incidents – define how security events and weaknesses are reported so that they reach the right people consistently and corrective action can be taken as quickly as possible.
- Plan for business continuity – this covers all business activities and aims to protect critical business processes from the effects of major failures of information systems or disasters.
- Make sure you are compliant – verify that legal, regulatory and contractual obligations are met, and that the measures used to meet them do not themselves weaken information security.
- Train your people – ensuring that employees are properly trained in areas such as information security management is vital if organisations are to reduce risk and implement change successfully.
“Once all of these areas have been identified and actioned it is important for businesses to manage any threats against these areas, for example, locking filing cabinets after use, backing up data or reviewing access control policies. Producing a framework for continual improvement is essential to ensure that any changes in business practices do not affect the ongoing security improvement programme,” concludes Bailey.