Huge reputational damage can be caused by a hacking incident or any other incident involving data loss. Yet cyber security is not always discussed at senior management or board level. Worryingly a survey this year by the law firm Pinsent Masons revealed that only 33% of businesses felt they were well equipped to deal with cyber risk.
So where should we look for best practice? For many years now government departments and agencies have followed strict security guidelines. This is essential in order to protect public data as well as sensitive national data such as police and health records.
As consultants we are invited in by commercial companies to help them address such issues and we are often bemused by the attitude to information security we come across. So how do we learn from good practice in the public sector to be able to deliver the same standards-based approach to the commercial sector?
At the basic level it requires the creation of two key documents;
- A security policy statement covering all relevant services and data and addressing the assets that need protection;
- A supporting document which outlines the processes and controls that the organisation will maintain in order to protect the assets outlined in that security policy
Fortunately, neither of these things involves reinventing the wheel as this is exactly what ISO27001 delivers. ISO 27001 is the international standard for Information Security Management and is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. It uses a top down, risk-based approach to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
The business benefits of having ISO 27001 as an organisation are manifold. According to a survey conducted by the Rotterdam School of Management, those companies who have worked to gain the standard point to an increase in the quality of internal information security processes and procedures; a reduction in the level of risk; and increased external customer satisfaction.
Once your security policy statement is in place it is likely to lead to a baseline hardening in your approach to covering best practice security. A good starting point is joining the Center for Internet Security (CIS). CIS is a non profit organisation founded to foster and share security good practices throughout cyberspace.
Once everything is in place you will want to make sure it stays like this. This is made up of two aspects. The first is configuration management. Open source tools like Puppet and Chef can help here by ensuring configurations are maintained in a known secure state. Microsoft’s System Center and a myriad of other vendor products and tools will also perform similar functions.
The second aspect is monitoring and incident response. After all it’s no good having all these policies and procedures in place if security incidents pass undiscovered and unnoticed. Intrusion and anomaly detection devices and software are available as well as standard alerting tools. All of these should be done in compliance with part 2 of the policy outlined above.
Security is a process and an ongoing one at that. It is not a product or a point in time. Continual assessment of the risks that exist to your organisation and the data it holds are a must particularly as the nature of those risks is changing and evolving continually.
By Richard Ingram, Cloud Solutions Architect from public cloud consultancy SystemsUp (an iomart company)
If you would like help assessing your current security against good practice or would like to apply the same baseline approach to your environment, please get in touch via firstname.lastname@example.org