Information Security for a Smaller Firm
Brian Spence
ACA Members Conference, 7th February 2013

Private and Confidential

Agenda
• Introduction
• What is Information Security?
• Importance of Information Security
• Steps Taken
• Barriers
• The Future


Introduction
• Privately owned firm
• Offices in London, Belfast, Glasgow and Dublin
• 65+ employees
• Two years developing an information security strategy


Information Security: What's it all about?
The practice of defending information (electronic, physical, etc.) from:

• unauthorised access

• perusal

• use

• inspection

• disclosure

• recording

• disruption

• destruction

• modification


Information Security is the preservation of:
• Confidentiality: ensuring that information is accessible only to those authorised to have access
• Integrity: safeguarding the accuracy and completeness of information and processing methods
• Availability: ensuring that authorised users have access to information and associated assets when required

The importance of Information Security
• Business survival depends on information security
• Protect key business assets
• Minimise financial loss
• Ensure business continuity
• Increase business opportunities
• Protect reputation
• Legislative requirements


Managing Risk
[Diagram: risks grouped under three headings, People, Technology and Process]
Risks shown: Policy; High User Knowledge of IT Systems; Theft, Sabotage, Misuse; Virus Attacks; Systems & Network Failure; Lack of Documentation; Lapse in Physical Security; Natural Calamities & Fire


Steps Taken – People
• Dedicated Information Manager
• Supported by a focus group: a cross-section of staff from the different areas of the business
• BPSS (Baseline Personnel Security Standard) checks, including CRB checks, for all employees and subcontractors who have access to our systems
• Comprehensive induction for new starters and contractors
• Regular staff training and awareness sessions
• Information security competencies integrated into staff appraisals
• Assessment of information security awareness



Steps Taken – Processes & Policies
• Full review and upgrade of information security and operational processes
• Key processes include:
  • Physical & Environmental Security; Access Control; Human Resources Security; Business Continuity Management; Asset Management; Control of Documents and Records; Internal Auditing
• Key policies include:
  • Security & Confidentiality Policy
  • Remote Working Policy



Steps Taken – Technology
• Removal of data from laptops/desktops
• Disabled memory sticks (USB storage)
• Two-factor authentication
• Online backup
• Revised Business Continuity Plan (BCP)
• BCP test/restore
• Penetration testing
• Logon password strengthening (minimum 15 characters)



Steps Taken – Physical & Environmental Security Considerations
• Access controls (visitor log; staff and keyholder roles and responsibilities)
• Alarm systems
• Secure storage (on and off site)
• Office layout
• Clear desk and clear screen policy
• Regular confidential waste collection
• Evacuation procedures and simulations


Lobby Refurbishment – Before
[Photo: lobby before refurbishment]

Lobby Refurbishment – After
[Photo: lobby after refurbishment]

Steps Taken – Risk Management
• Staff encouraged to report potential risk scenarios or incidents
• Risks considered and scored by the focus group
• Risk treatment plans approved by the focus group



Barriers
• Resistance of staff to change
• Cost
• Resources
• Knowledge and expertise
• External suppliers



The Future
• External and internal auditing
• Upgrade of telephony infrastructure
• Secure document sharing improvements
• Annual IT health checks
• Continual review of internal processes
• Ongoing training
• Business continuity testing and development


Questions?
