Good Information Security governance is always on the mind of IT and cyber-security experts. But, as a manager, director or leader in another department, data security may take less of a priority. If you are looking for an introduction to Information Security for managers, this article will refresh your knowledge of the subject in about 6 minutes.
Unfortunately, cyber-crime is always active. It doesn’t wait for the IT team’s next threat management update. In fact, statistics from the Cyber Security Breaches Survey 2021 reveal that 65% of medium-sized and 64% of large businesses reported cyber-security attacks or breaches in the last 12 months. The pandemic has exacerbated this, with more personnel working remotely.
Today, personal data is used across hundreds of platforms, 24/7/365. Passwords and financial information are valuable commodities to cyber-criminals. It has never been more paramount to protect confidential personal data and documents from unauthorised access.
Information Security for managers
At Datagraphic, Information Security underpins our organisation – we’ve continuously held ISO 27001 certification since 2006. We process data daily for clients to generate their outbound customer, employee and supplier communications.
We’ve found over the years that the level of Information Security knowledge in organisations varies hugely. In many cases, teams match our enthusiasm and dedication to keeping data secure. They ask to validate our credentials through security questionnaires and guided site visits. But we also meet people who haven’t been through this process with incumbent suppliers before.
We don’t profess to be industry leaders in this subject, so this article isn’t aimed at cyber-security experts. But we have decades of experience meeting the highest Information Security standards, so we’re sharing some of that knowledge to help non-technical managers, directors and department heads.
Actively managing Information Security
Every organisation should create, approve and publish an Information Security policy. If you haven’t read your organisation’s policy for a while, it’s the place to start.
An Information Security policy guides data collection, storage and processing by an organisation. The policy aims to provide direction and support for Information Security and outline how to implement and monitor compliance.
The policy should help you understand the data you hold in your department and provide insights into improving its care. Knowing what’s in the latest policy will also help you answer questions from your organisation’s Information Security team.
From time to time, you may be required to help review any personal data and processes to identify potential risks. This helps your Chief Information Security Officer (CISO) – or Information Security leader – gain a holistic view across the organisation. They can then implement controls to mitigate risks to the Confidentiality, Integrity and Availability (CIA) of information stored, processed and transmitted.
Building a security-first culture
When did you and your team last complete Information Security awareness training? Cyber threats and data processes aren’t static. A lack of training and awareness can create weaknesses for cyber-criminals to exploit.
As hybrid working increases, it’s even more important that people who access personal data understand your security measures. Everyone in the organisation needs to know how to access and process data safely from wherever they work.
Information Security awareness training should therefore apply to all staff, including temporary, locum or contract workers. It’s also a key question to ask suppliers. When assessing their credentials, check they regularly train all staff processing your data too.
We’ve written more on staff training and what to cover in Information Security briefings in our Guide: Optimising Information Security.
But, awareness shouldn’t stop in the training room. Try to regularly circulate intranet articles, policy libraries, team briefings and posters to maintain awareness levels.
To help, we’ve put together this download – 6 ways you can help improve workplace data security, for you to share with your team.
Protecting data on-premises
Your Information Security policy will also cover physical access to premises and equipment, to prevent unauthorised use, damage and manipulation of secure personal data.
Think carefully about where data is held and who has access to it:
- Are there visible access controls, such as ID cards or PIN pads, intruder alarms and CCTV?
- If your organisation permits visitors, is it by appointment only, and do they sign a non-disclosure agreement (NDA)?
- Do you have internal data servers, and are they in a separate room with restricted access?
It’s essential to have security arrangements to prevent loss, damage, theft or the risk of compromise of data.
Are you a manager or department leader with a team that processes customer or employee data?
Put your Information Security knowledge to the test with our quick quiz.
Security on systems and networks
With increasingly globalised working, it’s essential to have a clear view of business systems: where data is held, who has access to it and how to protect it against unauthorised use.
Many organisations’ Information Security policy appoints ‘owners’ of data-sets with responsibility for the everyday security and use of business systems.
If you’re a data owner or team leader who keeps a data-set for processing, there are things to consider. Examples include keeping data protected on systems and networks, home and mobile working procedures, password security, penetration testing and more.
Penetration tests: when organisations employ ethical cyber-specialists to try and exploit weaknesses in IT systems, so they can be found and fixed.
We can’t do justice to this comprehensive topic here. But, you can read five pages of information in our Guide: Optimising Information Security.
Preparing Plan B – Business Continuity
While an Information Security policy for daily operating conditions is vital, what happens if circumstances change suddenly?
A strong approach to data security minimises risks and highlights potential vulnerabilities even when invoking a business continuity plan. It’s about protecting data and mitigating any disruption to your organisation.
It’s vital to identify, test and implement controls that can significantly reduce the threat to data availability should Plan B be actioned.
Information Security standards with external partners
Information and processes no longer exist solely within an organisation. Increasing global mobility, remote working and lean organisations have led to outsourcing entire business functions to third-parties and external partners.
These providers should not lie beyond the remit of your Information Security policy.
Due diligence when selecting third-parties is vital. Information Security questionnaires and on-site audits of the provider’s premises are good examples. These validations check that your proposed provider’s claims and certifications meet the standards you expect.
To safeguard critical information, written agreements should also be in place with all third-party service providers and processors. These agreements help protect any personal data that they access and process on your behalf.
Information security is a comprehensive topic. But risks to data can be managed with regular review, a security-first culture and protection of your networks and systems.
In summary, it’s important to remember:
- Information Security is not a nice-to-have; it’s essential for every organisation involved with data transfers, processing or storage
- A sound Information Security methodology covers all data, people and processes which use and access systems
- Information Security is a holistic consideration and applies to internal structures and third-party suppliers
More information on Information Security for managers, directors and leaders is available to download in our Guide: Optimising Information Security.
Datagraphic helps teams securely automate their outbound communications in digital and physical print formats. With over 30 years of experience, we’re at the forefront of multichannel communications. We produce and distribute data-driven, customer, employee, and supplier-facing documents automating our clients’ workflows to deliver digital transformation.
Our team are fanatical about Information Security. They not only comply with recognised standards such as ISO 27001 and C&CCC Standard 55 but proactively manage the safety of all data and documents. To learn more, please get in touch.