Are you a manager or department leader with a team that processes customer or employee data?
Check your knowledge of Information Security with this quick quiz.
Does your organisation have an Information Security policy that's regularly reviewed?
An Information Security policy guides data collection, storage and processing by an organisation. The policy’s purpose is to provide direction and support for Information Security and outline how to implement and monitor compliance.
Do all staff have regular Information Security awareness training?
Regular Information Security awareness training is a must to avoid gaps in knowledge that can lead to mistakes. Training should apply to all staff, including temporary, locum or contract workers, so they’re fully aware of and fulfil their data security responsibilities.
Do you restrict physical access to premises and equipment?
Restricting access to premises and equipment helps prevent unauthorised use, damage and manipulation of secure personal data. Examples of physical access controls include ID cards or PIN pads, alarms and CCTV, to name just a few.
Do you have a clean desk policy so confidential information is not left exposed?
A clean or clear desk policy asks staff to remove and lock away paper records, external storage (such as USB sticks) and portable devices (external hard drives) when not in use.
Do you have an asset inventory, to show where data is held, who has access to it and how it's protected?
It’s essential to have a clear view of business systems, where data is held, who has access to it and how to protect it against unauthorised use. An asset inventory requires all hardware and software to be identified and classified to establish security compliance accountability. Assets include all office or home-based equipment used to store or process personal data.
Do you have a policy for remote working that includes Information Security?
Your Information Security policy must include adequate security measures for remote working. This includes risk assessment of using mobile devices and assigning authority to work remotely.
Are staff trained to use strong passwords and two-factor authentication (if available)?
Strong passwords or passphrases are unique. They have more than 7 characters and combine letters (or words), numbers and a special character. It's also recommended to update them regularly. Two-factor authentication (2FA) is a second verification of the account owner that is needed to complete a login attempt. Typically, a verification code delivered via an authenticator app or text message is used together with a username and password to access systems or software applications.
Is malware protection software active on all IT systems?
Malware can infect computers from several unexpected sources. Email attachments, websites and removable media are the most common. Your organisation should have malware protection software that scans networks and systems for threats. It must be kept up to date, and staff must be educated about the risks of opening attachments from unknown sources.
Do you take daily system-level backups?
Your organisation should routinely back up personal data so that information can be restored in the event of an attack, system failure or natural disaster.
Do you employ ethical cyber-crime specialists to highlight weaknesses in your IT systems?
Ethical cyber-security specialists carry out penetration tests to try to exploit weaknesses in IT systems. Any potential system vulnerabilities can then be found and fixed to help you better safeguard information.
Do you regularly audit third-party suppliers to confirm their data security standards?
When selecting third-party suppliers to capture, process and/or store personal data for your organisation, it's vital to regularly audit and validate their Information Security credentials. Your due diligence might include checking that the certifications they claim to hold are valid, and visiting their premises to make sure their standards meet or exceed your expectations.