An Information Security policy guides data collection, storage and processing by an organisation. The policy’s purpose is to provide direction and support for Information Security and outline how to implement and monitor compliance.
Regular Information Security awareness training is a must to avoid gaps in knowledge that can lead to mistakes. Training should apply to all staff, including temporary, locum or contract workers, so they’re fully aware of and fulfil their data security responsibilities.
Restricting access to premises and equipment helps prevent unauthorised use, damage and manipulation of secure personal data. Examples of physical access controls include ID cards or pin pads, alarms and CCTV, to name just a few.
A clean or clear desk policy asks staff to remove and lock away paper records, external storage (such as USB sticks) and portable devices (external hard drives) when not in use.
It’s essential to have a clear view of business systems, where data is held, who has access to it and how to protect it against unauthorised use. An asset inventory requires all hardware and software to be identified and classified to establish security compliance accountability. Assets include all office or home-based equipment used to store or process personal data.
Your Information Security policy must include adequate security measures for remote working. This includes risk assessment of using mobile devices and assigning authority to work remotely.
Strong passwords or passphrases are unique. They have more than 7 characters and combine letters (or words), numbers and a special character. It's also recommended to update them regularly. Two-factor authentication (2FA) is a second verification of the account owner that must be completed before a login attempt succeeds. Typically a verification code, delivered via an authenticator app or text message, is used together with a username and password to access systems or software applications.
Malware can infect computers via several seemingly innocuous sources. Email attachments, websites and removable media are the most common. Your organisation should have malware protection software to scan networks and systems for threats. It must be kept up to date, and staff must be educated about the risks of opening attachments from unknown sources.
Your organisation should routinely back up personal data so that information can be restored in the event of an attack, system failure or natural disaster.
Ethical cyber-specialists carry out penetration tests to try to exploit weaknesses in IT systems. Any potential system vulnerabilities can then be found and fixed to help you better safeguard information.
When selecting third-party suppliers to capture, process and/or store personal data for your organisation, it's vital to regularly audit and validate their Information Security credentials. Your due diligence might include checking the certifications they claim to have are valid, and visiting their premises to make sure their standards meet or exceed your expectations.