Practical guide to IT security

Tuesday July 24, 2012 at 10:00am
The Information Commissioner’s Office has published a new PDF document entitled “A Practical Guide to IT Security”.

Although the ICO has produced a variety of these helpful publications, this is a timely aide-mémoire for SMEs throughout the UK, who need to start taking IT security and information security management more seriously.

The Data Protection Act 1998 under the 7th Principle requires that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. 

Whilst this principle is well understood by those who read the Act, such as myself and other experts in information security management, its implications are not widely appreciated by business owners and managers.

The ICO’s Guide, available on their website, sets out basic measures that should be adopted, starting with a risk assessment to establish the level of security needed. 

The guide usefully advocates a ‘layered’ approach to establishing the correct regime. 

It suggests the second step should be an examination of physical security. This may include secure premises, CCTV monitoring, access controls, secure storage areas and so on.

Then the guide focuses on intrusion defences: systems to prevent successful penetration of your IT networks. Their effectiveness can be tested by ethical penetration tests, performed by CHECK- or CREST-approved agencies.

Access control is given a particular focus, and rightly so. How many small companies have a formal system for granting and withdrawing access to their IT systems and applications, for example?

The creation of simple policies for addressing data security and data protection is also advocated. It is amazing, on my travels, how many small businesses do not have such policies. How can you comply with the Data Protection Act if you have not set out the basic requirements within your business?

Securing data on the move is covered, for perhaps obvious reasons. Some of the most recent major data losses have involved laptops holding large amounts of personal data which have gone missing. Such equipment should be ‘risk assessed’ and, where appropriate, good encryption software applied.

Finally, there is a salient section on the use of IT contractors. Many small organisations have informal contracts in place with ‘one-man band’ IT establishments. There is nothing wrong with this, but how well codified are these agreements? Do they address data protection and IT security? Have you ‘risk assessed’ your IT contractor? What procedures do they deploy to minimise data loss and comply with the DPA 7th Principle?

Whether you choose to take a formal approach, for example going for ISO 27001 compliance, or simply apply good general management practices, the ICO Guide is a useful starting point for any business owner concerned about IT and data security.

Marcus Allen

ISO 27001 Consultants

Parker Management Consultants, 1st floor, Dominion Court, 43 Station Road, Solihull, B91 3RT