A Risk Based Approach to Data Security

The Why, What and How of Data Security

Information Security practices protect the assets of an organisation through the implementation of managerial, technical and operational controls; these assets must be managed appropriately to reduce the risk of financial loss – just as financial assets are managed through financial departments and human assets are managed and cared for by the human resources department and associated code of conduct and employment policies and practices.

Failure to protect the information assets from loss, destruction or unexpected alteration can result in significant losses or productivity, reputation or finances (Information Commissioner’s Office / Data Protection Act 2018). Information is an asset that must be protected, as well as software and hardware, which support the storage and retrieval of the information

The primary focus for the information security is to ensure the confidentiality, availability and integrity of the information.

Each business will be different as they operate within different industries with different threat profiles, so audit and analyse what data you hold, why you hold it and how long you intend to hold it for.

Map out where data is held (cloud, laptop, servers in-house etc) and where the backup data is stored / secured

You cannot achieve 100% security – you can only protect to you best efforts; install security measures across data sets in a ‘layered’ manner – many small layers are the most effective, especially if one or two are compromised – there are still some ‘layers’ remaining..

Security management is the glue that ensures the risks are identified and an adequate control environment is establish to mitigate the risks. it ensures the interrelationships among assessing risk, implementing policies and controls in response to the risks, promoting awareness of the expectations, monitoring the effectiveness of the controls, and using the knowledge as input to the risk management.

Analyse what you have and why you are storing it,  apply ‘data classification’ rules to the data sets and ensure that each level of ‘data classification marking’ is protected with the relevant controls and levels of security.

Document and employ sensible and enforcible ‘security policies’ across the business; enforce them and ensure the correct levels of protection for each ‘classification’ of data.

Review your data security every six months as a minimum

Current UK Legislation & Director Responsibilities

Current UK Legislation is a complexed area BUT must be fully understood by the directors and the employees; a good place to start would be with the ‘Information Commissioner’s Office (ICO)‘ in the UK.

The ‘General Data Protection Regulation (GDPR)’ was adopted into the UK Data Protection Act in 2018 and the ICO has a huge amount of practical advice and guidance – if you hold data you need to register the company with the ICO on an annual basis

Be aware of your legal responsibilities when holding personal data and be aware of a subject’s (person etc) rights of how that data is used and for how long you intend to keep it;

The ICO could fine the company up to a maximum or 4% of your annual turnover depending on the nature of the breach offence

Have documented and tested routines in place to deal with ‘Subject Access Requests’ (30 day response required) – AND – ensure you have Incident response plans – created & tested – in case you suffer a data breach.

Data security must be actively promoted and supported by senior management

Security Awareness training should be available (if not compulsory) for all staff; training should be re-addressed every six months

Regular backups of data that have been tested to restore correctly

Vulnerabilities, Risk, Threats & Impact