Information Security
What is information security?
Information security is the set of preventive, detective, repressive and corrective measures as well as policies, procedures and processes which guarantee the availability, exclusivity and integrity of all forms of data and information within your organisation. The aim is to prevent security incidents and, if they do occur, to minimise their impact on your organisation.
Which precautions are relevant for your organisation depends on various factors such as the type of organisation, the market in which your organisation operates, the contractual obligations you have entered into, applicable laws and regulations and the risks your organisation wishes to take and/or avoid.
Objectives of Information Security
- Ensuring information security requirements throughout the supply chain.
- Prevention of incidents.
- Prompt detection of incidents.
- Effective incident response.
- Learning from mistakes.
Your data and that of your customers properly secured in accordance with ISO 27001 and GDPR!
-Increase your resilience-
Why is information security important to your organisation?
Do you know which data is crucial for your organisation and your services? Do you know how the data flows within your organisation’s processes?
Do you know which parties have access to your data and how they handle it? Are you aware of the risks to your data within the entire supply chain?
In today’s 24-hour information society, your organisation cannot (or can no longer) be effectively managed without adequate information that is correct, complete and available to the user on time. In addition, customers and suppliers are making increasingly higher demands on the security of company and customer information. Laws and regulations (such as the General Data Protection Regulation) are becoming increasingly stringent.
As an organisation, you are ultimately responsible for protecting the data entrusted to your organisation. If you have not taken the right measures to adequately secure data, this can lead to image damage, loss of customers and market share, possible fines or even lawsuits.
Benefits of a solid information security policy for your organisation.
Customer loyalty – Existing customers notice you take the right measures to protect your and their data. You react quickly and effectively to incidents and take measures to prevent such incidents in the future. As a result, customers consider your organisation to be a reliable partner with whom they are happy to continue doing business.
Successfully obtaining new orders – More and more partners, suppliers and (potential) customers require the parties they do business with to take information security seriously. Before a third party enters into a new partnership with your organisation, it wants to know in advance how your organisation has ensured information security. If this does not meet expectations, your organisation may not qualify for the new assignment and you may miss out on potential revenue.
In case of disaster
A security incident, such as a hack or a data leak, can have far-reaching consequences for your organisation and management.
Effective use of your assets – A solid information security policy is based on the risks to which your organisation is exposed and the consequences of which you wish to avoid. By focusing on the risks which would really affect your organisation, you can prioritise your resources accordingly. This prevents unnecessary costs and increases the effectiveness of your own organisation.
Preventing unnecessary damage – By aligning your information security measures with existing contractual agreements with partners and customers and with relevant laws and regulations, you comply with all your supply-chain obligations.
This prevents unnecessary damage to your image and your brand, as well as possible fines or legal disputes.
Competitive advantage – All the above benefits help to strengthen your strategic position. By obtaining the ISO 27001 certificate or having an independent (technical) audit carried out by a certified party, you demonstrate that you have your affairs in order! See also: What we can do for you
Information security is first and foremost a cultural change!
-Know where you are-
Important aspects when implementing an information security strategy
When developing and implementing your information security strategy, you should consider the following aspects:
What requirements do you need to meet?
Know what requirements your organisation must meet with regard to information security! What requirements do your customers, business partners and government set? How do these requirements translate to measures in the area of human resources, processes and technology?
Which risks really count?
Define and maintain your own policies
What are the internal rules for securing and protecting company assets? Do these rules also apply to external parties who have access to your data, or who even process your data on their own systems?
Training and Awareness of Staff
“The weakest link in the company is between the keyboard and the chair”. 70% of information security incidents are caused by human action. Make sure the right people get the right training. The rest of the organisation should be familiar with your policies, and your people should take them into account in their daily activities. Training and awareness are only useful if they contribute to behavioural change among the people who work with your data.
The chain is as strong as its weakest link
Which activities have you outsourced, and what information security requirements have you specified in the contracts with these parties? The more important the activity, the more concrete the agreements should be, in order to prevent future legal disputes. Therefore, make clear agreements in advance that set out the information security requirements you impose on your suppliers.
Evaluate, learn and improve
Ensure you regularly evaluate all agreements and implemented measures for compliance and effectiveness. Measures already implemented should be checked regularly for availability (does the measure still exist?), completeness (does the measure still cover the right scope?) and effectiveness (does the measure contribute to reducing the identified risk?). The world does not stand still, nor does your organisation, and certainly not malicious parties. So take every learning moment, including a crisis, to heart.
-The possibilities-
This is what we can do for your information security strategy
Information security is a broad subject area. It is therefore impossible to state in advance whether, and how, we can help with your particular challenges within the discipline of information security. In the table below, we list a few possibilities that we hope will inspire you and lead to a further acquaintance.
Your wish
Our added value
Do you want to analyse your information security risks?
Option 1: To entirely document, implement and execute the risk management process.
Option 2: Facilitate and supervise the risk workshops.
Option 3: Translate your defined risks into concrete and effective continuity measures.
Do you want to create or update your information security policy?
Option 1: We write the entire information security policy and tailor it to and with your organisation.
Option 2: We write policy documents that require more specific knowledge.
Option 3: We can analyse your existing security policies and provide you with recommendations on how to improve them.
Would you like to make clear agreements with one or more (important) partners or suppliers regarding information security?
Option 1: We participate in the conversations regarding contractual information security requirements.
Option 2: We screen and review the potential agreements you wish to make before officially signing the contract.
Option 3: We screen your partner or supplier for compliance with the contractual agreements already made.
Would you like to bring about a change of behaviour within your organisation regarding information security?
Option 1: We facilitate workshops in which we discuss specific topics relevant to your organisation and tailored to the goal you wish to achieve.
Option 2: We prepare awareness materials which your organisation can use to support its own awareness campaign.
Option 3: We can provide specific (in-company) training to help you effectively roll out your information security strategy. Also refer to our training page.
Would you like to hire (temporary) knowledge and experience to implement measures?
Option 1: We can temporarily or semi-permanently perform the role of CISO / Privacy Officer / Security Officer.
Option 2: We can participate as experts in your projects within the field of information security and support your project team with the implementation and securing of measures.
Option 3: We can become part of your security department and help it to achieve its objectives.
Would you like a certificate from an independent party regarding the correct compliance and/or effectiveness of your policy and/or (part) of your information security measures?
Option: We execute an assessment or audit on the scope determined by you with the policy, norm, standard or legislation and regulations chosen by you as reference. Refer to Compliance and Audits for possible standards and scope.
Do you want to obtain a certificate?
Option: We can guide your organisation towards obtaining ISO 27001 certification or another standard such as NIST or CSA.
Relevant standards and legislation
The table below lists a number of important standards, industry best practices and laws and regulations which may be relevant to your organisation and with which Triple A Security has knowledge and experience. If you would like guidance in implementing one of these standards, please contact us without obligation.
ISO 27001
The ISO 27001 standard describes how information can be secured in a process-oriented way. In the context of this standard, that management system is called an ISMS (Information Security Management System).
NIST (National Institute of Standards and Technology)
NIST (National Institute of Standards and Technology) is an agency of the US government that is committed to standardisation. For cybersecurity, NIST has also drawn up a series of guidelines that companies can follow in order to be better prepared against cyber attacks.
GDPR
Since 25 May 2018, the General Data Protection Regulation has been applicable. This means the same privacy legislation applies throughout the European Union (EU).
The NIS Directive
The NIS Directive (Network and Information Security Directive) is a European directive and aims to bring unity and coherence to European policy for network and information security.
Operators of essential services and digital service providers within an EU Member State must take appropriate measures to manage security risks and to prevent and minimise the consequences of incidents, and must report serious incidents to the national competent authority or the CSIRT (Computer Security Incident Response Team).
PCI DSS
PCI DSS stands for Payment Card Industry Data Security Standard. PCI DSS imposes requirements on the processing, transmission and storage of credit and debit card details. Fines and compensation can be demanded in the event of a data breach if your organisation has not verifiably complied with this standard.
IEC 62443
IEC 62443 is the international cybersecurity standards framework for Operational Technology (OT) and for securing Industrial Automation and Control Systems (IACS).
More information: IEC 62443
OWASP
Websites and web applications process a lot of important information every day.
The Open Web Application Security Project (OWASP) is an open-source project in which security experts work continuously to keep its list of the most common security flaws up to date.
More information: OWASP
CSA
CSA stands for Cloud Security Alliance. This is a non-profit organisation that puts the safety and security of the cloud and cloud services first.