Security is often seen as a bolt-on, something to be added to, or overlaid onto your IT systems. This approach leads to security being talked about in terms of products and services – Network Security, Firewalls, Anti-virus etc.
Our approach to security starts with the belief that it runs throughout the entire organisation; it should be part of your DNA. It’s often said that IT is about enabling people. If your approach to security is to add it to your IT systems as an afterthought, then it can often be disabling. If you bake it into your organisation, we believe it can empower people.
Is Security really an IT Issue?
At Macnamara we believe that you’re not secure unless the idea of Security is embraced by the whole organisation.
Macnamara includes Cyber Essentials as part of our standard Managed Service offering. Cyber Essentials is the nationally recognised Government scheme that helps businesses protect themselves from fraud and Cyber Attacks. It’s definitely the right place to start, but it’s a point in time snapshot and doesn’t mean that you’re now secure. This is because there’s no requirement for ongoing checks. By having CE as part of our Managed Service, we provide that continuity.
Cyber Essentials Plus is the next logical step. CE+ takes things further by requiring separate technical validation. Again, we provide this, but we won’t put you forward for it unless we’re sure that you understand what it means and are willing to adhere to the guidelines. This is why we only accredit and certify companies in Cyber Essentials that are already working with us. We don’t offer it as a separate stand-alone service.
CE is a good starting point, but it only addresses the technical aspects of security: Are your machines properly patched? Is your Firewall configured correctly? Do you run Anti-virus? All of these are important, but Security isn’t just the domain of IT.
Business & Information Security
To bake Security into your business and move toward true Business and Information Security, you need to implement: Policies, Training and awareness, and Compliance. To take this approach is to recognise not only the importance of Information Security, but the fact that it’s not a product or solution that’s implemented once, it’s a process that is and should be on-going. Furthermore, it’s an ethos that runs throughout the organisation.
Our approach mirrors the IASME Governance Model. The standard includes all five Cyber Essentials technical controls and adds additional topics that mostly relate to people and processes:
- Risk assessment and management
- Change management
- Training and managing people
- Incident response and business continuity
The starting point is a full assessment of your business. This helps us both to understand where we are, but perhaps more importantly, where you’d like to be.
Not all businesses are the same and therefore not all businesses are required to be fully compliant to the highest level or standards. We need to understand what’s appropriate so that you’re not striving for ISO27001, when Cyber Essentials Plus is what’s needed.
The results of this assessment are then discussed, and a plan can then be agreed.
Creation of a single overarching Information Security policy is drawn up and signed by the MD or CEO. This will include a short clear statement about your commitment to information security and specify roles and responsibilities.
This policy is then be broken down into various areas, each with their own clear statements, for example:
- Data retention
- Business continuity
- Data protection
- Email and internet access
- Home working
- BYOD & mobile device management
- Asset management
- Password, encryption, and admin rights
- Security incident response
- Backup and archiving
These policies on their own will not achieve a significant improvement in your information security posture, but by accompanying each one with a clear set of procedural instructions on how to give effect to its objectives, a major improvement in security will be achieved.
For example, if the Password, Encryption and Admin Rights Policy specifies that all emails containing personal information must be encrypted, the accompanying procedure should point to the data protection policy for a definition of personal information and give clear precise instructions on how to encrypt an email.
Compliance and Baselines
This approach allows us to create a security baseline and a compliant framework under which your organisation operates. We can then extend this security baseline to include technical baselines for your IT assets. A good example of this is the devices you use to access your data. The policy may indicate that all devices must be encrypted#, to protect against access to your information if they are lost or stolen. E.g.
- Windows 10 – Enable BitLocker
- Mac OS – Enable File Vault
- Android and iOS Devices – Enable native encryption
Implementing security enabled technical baselines creates compliant systems and software, which in turn allows your staff to be productive. They can carry out their day-to-day tasks safe in the knowledge that they can securely access the right information, from the right sources, using the right devices, from any location.
This is what we mean by Information Security!
We realise that our approach isn’t for everyone. But if what we’re describing makes sense then it’s probably worth us exploring it further.
Start by engaging us to carry out our GDPR and Security Assessment. Once this is completed you can either choose to carry on the engagement and have us implement, manage, and support the recommendations ongoing. Or alternatively, use it as a standalone independent audit.