Page 9 of 10
Information Security For Business
How Do I Provide Security Solutions?
If your home risk assessment has identified a high level of risk when your house is empty, you may decide to install a burglar alarm.
You will then have to decide on the best type of system to meet your needs and identify a reputable supplier who can provide you with an effective, affordable system.
Similarly, in your organisation these risk assessment principles should be used to help you decide on the appropriate level of protection.
We looked at assessing security risks in the section 'What security do I need?' In this section you will find advice on how you can provide security solutions to help reduce your level of security risk.
A good starting point is the ten key controls in BS 7799. Compliance with these controls will go a long way towards providing your security solutions. We will now look at how to implement the ten key controls.
Information security policy document
The section 'How do I develop my security policy?' provides advice on this.
Allocation of information security responsibilities
The section 'What roles and responsibilities should I consider?' covers this.
Information security education and training
You should provide all users, including managers, with appropriate training. This should include specific controls and procedures as well as ensuring that staff understand why security is important, what your policy is, and their own responsibilities.
Reporting of security incidents
You will need to provide guidance on the actions that should be taken following an incident, including how these should be reported. This topic should be included in your policy and your education and training programme.
Virus controls
There are two aspects to this control. First, you should produce a policy forbidding the use of unlicensed and unauthorised software. Secondly, you should use anti-virus software from a reputable supplier on all your PCs and networks.
Business continuity planning process
You will need a process to develop and maintain business continuity plans. The security risks you identified in the section 'What security do I need?' will help you to identify the vital business functions that you would need to maintain following a disaster.
Control of proprietary software copying
You will need to ensure that the legal restrictions on the use of copyright material are understood and implemented. You should introduce a policy requiring all staff to comply with software licences.
Safeguarding of organisational records
You will probably find that you are doing much of this as part of your compliance with The Companies Act. You should, however, ensure that organisational records held on a computer also comply.
Data protection
Personal information that is stored or processed on a computer must be registered under the Data Protection Act. Further advice is available from the Office of the Data Protection Registrar on: 01625 545745.
Compliance with the security policy
You will need to review your organisation to ensure ongoing compliance with the requirements of your policy. Your information security policy will provide an overall direction for your organisation.
You will need to support it with standards that set minimum levels and procedures on how to implement these standards.
The next section 'What further help is available to me?' provides details of how to obtain further advice.
Copyright: The content for Information Security for Business is based upon information published by the Department of Trade & Industry and is reproduced in accordance with Crown Copyright