Every technology-driven business process is exposed to security and privacy threats. Modern technologies are capable of preventing cybersecurity attacks, but these alone aren’t enough: organizations must also ensure that their business processes, policies, and workforce behaviour minimize or mitigate these risks.
What is an ISMS?
ISO 27001 is an International Standard issued by the International Standards Organization (ISO) to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS is influenced by its needs and objectives, its security requirements, the processes it employs, and its size and structure.
How to Implement an ISMS?
This International Standard adopts the “Plan-Do-Check-Act” (PDCA) model, which is applied to structure all ISMS processes. The ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations.
The PDCA Model:
- Plan – Identify the problems and collect useful information to evaluate security risk. Define the policies and processes that can be used to address problem root causes. Develop methods to establish continuous improvement in information security management capabilities.
- Do – Implement the planned security policies and procedures. The implementation follows the ISO standard, but the actual implementation is based on the resources available to the organization.
- Check – Monitor the effectiveness of ISMS policies and controls. Evaluate tangible outcomes as well as behavioural aspects associated with the ISMS processes.
- Act – Focus on continuous improvement. Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
How Did Geninvo Implement an ISMS?
- Organization Security Policy: The Security Policy defines Geninvo’s process and approach towards establishing and implementing information security measures, adopting industry best practices and regulations such as the ISO 27001 security standard and GDPR.
- Human Resource Policy: Security roles and responsibilities of employees, contractors and third-party users shall be aligned with the organization’s information security policy.
- Physical and Environmental Security: The Organization’s sensitive information processing facilities are housed in secure areas. Physical and system security protection is implemented to safeguard information against natural and man-made disasters.
- Equipment/System Security: Equipment and systems shall be protected to reduce the risks from environmental threats and unauthorized access. Power and telecommunication cables shall be appropriately protected from interception or damage.
- Communications and Operations Management: Management and operation of all information processing facilities shall be controlled to reduce the risk of negligent or deliberate misuse. Services delivered by third parties shall be managed according to the Organization’s information security requirements.
- Mobile Computing Policy: Appropriate security measures have been adopted to protect mobile computing facilities. Personnel are trained on the usage of these facilities in public places and when connecting to networks.
- Business Continuity Management: A business continuity management process has been implemented to minimize the impact on the Organization and to recover from the loss of information assets to an acceptable level. A Business Continuity plan has been developed and implemented to ensure the timely resumption of critical functions.
- User Access Management: Allocation of access rights to information systems, networks and services is controlled. Users are made aware of their responsibilities for maintaining effective access controls.
- Security Requirements in Applications: Appropriate controls are established to ensure data protection and data integrity when enhancing, updating or installing new information systems and during their maintenance and management, protecting the application and the data it processes through various validation checks in the applications.
- Cryptographic Controls: Based on periodic risk assessments, Geninvo shall identify the information assets that require protection by cryptographic controls. Appropriate cryptographic controls have been applied to protect such information assets.
- Network Security Management: Controls have been established to safeguard the confidentiality and integrity of data passing over public and internal networks, and users are provided access only to the network services that have been specifically authorized.
- E-mail Security Policy: The information exchanged by emails is appropriately protected from unauthorized access, modification or denial of service.
- Internet/Intranet Security: Controls are established to safeguard the confidentiality and integrity of data passing over Internet/Intranet.
- Asset Management: All assets are accounted for and have a nominated owner. Acceptable use of assets is established. Information is classified to indicate the need, priority and expected degree of protection.
- Information System Acquisition, Development and Maintenance: Security requirements are identified and agreed prior to the development and/or implementation of information systems.
- Information Security Incident Management: Appropriate controls are established to ensure quick, effective and orderly management of information security incidents and weaknesses.
- Compliance: Compliance with legislative, regulatory, and contractual security requirements for the design, operation, use, and management of information systems shall be ensured.
These policies and procedures offer best practices that support Geninvo’s success in systematically managing the security of sensitive data. Though they may vary slightly from one framework to another, considering and aligning with these policies will go a long way towards achieving information security.