Recent news of the outrageous hacking and breach of sensitive patient data has caused organizations and individuals to worry about, and resent, the growing activity of cybercriminals around the world. Although the case is a devastating tragedy for the people involved, alongside the concern and indignation there is also an opportunity to improve the situation. In this blog, we have listed the most important questions every organization should ask itself in light of recent events.
Have we defined what kind of information we process in our organization? What information should we protect?
- What information is critical to our organization or customers?
- What information is personally identifiable information as defined by the Data Protection Act? What is confidential information and what is public information?
- How and where is the data to be protected currently stored?
- What information of our organization could be particularly interesting to cybercriminals?
Have we identified the security risks and threats to the technical environments facing our organization?
- What are the key information security risks in our organization related to our staff, facilities, IT services and projects?
- What kinds of security attacks could potentially be targeted at our organization?
- Has our organization established information-security-management-related policies to reduce risks?
- What is the level of security of the end-user services we provide over the Internet?
- Are old, decommissioned information system services and databases still visible on the Internet?
- Are our organization's internal development or training environments visible on the Internet, and are those environments adequately protected?
Have we allocated sufficient resources for security development and management?
- Do we have enough expertise in the organization to implement measures related to the development of information security?
- Are sufficient financial and human resources allocated to the development of information security?
Have we made sure that every employee in our organization is aware of the basics of information security?
- Has there been role-specific security training for all employee groups in our organization (e.g. management, office workers, developers)?
- Have our organization's staff been briefed on their role in information security management?
Have we ensured that our partners follow the best security practices?
- How are security responsibilities defined with our partners?
- Have security requirements been defined for partners, and are they clearly stated in our agreements?
Have we developed a plan for security non-conformance incidents?
- Have we defined what to do if a security non-conformance occurs in the organization?
- Have we practiced our preparedness for security breaches adequately?
As the list above shows, the development of information security must be a holistic and continuous activity. Although security issues are often seen as purely technical, security management requires organization-wide policies and practices.
Text: Tarmo Kellomäki, Business Area Manager, Digital Security, email@example.com