Our approach to Information Security

The benefits of Information Security

Every business in the 21st century is dependent on the information it holds, from details of its customers to management accounts for its shareholders. That information is critical and is probably held as data on a computer system. Driven by legislation, corporate governance or some form of compliance, Information Security (IS) can seem a burden to some organisations. A strong security strategy shouldn't restrict people accessing the data they need, but quite often the complaint of "I don't have the information to do my job anymore" is heard after an implementation.

Our Information Security Consultants work with an organisation to deliver a holistic, whole-organisation approach to the Information Security Strategy. The people are just as important as the data, the systems and the procedures. In fact the ISC2 approach used by TMC uses the acronym CIA (Confidentiality, Integrity and Accessibility), which can be summarised as the correct data to the correct people at the correct time.

When looking at protecting their data, it is common for an organisation to put most of its effort into external protection and all but ignore the internal threats. An increasing number of data thefts are either instigated by employees or caused by their lack of understanding of data security.

A good Information Security implementation can identify risks to how an organisation is operating, prevent non-compliance with legal requirements and reduce the chances of data theft. It can be the difference between standing in front of a TV crew and saying "We have a full security strategy in place and are confident no data can be retrieved from the laptop" compared to "We advise our clients to be on careful lookout for people using this data for malicious aims."

Information Security Services

Technology Management and Consultancy can offer the following services in relation to Information Security, but we can also design bespoke delivery packages if your requirements are not listed below. Please see our contact page to get in touch.

Risk Review

A template package used to advise an organisation about risks affecting its information storage and processing. The package includes onsite research by a Consultant guided by over one hundred questions relating to risks involved in using IT systems to manage data. Topics covered include the Data Protection Act, employee access security, backup strategy, security policy, password policy and physical network. The Information Security Consultant will then produce a report advising the organisation of the risks for each topic and suggested ways to manage those risks. This is a good introductory package for organisations that are not aware of the risks involved in securing information and wish to look at resourcing the solutions internally.

Information Security Strategy

This is a high-level document delivered by an Information Security Consultant and designed to guide the organisation's Senior Management in resourcing and budgeting for a suitable Information Security Strategy. It identifies and documents responsibilities, goals, aims and compliance requirements for the company. If appropriate it will also reference benchmark standards such as ISO27001. The Strategy can be delivered either following a full Risk Review or to an organisation already aware of the risks. Our consultants work with you to turn a vision for Information Security into a strategy the implementation team can follow.

Information Security Policies

The policies are the documents that start to explain to individuals their responsibilities in relation to Information Security. They cover areas such as passwords, Acceptable Use Policy (AUP) and remote workers.
These policies are developed by an Information Security Consultant in liaison with an organisation's IT and HR teams to ensure they comply with company standards and can be communicated to the employees effectively. Once the policies are in place, our consultant can work with the appropriate internal resources to monitor staff compliance with the policies by putting in place tools and IT procedures.

Information Security Management System

A Management System to an International Standard, such as ISO27001, allows your organisation to market itself by using the appropriate symbol. The Information Security Management System wraps around the policies and procedures in place in an organisation and introduces change and other controls to make the process of auditing the system easier. If you have a Management System already in place (such as ISO9001 or BS25999) then it may be possible to adapt this system to include your Information Security policies, but if not a new Management System can be created and applied.

Strategy Review

Do you have an existing Information Security Strategy that might be out of date or that was inherited from a previous team? Do you have an internally generated strategy that would benefit from an external viewpoint? One of our Information Security Consultants can revisit the strategy using fresh, external eyes and advise on the strengths and weaknesses of the current strategy. This review can also be very useful during a merger or acquisition to review the strategy and how a combined strategy could be developed. Don't leave your strategy gathering dust on the shelf; get TMC to review and refresh it for you.

Process Review

Are your Information Security processes in place but perhaps out of date because of operational changes, staff changes or a lack of auditing?
A TMC Information Security Consultant can work with your existing Information Security or IT team to review each of the processes, check adequate auditing is in place and update the processes to ensure they are fit for purpose. Out of date processes can introduce vulnerabilities to your systems and give a false impression of a secure IT infrastructure.

Technology Solutions

An Information Security Strategy defines where an organisation wants to be with its data security; the policies guide the Information Security team on how to implement the strategy; and the processes provide detailed instructions for the teams to follow. Once the first two are in place, and while building the processes and procedures, the technology required to implement, audit and monitor the policies needs to be put in place. This is both an Information Security and an IT role: the technology has to do the job but also fit the existing infrastructure and be easy to manage with the current skill set. The skills of the consultant provided by TMC for this role cover both Information Security and technical infrastructure management. The consultant will be experienced in procuring and implementing technical solutions as well as procedure documentation. If required, a TMC consultant can also design and deliver training packages for internal staff covering the new technology.

Data Protection Act consultancy

There is more to the Data Protection Act (DPA) in the UK than the simple process of registering. After the initial decision on whether to register or not (the wizard on the Information Commissioner's website can be used for this), a decision needs to be made about whose details to enter on the registration form. Once registration is complete, certain responsibilities are accepted by the organisation under the Act. These include responding to requests for information from members of the public and managing the personal data correctly.
A TMC Information Security Consultant can advise on all stages of the process, from the requirement to register all the way to handling requests for information. The consultant can also put in place procedures to help in compliance with the Data Protection Act, which will include technical and data management procedures. For organisations that rely on their employees to help with compliance with the Data Protection Act, we deliver the Secure Information Worker course through BrownStones.

Penetration Testing

Penetration Testing, also known as Ethical Hacking, is the process of attempting to break into a network and steal information or privileges with the network owner's permission. This can also be performed against websites, but the permission of the hosting provider should be sought. If you have all the procedures and processes in place for Information Security then the next step is a penetration test. Not only does this test the strength of your protection but also the audit procedures and response times of your Information Security team. A breach may be possible, but the ability to spot the breach and respond to it before any damage is inflicted is very important.

Because of the nature of this type of work, a TMC consultant will visit the organisation to discuss in detail the work that will be carried out. Once this is understood, a written document, signed by both parties, is created to define scope, responsibilities and liability. A full report of the test is provided, along with a priority report if any critical breaches are found.

Forensic Analysis

Whilst Technology Management and Consultancy Ltd always recommends that any data theft is reported to the relevant authorities, we also understand that this may not be in the best interests of the organisation. If data has been changed, gone missing or been stolen then a TMC Information Security Consultant can help investigate the problem and cause.
It's very important before engaging TMC for Forensic Analysis that we review your policies and procedures to ensure we are able to perform our duties without risk of breaching any regulations. The consultant will provide a report on the incident which will also include any recommendations for further action. Further action may include a recommendation to report the incident to the police but will also include advice on how to protect the organisation's data from further security problems.

Social Network Forensics

Do you monitor the online profile of your company and staff? Could you face a possible court case or future embarrassment from a member of staff posting photos or comments in their Facebook or MySpace profile? As well as advising on how to work with staff members to prevent unsuitable online information from appearing, a TMC Information Security Consultant can complete a regular review of the online profiles of everyone involved in the business. A full report is provided after the review, and a trend analysis is also provided in the report to identify areas of future concern. If you're concerned that your customers know more about your company, your staff or your Christmas party than you do, then contact a TMC Information Security Consultant.

