Information Security

You can’t have IT without Security! There, we said it, but what does that mean and perhaps more importantly, what does it mean for our customers?

Well for us it means that it’s not a separate subject and we don’t do it, advise on it, or even talk about it in isolation. This is because our industry often sees security as a bolt-on, something to be added to, or overlaid onto your IT systems. This approach leads to security being talked about in terms of products and services – Network Security, Firewalls, Anti-virus etc. That’s why we see Managed Services Providers (MSPs) turning into Managed Services and Security Providers (MSSPs). And IT companies adding products to their portfolio so they can say they now do security!

Our approach to security starts with the belief that it runs throughout the entire organisation; it should be part of your DNA. It’s often said that IT is about enabling people. If you’re approach to security is to add it to your IT systems as an afterthought, then it can often be disabling. If you bake it into your organisation, we believe it can empower people.

Is Security really an IT Issue?

Macnamara includes Cyber Essentials as part of our standard Managed Service offering. Cyber Essentials is the nationally recognised Government scheme that helps businesses protect themselves from fraud and Cyber Attacks. It’s a great place to start but it’s really a point in time snapshot and doesn’t mean that you’re now secure.

A good analogy would be getting an MOT for your car. This means that your car is in full working order on the day you pass the MOT, but what happens if your exhaust falls off the next day? Is your car still compliant? There’s no continuity. By having CE as part of our Managed Service, we provide the continuity. Then there’s CE Plus. This takes things a step further by requiring separate technical validation. Again, we can provide this, but we won’t put you forward for it unless we’re sure that you understand what it means and are willing to adhere to the guidelines. This is generally why we only accredit and certify companies in Cyber Essentials that are already working with us. We don’t offer it as a separate stand-alone service.

CE is a good starting point, but it only addresses the technical aspects of security: Are your machines properly patched? Is your Firewall configured correctly? Do you run Anti-Virus? All of these are important, but Security isn’t just the domain of IT. At Macnamara we believe that you’re not secure unless the idea of Security is embraced by the whole business!

Business & Information Security

To bake Security into your business and move toward true Business and Information Security, you need to implement: Policies, Training and Awareness, and Compliance. To take this approach is to recognise not only the importance of Information Security, but the fact that it’s not a product or solution that’s implemented once, it’s a process that is and should be on-going. Furthermore, it’s an ethos that runs throughout the organisation.

We’d be lying to you if we said this was simple. It can be a very detailed undertaking, but we want to give you a sense of what’s involved.

Our Approach

Our approach mirrors the IASME Governance Model. The standard includes all five Cyber Essentials technical controls and adds additional topics that mostly relate to people and processes, for example:

  • Risk assessment and management
  • Monitoring
  • Change management
  • Training and managing people
  • Backup
  • Incident response and business continuity

Naturally, we start by carrying out a full assessment of your business. This helps us both to understand where we are, but perhaps more importantly, where you’d like to be. Not all businesses are the same and therefore not all businesses are required to be fully compliant to the highest level or standards. We need to understand what’s appropriate so that you’re not striving for ISO27001, when Cyber Essentials Plus is what’s needed.

The results of this assessment are then discussed, and a plan can then be agreed. This might look something like…

Creation of a single overarching Information Security policy, which should be drawn up and signed by the CEO. This will include a short clear statement about your commitment to information security and specify roles and responsibilities.

This policy would probably then be broken down into various areas, each with their own clear statements, for example:

  • Data retention
  • Business continuity
  • Data protection
  • Email and internet access
  • Home working
  • BYOD & mobile device management
  • Asset management
  • Password, encryption, and admin rights
  • Security incident response
  • Backup and archiving

These policies on their own will not achieve a significant improvement in your information security posture, but by accompanying each one with a clear set of procedural instructions on how to give effect to its objectives, a major improvement in security will be achieved.

For example, if the Password, Encryption and Admin Rights policy specifies that all emails containing personal information must be encrypted, the accompanying procedure should point to the data protection policy for a definition of personal information and give clear precise instructions on how to encrypt an email.

Compliance and Baselines

This approach allows us to create a security baseline and a compliant framework under which your organisation operates. We can then extend this security baseline to include technical baselines for your IT assets. A good example of this might be that all devices used to access your data must be encrypted. This is to protect against access to your information if such equipment is lost or stolen. E.g.

  • Windows 10 Pro – Enable BitLocker
  • Windows 10 Home – Should not be used
  • Mac OS – Enable File Vault
  • Android and iOS Devices – Enable native encryption

Implementing security enabled technical baselines creates compliant systems and software, which in turn allows your staff to be productive. They can carry out their day-to-day tasks safe in the knowledge that they can securely access the right information, from the right sources, using the right devices, from any location.

This is what we mean by Information Security!

We realize that our approach isn’t for everyone. But if what we’re describing makes sense then it’s probably worth us exploring it further.

Start by engaging us to carry out a GDPR and Security Assessment. Once this is completed you can either choose to carry on our engagement and have us implement, manage, and support the recommendations ongoing. Or alternatively, use it as a standalone independent audit.

Like this article?

Share on twitter
Share on Twitter
Share on linkedin
Share on LinkedIn
Share on email
Share by Email

Subscribe to our monthly newsletter

Get the best IT tips and Office ideas in your inbox

Further reading

Outlook

How to add a Shared Mailbox to Outlook Mobile

If you have access to shared mailboxes and you need to view these in Outlook on your mobile, you don’t need to know the username and password for those accounts. You can add them using your existing delegated access rights.

Read More »

You have a new Fax!

When was the last time you received a fax? Possibly never. But, it might surprise some of you to know that millions of faxes get sent every day. In Germany, Japan and the US especially, they are alive and well, if not so much here in the UK. But how are they used in Phishing?

Read More »

To Save or to Auto Save?

Save as you go. If ever there was a golden rule of working with computers, this is it. Anyone who has ever worked on a document before losing their progress to an application crash or power cut knows only too well the dangers of not saving your work. So the introduction of Auto Save in Office seems to be, on the face of it, an absolute gem. But how does it work and what if you need to turn it off?

Read More »
Scroll to Top