Information Security

CE IASME
You can’t have IT without Security! There, we said it, but what does that mean and perhaps more importantly, what does it mean for our customers?

Well for us it means that it’s not a separate subject and we don’t do it, advise on it, or even talk about it in isolation. This is because our industry often sees security as a bolt-on, something to be added to, or overlaid onto your IT systems. This approach leads to security being talked about in terms of products and services – Network Security, Firewalls, Anti-virus etc. That’s why we see Managed Services Providers (MSPs) turning into Managed Services and Security Providers (MSSPs). And IT companies adding products to their portfolio so they can say they now do security!

Our approach to security starts with the belief that it runs throughout the entire organisation; it should be part of your DNA. It’s often said that IT is about enabling people. If you’re approach to security is to add it to your IT systems as an afterthought, then it can often be disabling. If you bake it into your organisation, we believe it can empower people.

Is Security really an IT Issue?

Macnamara includes Cyber Essentials as part of our standard Managed Service offering. Cyber Essentials is the nationally recognised Government scheme that helps businesses protect themselves from fraud and Cyber Attacks. It’s a great place to start but it’s really a point in time snapshot and doesn’t mean that you’re now secure.

Car Service Manager or Mechanic Uses a Tablet Computer with a Futuristic Interactive Diagnostics Software. Specialist Inspecting the Vehicle in Order to Find Broken Components In the Engine Bay.

A good analogy would be getting an MOT for your car. This means that your car is in full working order on the day you pass the MOT, but what happens if your exhaust falls off the next day? Is your car still compliant? There’s no continuity. By having CE as part of our Managed Service, we provide the continuity. Then there’s CE Plus. This takes things a step further by requiring separate technical validation. Again, we can provide this, but we won’t put you forward for it unless we’re sure that you understand what it means and are willing to adhere to the guidelines. This is generally why we only accredit and certify companies in Cyber Essentials that are already working with us. We don’t offer it as a separate stand-alone service.

CE is a good starting point, but it only addresses the technical aspects of security: Are your machines properly patched? Is your Firewall configured correctly? Do you run Anti-Virus? All of these are important, but Security isn’t just the domain of IT. At Macnamara we believe that you’re not secure unless the idea of Security is embraced by the whole business!

Business & Information Security

To bake Security into your business and move toward true Business and Information Security, you need to implement: Policies, Training and Awareness, and Compliance. To take this approach is to recognise not only the importance of Information Security, but the fact that it’s not a product or solution that’s implemented once, it’s a process that is and should be on-going. Furthermore, it’s an ethos that runs throughout the organisation.

We’d be lying to you if we said this was simple. It can be a very detailed undertaking, but we want to give you a sense of what’s involved.

Our Approach

IASME Governance

Our approach mirrors the IASME Governance Model. The standard includes all five Cyber Essentials technical controls and adds additional topics that mostly relate to people and processes, for example:

  • Risk assessment and management
  • Monitoring
  • Change management
  • Training and managing people
  • Backup
  • Incident response and business continuity

Naturally, we start by carrying out a full assessment of your business. This helps us both to understand where we are, but perhaps more importantly, where you’d like to be. Not all businesses are the same and therefore not all businesses are required to be fully compliant to the highest level or standards. We need to understand what’s appropriate so that you’re not striving for ISO27001, when Cyber Essentials Plus is what’s needed.

The results of this assessment are then discussed, and a plan can then be agreed. This might look something like…

Creation of a single overarching Information Security policy, which should be drawn up and signed by the CEO. This will include a short clear statement about your commitment to information security and specify roles and responsibilities.

This policy would probably then be broken down into various areas, each with their own clear statements, for example:

  • Data retention
  • Business continuity
  • Data protection
  • Email and internet access
  • Home working
  • BYOD & mobile device management
  • Asset management
  • Password, encryption, and admin rights
  • Security incident response
  • Backup and archiving

These policies on their own will not achieve a significant improvement in your information security posture, but by accompanying each one with a clear set of procedural instructions on how to give effect to its objectives, a major improvement in security will be achieved.

For example, if the Password, Encryption and Admin Rights policy specifies that all emails containing personal information must be encrypted, the accompanying procedure should point to the data protection policy for a definition of personal information and give clear precise instructions on how to encrypt an email.

Compliance and Baselines

5 Technical Controls

This approach allows us to create a security baseline and a compliant framework under which your organisation operates. We can then extend this security baseline to include technical baselines for your IT assets. A good example of this might be that all devices used to access your data must be encrypted. This is to protect against access to your information if such equipment is lost or stolen. E.g.

  • Windows 10 Pro – Enable BitLocker
  • Windows 10 Home – Should not be used
  • Mac OS – Enable File Vault
  • Android and iOS Devices – Enable native encryption

Implementing security enabled technical baselines creates compliant systems and software, which in turn allows your staff to be productive. They can carry out their day-to-day tasks safe in the knowledge that they can securely access the right information, from the right sources, using the right devices, from any location.

This is what we mean by Information Security!

We realize that our approach isn’t for everyone. But if what we’re describing makes sense then it’s probably worth us exploring it further.

Start by engaging us to carry out a GDPR and Security Assessment. Once this is completed you can either choose to carry on our engagement and have us implement, manage, and support the recommendations ongoing. Or alternatively, use it as a standalone independent audit.

Like this article?

Share on Twitter
Share on LinkedIn
Share by Email

Subscribe to our monthly newsletter

Get the best IT tips and Office ideas in your inbox

Further reading

Making Sense Of Information Security

Making Sense of Information Security – Online Course

In this series of 5 short tutorials, ‘Making Sense Of Information Security’, Ciaran delivers a step by step guide on getting to grips with this at times tricky concept. Aimed at office managers, we cover areas such as how to get senior management buy-in, how to undertake a risk assessment, how to approach treatment of those risks, your responsibilities to data subjects under the GDPR, and more.

Read More »
copilot-logo

Enhance Productivity with Microsoft 365 Copilot

AI tools are transforming how people approach their work, but online ‘free’ tools such as ChatGPT are not secure for businesses to use, and you should never enter any confidential or personal information into free online AI Services. This information can be used to train the AI and make it available to other users, and may constitute a data breach.

Read More »
3D rendering. Abstract background concept of cyber security and attack, system crash.

The 7 Most Common Attack Vectors in 2024

With the rapid onset of new technological capabilities, cyberattacks are a very real threat to any modern business. After all, as more businesses implement new technologies into their business, cyber attackers gain more new targets to try their hand at.

Read More »
Scroll to Top