We have just completed an Information Security Audit.
In our line of work we process lots of data, most of it on behalf of our clients. For example, we receive sample files that contain lists of customers or employees to whom we will email survey invites and often the sample files contain other demographic data that is merged with the survey responses to be included in the analysis and reporting.
And of course we collect lots of survey answers, which contain all kinds of information. No matter how interesting or not the data appears, the data are valuable assets.
We have an Information Security Policy that is reviewed and updated (at least) every year, and we also carry out an Information Security Risk Assessment. To be honest, I don’t find the audit the most exciting task, but it is very important. While our company is small and our team of 6 aren’t stupid, it is easy to assume “that goes without saying”.
When did you last consider information security?
Hopefully, not the last time there was a high-profile news story involving a laptop, a train and lost luggage! In an ideal world you think about security without realising it – you use a password to access a system because it contains private information, and the IT Department won’t simply email you a file of the last 2,000 customers’ email addresses without authorisation from someone entitled to approve such requests.
Some security issues aren’t that obvious though. For example, the eighth principle of the UK’s Data Protection Act says that “personal data should not be transferred to countries outside the European Economic Area without adequate protection”. A few other countries are deemed to provide adequate protection, e.g. Canada, but others are not, e.g. the USA.
(The Information Commissioner’s Office has published various easy-to-read guidance, including “International Transfers – legal guidance” (a PDF), and an overview of the Act itself. Remember that the Data Protection Act applies to the processing of “personal data”.)
Information Security isn’t all about computers and firewalls – it’s about processes too. For example, when sample files are passed to suppliers, are they encrypted or password protected? Or, how do new users get added to the distribution list for tracking reports, and who approves that?
Don’t go overboard, but don’t take the security for granted either.
Dan Wardle