Businesses must take active steps to ensure information security, including:
Identifying, assessing and managing risks
To determine the relevant level of security needed for a business, you need to review the information being held and assess the risks to that information. Particular care must be given to any personal data. To do this, you should consider:
- all processes involved in the collection, storage, use, sharing and disposal of the information
- how sensitive or confidential the information is
- the damage or distress that would be caused by a security breach (this is especially important with regards to personal and sensitive personal data)
- the reputational damage your business would suffer in the event of a data breach
Once you have identified and assessed your security risks, you can decide on what security measures to adopt. For more information, read Data protection principles.
To comply with data protection laws, you may also need to conduct a Data protection impact assessment (DPIA) if your personal data processing is likely to result in a high risk. For more information, read Data protection impact assessments.
Adopting relevant policies and documents
To address and consistently manage security risks, you should consider adopting an Information security policy. This policy sets out a business’ rules and procedures on information security, including how any security measures are implemented and how compliance is monitored.
Additional policies and documents you should consider adopting include:
Physical security
You need to ensure the physical security of the business and any information it holds. This includes:
- controlling and restricting access to your business premises and relevant equipment to prevent unauthorised access, damage and interference with information (eg by installing CCTV)
- securely storing records and equipment to prevent loss, damage, theft or compromise of information (eg locking computers when not using them)
- securely disposing of records and equipment when they are no longer needed (eg by shredding)
For more information, read Data protection principles.
Computer and network security
You need to ensure that your hardware and software assets are kept secure, by:
- managing hardware and software assets - identify and document any IT equipment (eg computers, servers, mobile phones) that is on your business premises or kept at home by staff, and the systems and applications used to process or store information. You should use an inventory or register for this. You also need to assign ownership of each asset, implement rules on how hardware or software may be used to process or store information, and regularly review your hardware/software inventories to ensure their accuracy
- adopting clear home or mobile working procedures - mobile devices (eg laptops, tablets and smartphones) are vulnerable to theft and loss. As a result, there is a confidentiality risk when they are being used in public places (eg in a cafe or on a train) or at home (eg when laptop screens are visible and accessible to a staff member’s family). Ensure that any information (especially personal data) processed outside of your business premises is kept secure by adopting a clear mobile working policy and/or Working from home policy setting out when and how staff may work away from the business premises
- configuring hardware to reduce vulnerabilities - remove any unnecessary accounts (eg guest or administrative accounts), change default passwords and uninstall any pre-installed software that is unnecessary for your business
- managing removable media - removable media (eg flash drives, CDs and smartphones) are very vulnerable to theft or loss. If you need to store information on removable media, consider implementing software solutions to set permissions/restrictions for individual devices and classes of devices. You should also minimise and encrypt the information stored on any removable media
- implementing user access controls - user accounts should only be given to authorised individuals and user permissions should be restricted to the minimum needed (ie ‘least privilege’). To ensure accountability, each user should have their own user access credentials (eg username and password), never shared ones
- implementing system password security - encourage staff to use strong passwords and not to write them down. Consider implementing a two-factor authentication system. You should also monitor user activity to detect any abnormal use and disable staff access credentials as soon as they leave the business
- establishing anti-malware defences - install (and regularly update) malware protection software to prevent computers from being infected by malware (eg viruses or spyware) and educate staff about common malware threats
- regularly backing up information - regular backups can help restore information in the event of a hardware failure or disaster. You should base the extent and frequency of your backups on the sensitivity and confidentiality of the information and how critical it is for your business operations
- monitoring user and system activity - this can help you identify and prevent any external threats, inappropriate use of information by staff or data breaches. Inbound and outbound network traffic should be continuously monitored to detect any unusual activity (eg large transfers of personal data) or potential indications of an attack. Any monitoring you undertake must comply with the relevant laws (eg you must make staff aware of any workplace monitoring)
- installing a firewall - a firewall acts as a protective boundary between your computer network and the internet. Install a firewall to monitor and restrict network traffic to prevent others from gaining unauthorised access to your information
Management of personal data breaches
Under the GDPR, you must report certain types of personal data breaches to the Information Commissioner’s Office (ICO) and, in some cases, to the affected individual(s). A data breach is a security breach that causes the accidental or unlawful destruction, alteration, loss, or unauthorised disclosure of, or access to, personal data.
You need to have clear breach reporting procedures in place to ensure staff understand:
- what a personal data breach is
- when, and about what, the ICO needs to be informed
- when, and about what, affected individuals need to be informed
- how to document a data breach
You should also:
- have a process in place to investigate and implement recovery plans after a breach
- monitor the type, volume and cost of any data breaches to identify trends and prevent them from happening again
For more information, read Data breach reporting.
Training
All staff members should be trained (eg online or through workshops) on information security, including:
- their security responsibilities and the appropriate use of the business’ systems and IT equipment
- how to recognise threats (eg malware or phishing)
- how to identify breaches of personal data
Special training should be provided to any staff members with specific security responsibilities or with access to privileged information.
Training should be provided to staff members when they first join the business and at regular intervals afterwards. You should also make all relevant policies easily available (eg in a policy handbook or on the business’ intranet).