InformatIon Security

Transcription

1 Information Security

2 Behind the obvious advantages to sharing knowledge, researching or developing lies the risk of theft, espionage or sabotage of information. Consequently, there is good reason to prepare against these threats by working actively with information security. Today, Denmark is an information society. We live to a greater extent by developing, circulating and distributing knowledge. The Danish authorities handle many types of sensitive information, and businesses as well as authorities conduct research and development. tion. These are threats that may have profound implications for any organisation in terms of lost knowledge and loss of customers or reputation. Protection of sensitive information In recent years, the Danish Security and Intelligence Service (PET) has seen examples of how foreign businesses or states unlawfully try to obtain access to information. Behind the obvious advantages to sharing knowledge, researching or developing lies the risk of theft, espionage and sabotage of informa- Increasingly their focus is directed towards strategic negotiation and business proposals, research and other sensitive information. Consequently, there is good reason to prepare against these threats by working actively with information security. This applies to businesses as well as public authorities.

3

4 Information must be protected whether in the form of data in IT systems, physical documents or oral information and it must be protected throughout its lifespan. Security policy and regulations Information security is about identifying the sensitive information of the organisation and subsequently protecting it. Key terms such as confidentiality, integrity and accessibility should be in focus. This means that the organisation controls who receives a piece of information, what this information contains and that information is accessible to those who need it when they need it. The risk of theft and espionage increases when information leaves the secure confines of the organisation. It is therefore essential to have security regulations which describe what kind of information the employees are allowed to store and handle outside the network of the organisation, and in which media they are allowed to do so, e.g. on a laptop computer or a USB memory stick. A security policy is an overall framework which describes the security organisation of the business or authority and how a breach of security can be handled etc. The security policy is prepared by the management in cooperation with the employees responsible for the security of the organisation and by involving the employees who work with sensitive information. The security regulations describe in specific terms how the employees are to handle sensitive information within and outside the organisation.

5 Creating a healthy security culture The organisation can: describe what information is sensitive ensure that the security organisation is visible in day-to-day activities ensure that the security regulations are understandable and can be complied with in practice use internal media to inform of, ask about or discuss security motivate employees to report any concerns or breaches of security in order to create learning and trust

6 Physical security, secure IT systems and security conscious employees are three fundamental aspects of a strong security culture. Information security in practice Any organisation that wishes to work actively with information security must begin by defining which information is sensitive and how to best protect and handle this information. Subsequently, the organisation must prepare a security policy and security regulations which address the three fundamental aspects of a strong security culture: physical security IT systems employees and behaviour Protection of sensitive information may be based on the existing Danish framework and code of practice for protection of information. Framework and code of practice for protecting information Security circular no. 204 of 7 December 2001 issued by the Danish Prime Minister s Office describes how to protect officially classified information and other information which is particularly important to protect. The security circular is available in Danish from In addition, the standards ISO and DS 484 can be used for defining the framework for protection of information. For further information visit

7 Classification of information Physical security A secure physical environment is imperative in order to protect documents and IT systems. A suitable physical protection will prevent any unauthorised persons from physically accessing sensitive information. It is also important for the business or authority to consider who should have physical access to its premises. Bear in mind that external personnel such as craftsmen, cleaning staff and security staff also have access. The organisation may also set up zones or limited areas where sensitive information is handled. Such a division of rooms and areas is particularly suited for, among other things, research and development purposes. Clear security requirements for storerooms and cabinets also help to reduce the risk of espionage, theft and unauthorised access. Based on NATO and EU regulations, the Danish security circular lays down a classification system with the levels: RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET. Only a few organisations will need a classification system this elaborate. PET recommends that authorities at least mark internal information which is particularly relevant to protect RESTRICTED. Businesses are recommended to use a marking which clearly indicates the difference between sensitive and nonsensitive information.

8

9 A security policy can only work if it is accepted and respected by the employees. The employees therefore play an important part in effective information security. Confidentiality with cooperative partners It is also essential to secure information which is shared by authorities or cooperating businesses. One way to do this is to make an agreement of confidentiality describing how each of the parties must handle sensitive information. For example, the parties may be mutually committed to a specific type of protection or to not sharing information with a third party. Security in IT systems Most organisations typically have firewalls, antivirus software etc. However, even the best security systems may be hacked. Consequently, it is a good idea to decide in which networks the organisation will handle its information. Sensitive information such as a political-strategic proposal or a research and development project in a business should not be handled in open, Internet-based systems as there is a risk that unauthorised persons may gain access to these. Many organisations have made it possible for the employees to work at home also on the employees own computers. The disadvantage to this flexibility is that information is exposed to an unnecessary risk when home computers are for instance resold or used by others. Take into consideration that the risk of an electronic attack or virus is greater with home offices.

10 In control of information security? Have you identified the sensitive information of the organisation so that you know what is worth protecting? Have you appointed a person to be responsible for the security of the organisation? Do you have a security policy which lays down the overall framework for protecting and handling sensitive information? If you share information with cooperative partners, do these know how to protect your sensitive information? Do you have the physical environment required to help protect sensitive information? Do you have the IT environment required to help protect sensitive information? Do you have security regulations explaining to the employees how to handle sensitive information in practice within as well as outside the organisation? Are you working actively to create and maintain a security culture in order to make security a natural part of everyday activities? Employees and behaviour A security policy is only effective if it is accepted and respected by the employees. Access control, secure IT systems and physically secured premises will only increase security if the organisation has not given access to the wrong people. In other words, the employees form an integral part of information security. Therefore, it is also important to take security into consideration when hiring new employees. PET recommends organisations to thoroughly check the background of a candidate before employing him or her. This is especially important if the new employee will have access to sensitive information or hold a key position in the organisation. This background check may be a standard procedure used in connection with hiring new employees and in case of changes in the fields of work and responsibility. PET provides a number of recommendations in the publication: Tænk sikkerhed, når du ansætter (consider security when hiring), which is available in Danish at Clear regulations Clearly phrased security regulations which can be followed in practice and which make sense to the employees will help ensure concordance between the information security policy of the organisation and the actual behaviour of the employees. In the end, the behaviour of the employees is decisive in ensuring a healthy security culture in the organisation.

11

12 Politiets Efterretningstjeneste Klausdalsbrovej Søborg Tlf pet@pet.dk