Perhaps you serve on the board of an organisation. Maybe you are a CFO who has inherited an IT oversight role, or a Chief Executive trying to meet customer and government expectations around privacy and security. Below are five basic questions you should ask your technical staff. If they struggle to answer, your organisation may be taking on more risk than it should be. And you are not alone: many New Zealand businesses, large and small, public sector and private, are wrestling with these questions; some as a result of major privacy or security breaches, and some due to the maturing of their approach to information management.
Fortunately, there are “quick wins” to improve information security without a great deal of effort or expense. Other fixes may require a more in-depth and sustainable approach.
Question #1: What information do we have?
It’s a very basic question, but one some organisations have not taken the time to answer. As an organisation grows, it accumulates vast quantities of information: on paper, on share drives, in databases, in applications.
Most information is meant to be destroyed after a certain period of usefulness. New Zealand organisations are reasonably good at arranging for the destruction of their paper records, but many are tempted by the prospect of letting the electronic information live on forever. After all, electronic storage capacity is getting less expensive all the time.
Somewhere in this massive sea of information is your sensitive information, which the next question addresses. However, it can be a challenge to locate your sensitive information without a comprehensive understanding of what you have.
Recommendation: Invest in conducting an information inventory to get a high-level understanding of what paper and electronic information you have. Use the results of this activity to inform your information security strategy. Are you collecting or retaining any information you don’t need?
Question #2: What sensitive information do we have?
There are two types of sensitive information you hold: information your organisation generates, and information entrusted to you by others. When asked what sensitive information they have, New Zealand organisations quickly finger the usual suspects: HR records, financial data and executive information. However, sensitive information can hide out in many other corners of the business. Some information is commercially sensitive. It is information your organisation should hold close to the vest to maintain its competitive advantage and achieve its objectives in the marketplace.
Some information is private. Any information that personally identifies an individual should be treated like gold, and this is where many New Zealand organisations struggle to make the grade. Why would an organisation keep personal details of its own staff under heavy guard in the HR department, while allowing employees to carry around the personal details of customers on an unencrypted USB stick? Or send them over personal email? Or store them using personal cloud based services?
New Zealand’s Privacy Act applies to both public and private sector organisations, as well as individuals. It’s everyone’s responsibility to ensure that the private information they have been entrusted with is safeguarded.
Recommendation: Know what sensitive information you have. Make sure it is classified to the proper level. If you are a custodian for information that is not yours (e.g. customer details, or the commercial information of partner organisations), treat it like gold. Understand your requirements under the Privacy Act and, if applicable, the Public Records Act. Government organisations also have to consider their obligations under the New Zealand Information Security Manual (NZISM) and the Security in the Government Sector (SIGS) guidance.
Question #3: Who has access to our information?
Even for small organisations, this is not an easy question to answer. IT and recordkeeping teams can usually tell you who currently has access to a system and can run periodic reviews, but deciding who should have access, authorising it, and periodically confirming that it is still correct is a business responsibility, not an IT one.
Your information can be accessed inappropriately from inside or outside your organisation, whether by an external attacker or by a former staff member whose access was never removed. At a minimum, require periodic testing of all systems holding sensitive information to confirm they are secured: vulnerability assessment (automated scanning for known weaknesses) and penetration testing (a skilled tester attempting to exploit them). Such testing checks the technical defences; it does not tell you whether the people who legitimately hold access should still have it. That is what the access review is for.
When you entrust your information to third-parties, the risks of inappropriate access are increased, which is addressed with the next question.
Recommendation: Make sure your organisation is using information technology and good recordkeeping practices to restrict access to the information to those with a need to know. See that it’s the business owners who are responsible for authorising access and periodically checking that access is correct.
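To make the recommendation concrete, here is an added example (not code from the original article) of the kind of reconciliation an IT team could run to support the business owner's periodic access review. It compares what a system actually grants against what the owner authorised and lists the discrepancies the review must resolve: access nobody authorised, access held at a higher level than authorised, access still held by people who have left, and authorised access that was never provisioned. All users, resources and dates in it are constructed for illustration.

```python
"""Access review reconciliation: added illustration, not code from the article.

Compares what a system actually grants (an export of ACLs or group memberships)
with what the business owner has authorised, and lists what a periodic access
review should resolve. Every user, resource and date below is constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True, order=True)
class Grant:
    user: str
    resource: str
    level: str  # "read", "write" or "admin"


# Higher number = more privilege. Unknown levels rank lowest.
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}

# What the business owner signed off (constructed sample register).
AUTHORISED = {
    Grant("alice", "hr-records", "read"),
    Grant("bob", "hr-records", "write"),
    Grant("carol", "customer-db", "read"),
    Grant("dave", "customer-db", "read"),
}

# What the system actually grants today (constructed sample export).
ACTUAL = {
    Grant("alice", "hr-records", "read"),
    Grant("bob", "hr-records", "write"),
    Grant("carol", "customer-db", "read"),   # carol has left; access never removed
    Grant("dave", "customer-db", "write"),   # authorised for read, holds write
    Grant("eve", "customer-db", "read"),     # never authorised at all
}

# Leavers as reported by HR: user -> last working day (constructed sample).
LEAVERS = {"carol": date(2014, 3, 31)}
AS_OF = date(2014, 6, 30)  # the date the review is performed


def review_access(authorised, actual, leavers, as_of):
    """Return the four kinds of discrepancy an access review must resolve."""
    # Highest authorised level per (user, resource), used to spot escalation.
    max_authorised = {}
    for g in authorised:
        key = (g.user, g.resource)
        max_authorised[key] = max(max_authorised.get(key, 0), LEVEL_RANK.get(g.level, 0))

    findings = {"unauthorised": [], "over_privileged": [], "stale": [], "missing": []}
    for g in sorted(actual):
        # Leavers keep appearing in exports when deprovisioning is missed.
        if g.user in leavers and leavers[g.user] < as_of:
            findings["stale"].append(g)
        if g in authorised:
            continue
        key = (g.user, g.resource)
        # Same user and resource was authorised, but at a lower level.
        if key in max_authorised and LEVEL_RANK.get(g.level, 0) > max_authorised[key]:
            findings["over_privileged"].append(g)
        else:
            findings["unauthorised"].append(g)
    # Authorised but not provisioned: harmless in itself, but it shows the
    # register and the system have drifted, so the register cannot be trusted.
    findings["missing"] = sorted(authorised - actual)
    return findings


def run_review():
    """Run the reconciliation over the constructed samples."""
    return review_access(AUTHORISED, ACTUAL, LEAVERS, AS_OF)


def report(findings):
    """Format findings as plain lines for the business owner to sign off."""
    lines = []
    for category, grants in findings.items():
        for g in grants:
            lines.append(f"{category:15} {g.user:8} {g.resource:12} {g.level}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(run_review())))
```

The output is deliberately a list for the business owner to act on, not something IT resolves on its own: the owner decides whether eve should have access and whether dave needs write, while the stale grant is simply removed. Running this against a real export shows how far the authorised register has drifted from reality, which is usually the first thing a review discovers.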
Question #4: A third party has access to our information: is it safe?
You will need to ask this question of the third party, and make sure the answer you get is satisfactory. If you don’t understand the answer, get a technical, independent opinion on it.
Whether you store your information in the cloud halfway across the world, or at a third party data centre down the street, you have the same responsibility for it as if it were within the walls of your own building. No matter what the contracts say, or what third parties promise you, you cannot outsource your responsibility for information security.
Third parties have a commercial interest in getting you to trust them. Beware of third parties who try to convince you your information is secure, without being able to answer basic questions such as Question #3. You can have confidentiality clauses in the contract, but that’s not enough. The best validation is independent validation. Has the third party gone through any independent testing for security? Can they show you the results? Can they provide you with a certification or assurance opinion, such as the type issued under a standard like ISAE NZ 3402, to demonstrate that they are managing controls effectively? When they do, read the scope: such a report covers only the controls, systems and period the assurance provider examined, so check that the service holding your information is actually within it.
If the third party is a cloud provider, there are additional risks. Do you know what country your information is being sent to? Who can access it there? What laws apply to it? Is it going to be available when you need it? Can you get it back, in a usable form, if you decide to leave the provider?
If you hire contractors who have access to your information, make sure they follow the same security procedures as your own staff.
Recommendation: If you are entrusting your information to a third party, make sure they prove to you they meet your standards for security. Ask third parties to provide you with assurance from an independent, credible source that your information is secure.
Question #5: What’s our culture of information security?
Ask whether information security is part of your organisation’s culture. Are there policies and procedures covering the security of both paper and electronic records? Does management have a strategy for how it uses and protects information? Are information risks managed properly?
You can simply walk through your workplace and look around to get a feel for the security culture. Are staff walking away from their computers without locking the screen? Are they sending information over personal email? Are they walking out the door with files or USB sticks containing sensitive information? Are they using unapproved smart phones or cloud services to store or transfer information?
Examine how your employees handle passwords. Do you see any passwords on sticky notes attached to monitors or desks? Is the wireless password posted where customers can see it?
Expect that staff and contractors will treat information casually unless they are told how they are expected to secure it.
Recommendation: Make sure management sets expectations for security through policy and procedures and recurring security training. Don’t be hesitant to enforce these expectations. See that IT is working with the business to provide solutions that work for their business needs, but that still provide for security.
While there are many technical guides on how to best implement information security, the fundamental principles of effective information security management are based on common sense. If you can ask, and get reasonable answers to the five basic questions above, you will have gone far in ensuring that your organisation does not make the headlines for the wrong reasons.
Robert Zaher (CISA, CFE, CIA) is a Manager in KPMG’s Advisory division, based in Wellington. He has 19 years combined experience in regulation, investigations and internal audit. He specialises in helping private and public sector clients secure their information assets.