Use of ICT Systems
A company’s technology assets comprise the systems and components used to provide services to the end users of that technology. Typically, this is a mixture of hardware and software components: for example, back-end servers, storage, cloud platforms, networking infrastructure, system software, applications and end-user devices. All of these components play a part in providing access to the technology solutions deployed by the company, and each of them can have its own set of vulnerabilities.
Many of the measures included in an Information Security Management System are concerned with building protection for the various technology components. Often this involves automated defences and security systems acting as a ‘barrier’ between the technology and potential attackers. These measures focus on protecting systems from external threats. There is also a very real need to protect systems from the people authorised to use them – employees, contractors and partners – that is, from an internal threat.
This is not to say that all threats result from deliberate attempts to breach security. Many breaches and incidents of data loss come from accidental misuse or careless use of technology. To combat this ‘internal threat’, a company must recognise the different ways in which systems can become vulnerable to exposure or breach if they are used without appropriate care.
So, an ISMS must include guidelines on the use of company ICT systems to reduce the risk of security breaches, whether the cause or source is external or internal.
When developing this section of the ISMS, it should include guidelines and policies on the use of:
- Email systems
- Internet browsing
- Social media
- ICT facilities
- Antivirus measures
- Information/data storage
- Connection of technology
- Wireless networking
- Remote access techniques and protocols
- Cyber security incidents
The intent behind these policies is to increase awareness of threats present when using company technology. Generally, this involves accessing company technology from end-user devices and associated systems. However, the policies should not simply be a list of “do’s and don’ts”. They must try to raise awareness of the correct ways to use those systems, with particular reference to security.
Guidelines can be supported by material to educate computer users on the correct usage of devices and systems. This cannot be a simple ‘how to’ manual. The material must highlight the appropriate methodologies for using systems in a safe and secure manner. When used in conjunction with access control measures this will help reduce the risk of unauthorised access.
Material shared with users must be updated with ongoing developments in security protocols. This is also the case when operating methodologies change. Evolving threats that may present risk to systems must also be considered. Therefore, the education process must be continual, with updates to policies, guidelines and education material as required.
An important consideration when implementing the measures developed within this topic is where those technology systems and devices are used: at company premises, while travelling away from company premises, and when working from home. This means that there will need to be a baseline set of guidelines for accessing company technology at the usual place of work, with additional guidelines for the same systems when the end user is operating away from the regular workplace. It would be dangerous to assume that laptops and other mobile devices are used in exactly the same way in every location. Guidelines must be mindful that there may be different techniques and procedures to establish a connection with company technology depending on location and situation, and the material must clearly explain what measures should be taken to ensure security in each case.
Guidelines on the use of systems may also include acceptable usage policies for internet-based systems and platforms. Users of this technology should be conscious that they are representing the company when using these platforms. So, when formulating this section of the ISMS, you may need to consider policies on appropriate behaviour. This may involve explaining what language is appropriate, or when it is appropriate to express personal opinions. There will also be a need for guidelines on what company information can be shared on online forums.
Included in the ISMS should be details of how to deal with cyber-security incidents. Many potential security incidents are detected by employees rather than automated security measures and tools. So, users of the company technology become the ‘first responders’ and should know how to report suspected security incidents. They also need to be aware of how they may be involved in the management of such incidents. Details provided here should complement the company’s security education programme and outline how to avoid falling victim to cyber-attack.
More To Come...
Look out for the next instalment in this topic.