Use of ICT Systems
A company’s technology asset comprises systems and components that are used to provide services to the end users of that technology. Typically, this includes a mixture of hardware and software components: back-end servers, storage, cloud platforms, networking infrastructure, system software, applications and end-user devices. All of these components play a part in providing access to the technology solutions deployed by the company and can have their own set of vulnerabilities.
Many of the measures included in an Information Security Management System are concerned with building protection for the various technology components, with automated defences and security systems acting as a ‘barrier’ between the technology and potential attackers. However, in addition to protecting systems from external threats, there is a very real need to protect the systems used by authorised employees, contractors and partners – an internal threat.
This is not to say that all threats result from deliberate attempts to breach security; many breaches and incidents of data loss come from accidental misuse or careless use of technology. To combat this ‘internal threat’, a company must recognise the different ways systems can become vulnerable to exposure or breach if they are used without appropriate care.
So, an ISMS must include details on the use of company ICT Systems to reduce the risk of system security breaches, regardless of the cause or source.
This section of the ISMS should include guidelines and policies on the use of:
- Email systems
- Internet browsing
- Social media
- ICT facilities
- Antivirus measures
- Information/data storage
- Connection of technology
- Wireless networking
- Remote access techniques and protocols
- Cyber security incidents
The intent behind these policies is to increase awareness of the threats present when using company technology. Generally, this involves accessing company technology from end-user devices and associated systems. The policies should not simply be a list of “do’s and don’ts”, but should try to make users of information and information systems aware of the correct ways to use those systems, with particular reference to security.
In most cases, guidelines on system usage can be supported by creating material to educate computer users on the correct procedures for using their devices and systems. However, this cannot be a simple ‘how to’ manual – the material must highlight the appropriate methodologies for using systems in a safe and secure manner. When used in conjunction with the access control measures that are in place (see the earlier article on Access Control), this will help reduce the risk of a security breach resulting in unauthorised access to information and systems.
Material shared with users must be updated with ongoing developments in security protocols, changes in operating methodologies and details of evolving threats that may present risk to systems. Therefore, the education process must be continual, with updates to policies, guidelines and education material as required.
An important consideration when implementing the measures developed within this topic is where those technology systems and devices are being used: at company premises, when travelling away from company premises, and when working from home. This means that there will need to be a baseline set of guidelines for accessing company technology at the usual place of work, and additional or different guidelines for the same systems and devices when the end user is operating away from the regular workplace. It would be dangerous to assume that laptops and other mobile devices are used in exactly the same way in every location. Guidelines must be mindful that there may be different techniques and procedures for establishing a connection with company technology depending on location and situation, so there needs to be clarity on what measures should be taken to ensure security in each case.
Policies and guidelines on the use of ICT systems may also include acceptable usage policies for services such as social media and internet browsing. Users of this technology should be conscious that they are representing the company when using these platforms, so when formulating this section of the ISMS you may need to consider policies on appropriate behaviour, the use of appropriate language, the expression of personal opinions, and what company information can be shared on online forums.
There is also a need to include details of how to deal with cyber security incidents. Many potential cyber security incidents are detected by employees rather than by automated security measures and tools. So, users of the company technology become the ‘first responders’ and should know how to report suspected security incidents. They also need to be aware of how they may be involved in the management of such incidents. Details provided here should complement the company’s education programme on the topic of security and how to avoid falling victim to a cyber-attack.
More To Come...
Look out for the next instalment in this topic.