BYOD stands for Bring Your Own Device, a model in which employees use their own laptops or smartphones for work. In information security, you must implement measures to manage organizational data on that personal device in a strictly separated and properly secured manner.

Information Security

Q: What is information security?

Information security is a cohesive set of security measures that organize the storage, processing, and sharing of data within your IT systems and networks to ensure the integrity, confidentiality, and availability of your information.

What is Information Security?

Information Security (IS) encompasses all measures and processes to protect data within your organization. This is necessary to prevent unauthorized individuals from stealing, altering, or destroying your organizational data. In this article, we take a deeper look and provide examples of how to get and keep your information security under control.

Role and Importance of Information Security

In today’s society, everything revolves around information. Even in industrial companies, production now depends on the right information. Data breaches and data theft can cause severe damage, and the same applies to information that is modified without being noticed.

Protecting your data is therefore crucial, and it extends beyond sensitive organizational data such as financial information and intellectual property. Equally critical is protecting the personal data of customers, students, and employees. All data that can be traced to individual persons must always be stored and processed securely. Even public information that you publish on your website must be protected. Marketing materials, news items, and annual reports may be accessible to anyone, but you still do not want this information to be manipulated without being detected.

Information security is not limited to digital data. Physical records must also be secured and are part of your information security. Today, a large share of reported data breaches still involves physical data such as letters or paper files.

This also highlights the difference between information security and cybersecurity. Because digital systems, by definition, process data, there is significant overlap, but information security covers all information, including records stored as thick binders in a filing cabinet. That also means physical access security to areas such as archives is part of your information security.

Examples of Information Security Measures

In information security, you identify your risks and implement security measures to manage them as effectively as possible. A few examples of such measures:

Access management is an important, if not the most important, information security measure. You want control over who gains access to applications and data within your IT environment and which actions users are allowed to perform. As noted earlier, physical access also matters.
Data encryption. Encrypting data is an important measure to prevent unauthorized users from immediately viewing and modifying it.
Not all data is equally critical from a security perspective. A memo about cafeteria costs is less sensitive than a document containing the draft corporate budget. With data classifications such as public, confidential, and secret, you can easily distinguish different types of data, each with its own set of appropriate security controls.
Device management is important because data is now stored not only on systems but also on employees’ devices. This ranges from laptops to smartphones and tablets. You want the data on those devices to be managed, secured, and even remotely wiped if a device is stolen. This applies to organization-owned devices as well as so-called BYOD (Bring Your Own Device).
Strong data security starts with well-organized data management. It is important not only to know where your data is stored, but also how long you must retain it. Laws often dictate retention periods, but retaining data for too long is also undesirable. The risk of data breaches only increases when you keep information unnecessarily. Your backup management must also be properly organized in case something does happen to your data.
Employee awareness. Despite the importance of technical and organizational measures, it is just as important that employees are aware of all security risks and know what to look out for. Many data breaches are still not the result of a technical hack but of inadvertent mistakes.

These are only a few examples. There are, of course, many other relevant security measures that are directly or indirectly required to prevent data breaches. Consider incident response, notification procedures, network security, patch management, and anti-malware systems.

Information Security Management

Which security measures are useful and necessary in your organization? What is the relationship between the different measures, and how should you implement them in your organization? You must plan and manage your information security with a cohesive Information Security Management System (ISMS). Such a system allows you to approach information security in a structured way.

You work in a risk-based manner. This means you do not implement measures at random. You work top-down and, based on your business objectives and operations, analyze all potential security risks, their likelihood of occurrence, and their impact. This is how you set priorities and, based on those, you develop and implement security measures.

Moreover, you do not do this once. You repeat it regularly. Based on existing controls, security incident reports, and changes in your organization and environment, you adjust your information security as needed. You modify measures and implement new ones to keep security up to date.

Information Security Guidelines

As a tool for setting up your information security strategy and plans, there are many information security standards. Examples include ISO 27001, Baseline Information Security for Government (BIO), and NEN 7510, a standard on information security in healthcare. There are also sector-specific information security standards for industries such as financial services and education. Depending on the sector, these standards may be advisory, mandatory, or require certification.

Fortunately, these modern guidelines are not dogmatic checklists to be marked off as proof of security. On the contrary, they usually provide an excellent tool for establishing an Information Security Management System (ISMS) within your organization. They support your risk analysis and the setup of a Plan-Do-Check-Act cycle to structure and maintain your information security. They also include practical guidelines for implementing required measures. For example, what requirements should you set for your password policy, and what must your backup management comply with?

Information Security and Privacy

We already mentioned the importance of protecting personal data. As part of privacy legislation, it receives extra attention. In the Netherlands, you must comply with the Algemene verordening gegevensbescherming (AVG). This is the Dutch implementation of the EU’s General Data Protection Regulation (GDPR). Under the AVG, your organization has various obligations when collecting, storing, processing, and sharing personal data.

Some of these obligations are directly related to your information security, because personal data must be properly secured. This is not only against malicious hackers from outside; you also do not want to grant your own employees unlimited access. A concrete example of information security in healthcare: in a hospital, a physician may be granted access to medical records, but a front desk employee may not. This is known as the Principle of Least Privilege and must be built into your information security.

Keep in mind that the AVG itself goes far beyond information security. It also provides a legal framework that specifies which personal data an organization may use, for what purposes, and under what conditions. It also specifies when you must request consent, how to inform individuals, and how to handle data breaches. There is overlap between information security and privacy, but both have distinct roles within the organization.

The Role of IAM in Your Information Security

One of the most popular methods to get your information security under control is modern Identity and Access Management (IAM). Your digital access security begins with strong solutions for user authentication, for determining who is requesting access, and for the associated authorizations and the rights the user receives. Common security measures include usernames and passwords. There are now many additional verification measures, such as Multifactor Authentication (MFA), and biometric methods, such as fingerprint recognition, that are increasingly used.

It is important to realize that, beyond these access technologies, IAM is primarily a complex management challenge today. How do you organize, in large organizations with numerous systems, so that someone only receives access to the strictly necessary applications and data? In a hospital, for example, you want a nurse to have access to medical systems, but only to the records of patients for whom this employee is actually responsible. You want this set correctly not only during onboarding but also when the person later changes roles or departments. It becomes even more complex when contractors work ad hoc shifts across different departments.

You therefore want to automate the issuance and management of access rights fully. As a manager, you also want to verify and demonstrate at any time who has which rights and why, for compliance. This automated identity and access management is therefore an increasingly important component of your information security, and modern IAM solutions such as HelloID are placing greater emphasis on it.