
Relationships: The information security team and other business teams

Security integration

A collaborative approach is key to providing effective co-ordination of business planning, risk management and auditing.

It's fundamental that an organisation aligns its security implementation with its strategic business objectives. This maximises assurance while supporting, rather than obstructing, growth. Regular audits identify where changes to processes or technology will deliver the greatest 'best value' return, so that adjustments can be made sooner and progress is faster.

The business planning group will help align the security implementation programme with the strategic business objectives. For example, a potential acquisition of overseas offices can introduce many problems: new security threats, new user integration issues, and additional load on existing infrastructure. These risks and impacts will need to be scheduled into the security implementation programme before, not after, the acquisition completes.

The audit teams can highlight where they’re finding significant non-compliances or failures in the current systems to illustrate where ‘best value’ can be gained from changes in processes or technology. 

Each of these interactions with the business functions will ensure the best value service is being provided to the organisation and it will help gain the right level of support and funding for the information security implementation programme. 

Employee rights 

The rights of an individual staff member working for an organisation are dictated by the laws of the country. 

In the UK and the EU, an employee has the right to have their privacy protected. This means that covert monitoring of emails, communications and personal conversations is not permitted as a matter of routine. It can, however, be undertaken on a case-by-case basis where there's a compelling reason, for example where fraud is suspected and overt monitoring would defeat the investigation.

If covert monitoring is deemed necessary, the advice of the Legal and HR departments should be sought and a data protection impact assessment covering the individual being monitored should be carried out and recorded before the monitoring begins.

An organisation should publish its privacy and monitoring policy to staff, specifying what's expected of employees, what monitoring the employer carries out and why, and what the employer will do to protect the individual's right to privacy.

The Investigatory Powers (Interception by Businesses etc., for Monitoring and Record-keeping Purposes) Regulations 2018 (SI 2018/356) provide that organisations and public bodies may lawfully intercept communications being sent via their telecommunications systems for certain legitimate business activities. These activities include establishing whether or not staff using the organisation's telecommunications system are achieving the standards required by the company in the course of their duties. The Regulations are designed to replace (and largely mirror) the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699). 

Intellectual Property Rights 

Whereas the UK GDPR relates to personal data, Intellectual Property Rights (IPR) offer protection to individuals and companies for creative works they've produced. IPR can be used to protect many kinds of work, including literary works (like novels and plays) as well as brands, product names, trademarks, and logos.

Patents grant exclusive rights to exploit an ‘invention’ for a limited period, typically 20 years depending on the jurisdiction and type of patent. However, they’re costly and difficult to obtain and might not provide protection in certain jurisdictions. 

An alternative, which is not always feasible, is to keep an invention confidential as a trade secret. However, this offers no protection once the secret becomes public, for example through independent discovery or reverse engineering.

A Non-Disclosure Agreement (NDA) provides a contractual remedy against a party to it who reveals a trade secret, but it binds only those who have signed it.

Registered trademarks provide protection against someone else using an organisation's logos and identification marks. They help to maintain the distinctive identity of the organisation as well as protecting its brand. 

Copyright law was initially designed to protect original artistic works, such as pieces of music. Nowadays it also applies to software programs, computer games, documents, books, photographs, video files and other types of work made using a computer or generated by a computer.

The duration of copyright protection differs depending on which country the work was created in. In the UK, the default period for literary, dramatic, musical and artistic works is the lifetime of the author plus an additional 70 years; other categories of work (for example computer-generated works, sound recordings and broadcasts) have different, fixed terms.

In many jurisdictions, including the UK, copyright arises automatically when an original work is created; it does not need to be published or registered. A copyright notice should still be placed on the work by the publisher, since it reduces the scope for dispute over ownership. In jurisdictions that offer copyright registration (such as the US), registering provides formal evidence of ownership.

Copyright legislation exists in most developed countries, but enforcement varies widely and some jurisdictions take copyright less seriously than others. There have been several initiatives to harmonise copyright protection internationally, such as the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), negotiated under the General Agreement on Tariffs and Trade (GATT) in the early 1990s and now administered by the World Trade Organization. Within the EU, Directive 2001/29/EC harmonises certain aspects of copyright and related rights in the information society.


Computer Misuse Act (CMA) offences

The Computer Misuse Act 1990 addresses four main offences. (A further offence, section 3ZA, covering unauthorised acts causing or creating a risk of serious damage, was added by the Serious Crime Act 2015.)

Section 1 Unauthorised access to computer material 

This is the lowest level of offence and is one that many of us might be guilty of at some stage in our lives. If you found or guessed a password belonging to someone else and used it to look at their files, you would be guilty of accessing material without authorisation. Note that it is the access itself that is the offence; no damage or theft is required. This offence carries a maximum of two years' imprisonment on conviction on indictment and/or a fine.

Section 2 Unauthorised Access with Intent to Commit a Crime 

The difference here is that the unauthorised access is sought with the intent to commit or facilitate a further crime. Using bank credentials harvested by a phishing email to log in to the victim's account in order to steal money would be covered by this part of the Act.

Section 3 Unauthorised Modification of Computer Material 

This offence relates to the deletion or modification of files with the intent to cause damage to an individual or company. Since the 2006 amendments it is framed more broadly as any unauthorised act done with intent to impair, or recklessness as to impairing, the operation of a computer, which also brings denial-of-service attacks within its scope. It also covers purposely introducing viruses to other people's systems: if you knowingly transmit a virus to others, you are guilty under this section of the Computer Misuse Act.

Section 3A Making, Supplying or Obtaining Material 

  • Making – This includes the writing or creation of computer viruses, worms, Trojans, other malware, etc. 
  • Supplying – It is an offence to supply or distribute these files to others, believing that they are likely to be used to commit an offence 
  • Obtaining – If you purposely obtain malicious files intending to use them, or to supply them for use, in an offence then you have committed an offence under the Computer Misuse Act 

The offence turns on intent, or belief that the article is likely to be used to commit an offence. Writing or obtaining dual-use tools for legitimate security testing is not in itself an offence, but the intended use and the context in which the tool is held matter, so security teams should keep their authorisation for such work documented.

The misuse of computers can include: 

  • Illegal access (hacking) to computer systems
  • Illegal interception of information
  • Interference with information and systems
  • Computer-related fraud and forgery
  • Commercial infringement of copyrights
  • Uploading or downloading material without the owner's permission, for example filming someone without their knowledge and sharing the footage online
  • Trafficking in passwords, digital signatures, and encryption keys

Diagram: CMA offences. Section 1: Unauthorised access to computer material. Section 2: Unauthorised access with intent to commit or facilitate a crime. Section 3: Unauthorised modification of computer material. Section 3A: Making, supplying or obtaining anything that can be used in computer misuse offences.

Sector specific legislation

Some sectors are subject to additional regulation of their own. For example, the UK Medicines and Healthcare products Regulatory Agency (MHRA) specifies provisions for the pharmaceutical sector; in the US it's the Food and Drug Administration (FDA). 

The Payment Card Industry Data Security Standard (PCI DSS) is an industry standard rather than legislation; it is enforced contractually through the card brands and acquiring banks, and sets requirements for the storage, transmission and processing of cardholder data. 

The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data. 

The 12 requirements of PCI DSS are: 

  1. Install and maintain a firewall configuration to protect cardholder data. 
  2. Do not use vendor-supplied defaults for system passwords and other security parameters. 
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks. 
  5. Use and regularly update anti-virus software or programs. 
  6. Develop and maintain secure systems and applications. 
  7. Restrict access to cardholder data by business need to know. 
  8. Assign a unique ID to each person with computer access. 
  9. Restrict physical access to cardholder data. 
  10. Track and monitor all access to network resources and cardholder data. 
  11. Regularly test security systems and processes. 
  12. Maintain a policy that addresses information security for all personnel. 

This is the wording used up to PCI DSS v3.2.1. Version 4.0, which replaced it in 2024, keeps the same twelve requirement areas but rewords several of them (for example, requirement 1 now refers to 'network security controls' rather than a firewall configuration).

Some regulators have guidelines dictating that they should be informed of an incident or breach. In some cases, regulators may have the authority to suspend licenses whilst an investigation is underway. 

As you can appreciate, there is a lot to be aware of and to co-ordinate across the various different aspects of the company. This is why integration and collaboration between the different facets of the company is so vital, especially in the planning, management and auditing phases.

What's next?

This is the end of this course. Next you'll be learning about Information Assurance and the importance of standards.

Description

This module focuses on the stakeholders, personnel and documentation that go into implementing the organisation's information assurance programme.
