Information Security - Tailor-made approach

When it comes to information security there is no single recipe for keeping your data secure. However, a few things can be said about information security that have remained constant and universal for years:

  • Everyone can be attacked
  • Attack methods constantly evolve
  • More than one vulnerability needs to be present in the system for the attacker to succeed
  • We can reduce the risk of being attacked and minimize consequences of the attack
  • Widespread vulnerabilities are the ones most commonly exploited

At DMZ IT we believe that efficiency is the value which guides our approach to everything we do. Therefore, we prefer to take a custom-made and individually designed approach for each customer. There is no such thing as "one size fits all". Everything we do is in the context of the business activities and the risks it faces. As a base for our approach we have adapted the ISO27000 series of standards.

The ISO27000 series provides a framework for an Information Security Management System (ISMS) which we tailor to the needs of our customer.

We have created Six Steps approach to Information Security:

  • Step 1 – Assessment of the environment
  • Step 2 – Information Assets Management
  • Step 3 – Risk Assessment
  • Step 4 – Risk Mitigation
  • Step 5 – On-going System Improvement Process

In the first step we establish exactly what the customer's priorities for information security are:

  • What are the most important business objectives
  • Which processes are critical to meet business objectives
  • In what legal environment the business operates – what contractual, legal or regulatory requirements related to information security apply

The second step is to identify which information assets are critical to supporting the business objectives. This defines the scope for the Information Security Management System implementation.

Once we know the customer's exact requirements and what we need to protect, we can move to step three – Risk Assessment. We use different methodologies depending on the customer's specifics, e.g. ISO27005, RiskIT, M_o_R or COSO. Very often we customise them so they become a "tailor-made suit".

Step four in our process is to prepare a Risk Treatment Plan. In this phase we decide what to do with each existing risk to reduce it to a level within the customer's tolerance. We can adopt a number of strategies:

  • Application of relevant controls like procedures and policies, putting in place suitable technical solutions, training, etc.
  • Risk transfer – shifting risk to a third party using a form of support, guarantee or insurance contract
  • Risk avoidance – taking steps to remove the hazard and exposure, engaging in an alternative activity or otherwise
  • Combination of the above

The entire effort would quickly become outdated without the fifth step - On-going System Improvement Process.

The On-going System Improvement Process ensures that the newly implemented system will remain valid and will continue to provide benefits to the organization. We adopt the Plan-Do-Check-Act approach as recommended in ISO27001:

  • PLAN - Establish the policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the overall policies and objectives of the organization.
  • DO - Implement and operate the policy, controls, processes and procedures.
  • CHECK - Assess and, where applicable, measure process performance against policy, objectives and practical experience and report the results to management for a review.
  • ACT - Maintain and improve the ISMS. Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.