There are well-known cases in the health, education and financial sectors where electronically stored private information has come under attack. The same threat should concern the electronics design industry.
If you hold sensitive information on servers or online, such as concepts, designs for manufacture, financial records and customer details, it is wise to protect your business. Andy Mills, Lead Auditor at IMS International, discusses the benefits of gaining ISO/IEC 27001 certification.
In an environment where trusting technology to store, manage and share data is the norm, and where cloud-based storage and collaboration services develop year on year, a robust information security management system (ISMS) is an increasing business requirement for electronics designers.
Many tenders now specify ISO/IEC 27001:2013 as a prerequisite, effectively treating certification as a business asset. This edition of the global standard for information security was published in 2013 by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC), and was the current edition when this article was written; it has since been superseded by ISO/IEC 27001:2022, which keeps the same management-system structure but reorganises the Annex A reference controls. The standard specifies the requirements for a risk-based management system for protecting information and information processing facilities. Although the title says ‘information security management system’, its reference controls also cover physical and environmental security.
Identify risks, take control
It is essential for any business, whatever its size, to address information security proactively, and the standard provides a structured first line of defence against hackers, malware and the theft of intellectual property. It gives assurance that information security is under control through a specified and independently audited management system, and it raises awareness across the company of the threats to information and of the procedures needed to protect it.
However, it is not unusual for smaller businesses to fear an overly bureaucratic management system that generates lots of paperwork or undue procedure, slowing them down and becoming a ‘straitjacket’ for the company. The current generation of ISO management-system standards does mandate some documented information, but far less than earlier editions did; a process can now be documented as a single-page flowchart, provided it is kept accurate and under control.
From a customer’s viewpoint, accredited certification to the standard demonstrates that your business follows internationally recognised information security practice, that it has been audited by an accredited certification body, and ultimately gives them reassurance that their information is protected.
Multi-layered information security strategies are key
To implement an effective information security management system, the starting point is understanding the company’s context in its market. It helps to do some groundwork to identify the internal and external issues that can affect the organisation and the confidentiality, integrity and availability (CIA) of its information. It is also important to identify interested parties and assets (tangible and intangible, including data, particularly sensitive and personally identifiable data). Once identified, you can risk assess the assets (the things needing protection), decide how each risk will be treated, and select the security controls needed, recording the selection and its justification in the Statement of Applicability that the standard requires. The author recommends a ‘rule of three’: ensure three layers of protection between the asset that needs protecting and the threat. Any single layer only delays a determined attacker and is never totally secure, so the capability to detect and respond is all important and must be tested and rehearsed to be effective.
A multi-layered information security strategy applies equally to electronic products and systems, particularly to complex systems such as the Internet of Things (IoT). IoT comprises devices and the communications infrastructure between them; both hold and transfer information that can be sensitive or important and therefore needs protection, so the information within the system itself needs to be managed.
Information security in electronic products
A crucial element of ISO/IEC 27001 for the electronics industry is the set of controls covering information security in systems design and development; an important one is the application of secure system engineering principles to every layer of the product.
These cover the ‘functional’ activities of a business such as the product development lifecycle, taking a product from concept, design, development, test and production through to support, maintenance and end of life, as well as the ‘non-functional’ activities such as business administration that enable an organisation to develop and deliver electronic products to market.
Beyond helping you adopt and maintain an effective secure development policy, the standard also provides controls for outsourced development, supplier relationships and the protection of test data. It matters too for any electronic product that may store potentially sensitive data, since ISO/IEC 27001 includes controls for media handling and secure disposal.
Working together with GRC
Compliance with contractual requirements, obligations and applicable legislation and regulation, including intellectual property rights, is important for all organisations. ISO/IEC 27001 embraces governance, risk and compliance (GRC) in its requirements for an information security management system and in the 114 reference controls listed in Annex A of the 2013 edition (reorganised into 93 controls in the 2022 edition). Controls are selected from this set according to the risk assessment rather than applied wholesale, and exclusions must be justified.
Many cases of data theft are, at root, a human resources issue. The security controls therefore cover HR functions such as the roles and responsibilities of employees, contractors and third-party users. They give you processes for security screening and background verification of all candidates for employment, contractors and third parties, for robust terms and conditions of employment, and for termination or change of employment, ensuring that assets are returned and access rights are removed promptly.
It is also important to raise awareness of information security risks within the business and to educate personnel throughout the organisation. Once the controls are in place, information can be shared among staff in a controlled way, which can improve production processes rather than hinder them, so the benefits are practical as well as contractual.
Why risk it?
ISO/IEC 27001 specifies the requirements for an information security management system that can be applied to organisations and to the electronic products they make, and equally to the management of electronic systems and infrastructure such as IoT. A management system is about in-life, business-as-usual activity: keeping the necessary security controls appropriate and effective as risks change. To ensure the right controls are selected and implemented, the standard requires a risk-based approach to identifying the assets, such as data and devices, that need protection, and a systematic approach grounded in GRC to help you implement and operate an effective and secure system.