Mar 2009
Information Security used to be easy to understand. A professional adviser would hold extensive confidential information about its clients but would restrict access to the files by keeping them in a locked cabinet or a safe.
Procedures would seek to ensure that the wrong people did not gain access to the files and that information from them was not left lying around anywhere (such as in the photocopier).
Nowadays, of course, most information is kept in electronic form, and its intangible nature makes it harder for the ordinary person to understand what is and isn’t a risk. But risks there are, and two examples will be familiar to most people:
How should one organisation send detailed and confidential personal information to another organisation? The first step would be to extract the information from the computer system it’s on, and one way of doing that might be to write the data onto disks. The disks could then be sent to the other organisation and the data loaded onto its IT systems. So why not just pop the disks in the post? That’s the easiest way, surely.
Some poor, probably non-malicious, individual is being threatened with extradition, having sat at home in his bedroom and having hacked into the computer systems of another country’s military. Shouldn’t that be impossible?
At Dominion we are committed to protecting the integrity of our clients’ confidential information (and that of our employees and business partners too). That means we not only have to understand how to keep it safe today but we will have to keep up with developments in data security as IT systems evolve.
That is why we have committed to achieving ISO 27001 compliance: doing so will verify our data security capabilities not only today but also going forward.
ISO 27001 compliance ensures effective, secure information-management practices that protect our business and our compliance with data protection, privacy and computer misuse regulations.
The ISO 27002 standard is endorsed by the OECD and Basel Committee and in the US by the Sarbanes-Oxley Act (SOX) and the Federal Information Security Management Act.
Information security may once have meant keeping the safe keys out of harm’s way but now it means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.
ISO 27002 covers known security issues (11 guiding principles), contains many well-considered control requirements and steers companies along a quantifiable path of assessment and improvement.
When we achieve accreditation (we are currently about three quarters of the way there) it will formally demonstrate to clients, employees and business partners that Dominion takes information security seriously.
Many clients enquire about the level of information security management deployed throughout the organisation and Dominion is often required to produce evidence regarding the security and confidentiality of the data we hold on behalf of others. Because our systems will be regularly audited, ISO 27001 gives everyone confidence that we can provide independent proof that we keep our information secure.
Quality is an ongoing process, and certification shows that we’re continually aiming to improve.
In summary, the current and increasing degree of dependence on information systems and services means that organisations are potentially ever more vulnerable to security threats and failures. Particularly when it comes to client data and confidentiality, there is no room for error. That is why we are pursuing ISO 27001 certification.
© Dominion Fiduciary Services Limited 2010
Dominion Fiduciary Services Limited and its affiliates are regulated by the Jersey Financial Services Commission.