An infosec checklist is a must-have for anyboy working with systems, data or infrastructure. It’s not just about keeping stuff secure, it’s about having a framework in place that can analyse, recommend and implement best practice for any data and systems work. It’s about dealing with disaster as much as protecting yourself from it. These recommendations are taken from the ICO website’s infosec checklist and are a great starting point.

1. Risk management

  • Your business has established a process to identify, assess and manage information security risks
  • Your business ensures information security risks are assessed and appropriately managed

Before you can establish what level of security is right for your business you will need to review the personal data you hold and assess the risks to that information.
You should consider all processes involved as you collect, store, use, share and dispose of personal data. Also, consider how sensitive or confidential the data is and what damage or distress could be caused to individuals, as well as the reputational damage to your business, if there was a security breach.
With a clearer view of the risks you can begin to choose the security measures that are appropriate for your needs.

HMG 10 steps to cyber security – Information risk management regime

2. Information Security Policy

  1. Senior management has approved and published an appropriate information security policy
  2. Your business provides management direction and support for information security in accordance with business needs and relevant laws and regulations

A policy will enable you to address security risks in a consistent manner. This can be part of a general policy or a standalone policy statement that is supported by specific policies.
The policy should clearly set out your business’s approach to security together with responsibilities for implementing the policy and monitoring compliance.
There should be a process in place to ensure that information security related policies and procedures are reviewed and approved before implementation.
Policies and procedures should then be given set review dates and reviewed and updated in line with agreed timescales or when required.
It is good practice to have a document in place, which outlines the agreed style that all policies, procedures and guidance documents must follow which has been communicated to relevant managers and staff.

ICO Guide to data protection – Information security
Get safe online – Staff policies

3. Information Security Responsibility

  • Your business has defined and allocated information security responsibilities.
  • Your business has established a management framework to coordinate and review the implementation of information security.

It is good practice to identify a person or department in your business with day-to-day responsibility for developing, implementing and monitoring the security policy. They should have the necessary authority and resources to fulfil this responsibility effectively.
For larger organisations, it is common to appoint ‘owners’ with day-to-day responsibility for the security and use of business systems.
Without clear accountability for the security of systems and specific processes, your overall security will not be properly managed or coordinated and will quickly become flawed and out of date.

ICO Guide to data protection – Information security

4. Outsourcing

  • Your business has established written agreements with third party service providers that include appropriate information security conditions.
  • Your business ensures the protection of personal data that is accessed by suppliers and providers

Many small businesses outsource some or all of their data processing requirements to hosted (including cloud based) services. You must be satisfied that these ‘data processors ‘ will treat your information securely as your business will remain responsible for ensuring the processing complies with the DPA.
You must choose a provider that gives sufficient guarantees about its security measures. For example, you might review copies of any security assessments and, where appropriate, visit their premises to make sure they have appropriate security arrangements in place.
You must also have a written contract setting out what the provider is allowed to do with the personal data and requiring them to take the same security measures you would have to take to comply with the DPA.
If you use a provider to erase data and dispose of or recycle your ICT equipment, make sure they do it adequately. You will be held responsible if personal data collected by you is extracted from your old equipment if it is resold.

ICO Guide to data protection – Information security
ICO – Outsourcing
ICO – Cloud computing
ICO – IT asset disposal
ICO – Model contract clauses – International transfers of personal data
European Commission – Model contracts for the transfer of personal data to third countries
Data controllers and data processors – what the difference is and what the governance implications are.

5. Incident management

  • Your business has established a process to report and recover from data security breaches.
  • Your business ensures the management of data security breaches, including communication of information security events and weaknesses.

Data security breaches may arise from a theft, an attack on your systems, the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure.
However a breach occurs it is important that you deal with it effectively and learn from it. You should have a process to report breaches to management as soon as staff become aware of them, and to investigate and implement recovery plans.
Ideally, you should monitor the type, volume and cost of incidents to identify trends and help prevent recurrences.

ICO notification of data security breaches to the ICO
HMG 10 steps to cyber security – Incident management