Information Security

Are Your Information Assets Secure?

Published: December 20, 2016

In December 2016, we held an information session for clients and staff on the benefits of our ISO 27001:2013 training course, which teaches auditors the key processes and approaches a business needs in order to manage its information security risks.

The information session was attended by a wide-ranging audience, from clients’ CEOs and COOs to individual management systems auditors, and while we had them all in the same room we took the opportunity to conduct a short survey to find out how they approach the security of their organisation’s information assets.

The survey produced some surprising results. For example, when asked whether they would know if their information or data had been breached or hacked, 53 per cent of respondents said they would not be sure. Worryingly, more than half of all respondents also said their business did not have an inventory of its information assets, or had one that was rarely updated.

In keeping with PwC’s purpose of building trust in society and solving important problems, we help clients ‘reimagine the possible’: aligning their information security framework to the international standard, and training their workforce in the information security controls and processes needed to address security risks.

Are your assets secure? Infographic from PwC's Auditor Training & Certification

Are your Information Assets Secure?

We quizzed organisations about their information security systems, and found that not everyone is as prepared as they perhaps should be. The questions covered seven key areas of ISO 27001:2013, the international standard for Information Security Management Systems.

1. Would you know if your information or data was breached or hacked?

82% of respondents wouldn’t know, or are unsure whether they would know, if their data was breached. Pending changes to the Privacy Act will mean that organisations with an annual turnover of more than $3M will need to notify the Privacy Commissioner (and the individuals affected) of data breaches involving personal information that are likely to result in serious harm. You cannot notify a breach you cannot detect: logging of security events, and a defined process for reporting and handling incidents, are what turn the answer to this question into a ‘yes’.
Knowing when your information has been compromised is not only something your customers expect; it may soon be mandatory under the law.
(ISO 27001:2013 Annex A, A.12.4.1 – Event logging and A.16.1 – Management of information security incidents and improvements)

2. Do you have different levels of classification for the information that you store?

42% of companies surveyed don’t classify the information they generate and store. This means that the email about your potential business strategy, or your staff’s personal information, is treated the same as the email asking your partner to buy milk on the way home. Of the 58% that do classify their information, the question remains whether their scheme is applied consistently across the board.
Information should be classified, then labelled and handled according to its level of classification. It is obvious that things like credit card details and personal information need to be secured differently from the stationery order or the lunch menu, yet many organisations lack a formal process for deciding which is which, and a scheme that exists only on paper protects nothing.
(ISO 27001:2013 Annex A, A.8.2.1 – Classification of information, A.8.2.2 – Labelling of information and A.8.2.3 – Handling of assets)

3. Do you allow your staff to work flexibly from home?

Flexible working environments are definitely here to stay, but they bring their own set of risks. Are your organisation’s secrets safe in someone else’s home, or on a personal device?
56% of companies allow work from personal devices. Whilst companies can control the security and maintenance of devices they own, it is much harder to control employees’ own devices: patch level, disk encryption, screen lock and whatever else is installed are outside your direct control unless a mobile device or teleworking policy makes them a condition of access.
Are they the Achilles’ heel of your system?
(ISO 27001:2013 Annex A, A.6.2.1 – Mobile device policy, A.6.2.2 – Teleworking and A.11.2.6 – Security of equipment and assets off-premises)

4. Do you have an inventory of all your information security assets?

Information is an asset and, like other business assets, it is essential to an organisation’s value. Nearly a quarter of respondents don’t have an inventory at all, and just over a quarter have one but don’t keep it up to date.
Information assets, compared with other business assets, can change rapidly. Regular review and amendment of the information asset register is crucial to identify what information exists, who owns it, and what level of classification and protection it requires; a register that is never reviewed quickly describes an organisation that no longer exists.
How can you control something if you don’t know what you have?
(ISO 27001:2013 Annex A, A.8.1.1 – Inventory of assets and A.8.1.2 – Ownership of assets)

5. Do your staff leave documents on desks or unlocked screens unattended?

ISO 27001 sets out controls for both unattended user equipment and clear desk and clear screen policies. Almost three quarters of respondents admitted that information is left unsecured either during the day or overnight.
Flexible, collaborative and open-plan working means protection from wandering eyes is more crucial than it was in traditional offices; and with most of us now carrying a smartphone, one click and send can mean your information has gone viral.
(ISO 27001:2013 Annex A, A.11.2.8 – Unattended user equipment and A.11.2.9 – Clear desk and clear screen policy)

6. Are all your staff members aware of, and trained in your company’s information security processes?

One of the biggest risks to any organisation’s information security is its people. Yet over a fifth of respondents said their employees are not trained in information security at all, and a further third said staff are trained only at induction.
Keeping information secure is everyone’s responsibility, and we need to ensure that all staff know their responsibilities and are fulfilling them; a single induction session is not enough to keep pace with changing threats, systems and roles.
(ISO 27001:2013, Annex A, A.7.2.2 – Information security awareness, education and training)

7. Who leads your information security system?

One third of companies defer responsibility for information security to the IT department. To ensure information security objectives are established, integrated, resourced and achieved, leadership and commitment by top management are essential.
Information security risks affect more than just the IT department. Leaders need to understand the financial and reputational impact of information loss, and to own the decisions about which risks the business will accept.
(ISO 27001:2013, Clause 5 – Leadership, in particular 5.1 Leadership and commitment and 5.3 Organizational roles, responsibilities and authorities)

To learn more about how ISO 27001 can help you secure your data, click below:

https://training.au.pwc.com/our-courses/information-security/
