Contents
- Training: Are all employees aware?
- Information Security: Do you have a team and policy?
- Documentation: Are all documents recorded?
- Human Resources: Are employee documents secure?
- Supplier Management: Your suppliers are also part of security
- Asset Management: Have you created an asset inventory?
- Access Authorization: Who has access to what information?
- Physical Security: “Clean desk and clean screen”
- Operational Security: Are necessary tests and scans performed?
- System Provision: Is security taken into consideration when making system developments?
- Information Security Violation Incidents: What actions do you take when a security breach occurs?
- Risk Assessment: Do you know the risks your business may face?
- Business Continuity: Do you have disaster scenarios?
With the sweeping impact of digital transformation, data security has become one of the most hotly debated topics in our country and around the world. Public authorities treat it as a matter of national security. Businesses now consider data security a vital need, both to protect against cyberattacks and to ensure the sustainability of their operations.
In this article, we examine how data security should be addressed from a business perspective. Data security requires engagement across all departments, from information systems to human resources. It is a holistic process that involves every employee and ultimately aims to become part of the company's culture.
As a worked example, we describe step by step what we have done at Craftgate to build and maintain this culture while obtaining, and regularly renewing, both PCI DSS Level 1 and ISO 27001 certifications.

Training: Are all employees aware?
The first step in data security is raising awareness. Every employee must receive information security training regularly, at least once a year. At Craftgate, this training covers what counts as confidential information; the concepts of confidentiality, integrity, and availability; the use of company devices; precautions when sending and receiving email; password criteria; security measures for data transfers; and the disciplinary procedures that apply when these rules are not followed.
Information Security: Do you have a team and policy?
The company should establish an information security team with clearly defined roles and responsibilities. An information security policy should be developed with the input of that team, approved by management, published, and made accessible to all employees and stakeholders.
Documentation: Are all documents recorded?
The certification process can be extensive, and its scope varies with the certifications a business needs to obtain. It is crucial to number the required plans, procedures, and forms consistently, record each revision as it is made, and keep the documents up to date. Assigning responsible individuals and establishing this order from the outset will significantly simplify everything that follows.
Human Resources: Are employee documents secure?
The documents that must be kept in every employee's personnel file are generally governed by labor law. For data security, however, additional documents belong in those files: employee confidentiality agreements, asset assignment (custody) records for each company device issued, proof that departing employees returned those devices, and reference check forms where required. These documents are essential for end-to-end data security in human resources.
Supplier Management: Your suppliers are also part of security
Suppliers, the stakeholders from whom a business buys services in many different areas, are a segment where data security is often overlooked. Yet these stakeholders hold a degree of control over business data, and they need regular and close monitoring in proportion to the criticality of the data they can access.
A list of all suppliers should be compiled, covering providers of information security infrastructure, network security, and server services as well as human resources, legal, and finance services, and confidentiality agreements should be signed with all of them. Suppliers should then be evaluated regularly against criteria the business defines, with the necessary approval mechanisms in place, and work with them suspended or continued based on the results.

Asset Management: Have you created an asset inventory?
All elements that have value for the business in terms of information security, including software, hardware, contracts, and tools, are assets. Each asset must be classified: how and where it is stored, physically and digitally; who is responsible for it; and what its confidentiality level is. The result is a comprehensive inventory of all company assets and their properties, recorded and kept up to date.
Access Authorization: Who has access to what information?
Access authorization should be handled in parallel with the asset inventory. Every application the business actively uses is recorded, together with which employees can access it, who administers it, and who holds read or edit permissions.
Authorization can be granted per individual, per title, or per department. The result is an authorization matrix; access outside the matrix is unauthorized and should be denied, and actual grants should be reviewed against the matrix periodically. Removing access when an employee leaves is equally critical, so a checklist for verifying that every access has been revoked is worth having.
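The asset inventory and the authorization matrix described in the two sections above become useful when the access actually configured in each application is checked against them. The script below is an added illustration of that review, not Craftgate's tooling: the applications, roles, roster and grants are constructed sample data, and the permission levels (read, edit, admin) are an assumed ordering. It flags grants that exceed the matrix, accounts of departed employees, accounts with no roster entry, and applications missing from the inventory, and it produces the per-leaver list an offboarding checklist has to tick off.

```python
"""Authorization-matrix review against actual application access.

Added example for the asset-inventory and access-authorization sections;
all names, roles and grants below are constructed, not real data.
"""

# Assumed permission levels in increasing order of privilege.
LEVELS = {"none": 0, "read": 1, "edit": 2, "admin": 3}

# Asset inventory: every application in use, with owner and classification.
ASSETS = {
    "payment-api": {"owner": "platform-team", "classification": "confidential"},
    "hr-portal": {"owner": "hr", "classification": "restricted"},
    "wiki": {"owner": "it", "classification": "internal"},
}

# Authorization matrix: the maximum level each role may hold per asset.
# Any asset not listed for a role is "none".
MATRIX = {
    "developer": {"payment-api": "edit", "wiki": "edit"},
    "sre": {"payment-api": "admin", "wiki": "edit"},
    "hr-specialist": {"hr-portal": "edit", "wiki": "read"},
    "finance": {"wiki": "read"},
}

# HR roster: role and employment status per person (constructed).
EMPLOYEES = {
    "ayse": {"role": "developer", "status": "active"},
    "mehmet": {"role": "sre", "status": "active"},
    "deniz": {"role": "hr-specialist", "status": "active"},
    "can": {"role": "finance", "status": "left"},   # departed employee
}

# Access actually configured in the applications, as exported from their
# admin consoles (constructed sample).
GRANTS = [
    ("ayse", "payment-api", "edit"),
    ("ayse", "hr-portal", "read"),          # not in the developer row at all
    ("mehmet", "payment-api", "admin"),
    ("deniz", "hr-portal", "admin"),        # exceeds the allowed "edit"
    ("can", "wiki", "read"),                # departed employee still has access
    ("guest", "wiki", "read"),              # account with no roster entry
    ("mehmet", "legacy-reports", "admin"),  # application missing from the inventory
]


def allowed_level(role, asset):
    """Maximum level the matrix grants this role on this asset."""
    return MATRIX.get(role, {}).get(asset, "none")


def review_access(grants, employees, matrix, assets):
    """Return (user, asset, level, finding) for every grant that the
    inventory, the roster or the matrix does not justify."""
    findings = []
    for user, asset, level in grants:
        if asset not in assets:
            findings.append((user, asset, level, "asset not in inventory"))
            continue
        person = employees.get(user)
        if person is None:
            findings.append((user, asset, level, "no roster entry"))
            continue
        if person["status"] != "active":
            findings.append((user, asset, level, "departed employee still has access"))
            continue
        permitted = matrix.get(person["role"], {}).get(asset, "none")
        # A grant is acceptable only if it is at or below the matrix ceiling.
        if LEVELS[level] > LEVELS[permitted]:
            findings.append((user, asset, level,
                             f"exceeds matrix ({person['role']} may hold {permitted})"))
    return findings


def offboarding_checklist(user, grants):
    """Every application where the user still holds an account: the items an
    offboarding owner must revoke and tick off for this leaver."""
    return sorted({asset for u, asset, _ in grants if u == user})


if __name__ == "__main__":
    for user, asset, level, finding in review_access(GRANTS, EMPLOYEES, MATRIX, ASSETS):
        print(f"{user:8s} {asset:15s} {level:6s} {finding}")
    print("offboarding 'can':", offboarding_checklist("can", GRANTS))
```

In practice the three inputs come from different owners (the inventory from asset management, the roster from HR, the grants from each application's export), which is exactly why the review catches what any one of them alone would miss; the finding for an application missing from the inventory is as important as an excessive grant, since an unrecorded system has no matrix row to check against.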
Physical Security: “Clean desk and clean screen”
For office workers, careful handling of desks and computer screens is essential for data security. Employees should follow the clean desk, clean screen principle and be mindful of it. In addition, visitor logs should be kept and shared regularly with the responsible persons.
Operational Security: Are necessary tests and scans performed?
The purpose of operational security is to keep the services the business offers secure and sustainable while minimizing potential information loss. Antivirus and firewall use are among the basic controls. Change management also belongs under this heading.
Every change to systems must be recorded from the request stage through to completion. Backup restoration tests, threat intelligence activities, and regular penetration tests and vulnerability scans are essential for operational security.
At Craftgate, in addition to all of these, we run internal and external vulnerability scans four times a year against operating systems, network services, databases, network devices, and similar IT assets; segmentation tests twice a year; security compliance reports four times a year; and business continuity exercises at least twice a year.

System Provision: Is security taken into consideration when making system developments?
The applications and operating systems running on the information systems are improved over time. This system development process consists of four phases that run as a cycle: assessment, definition, test planning, and installation. Security must be considered in each phase, and collaboration among teams is critical for planning and implementing every phase.
Information Security Violation Incidents: What actions do you take when a security breach occurs?
Security incidents are an undeniable reality of the digital world. A business must record every incident transparently, contain and resolve it as quickly as possible, and review its root cause afterwards so that the same incident does not recur.
Risk Assessment: Do you know the risks your business may face?
One of the most important aspects of data security is conducting a risk analysis for the business. Potential risks, particularly to information systems, are scored by their likelihood and by the impact they would have on the business if they materialized, and these scores are combined in a risk calculation table.
Using thresholds on the resulting scores, each risk is then assigned a treatment: risks below the threshold are accepted, and those above it are mitigated, transferred, or avoided. The actions to be taken for each risk follow from this assignment.
Business Continuity: Do you have disaster scenarios?
A business continuity plan is essential to data security. Complementing the risk assessment, disaster scenarios are worked through for the relevant risks (database, infrastructure, attack, human error, and disaster-related risks), and for each scenario preventive measures and responsible individuals are identified.
At Craftgate, we understand that ensuring and maintaining data security is a continuous process that never ends. It requires an integrated perspective, significant resources, and significant effort. By proceeding step by step and diligently, satisfactory results can be achieved.
