Information Commissioner’s Office launch IT Security Guide for Small Businesses

Today the Information Commissioner’s Office (ICO) announced it had produced “A practical guide to IT Security” with the subheading that this is “Ideal for the small business.”

At the time of writing, the ICO press release announcing the IT Security guide appears to be having trouble (what looks like an infinite redirect loop is in place), but the document itself is still available for download directly.

The driver behind this publication appears to be the ICO wanting to address the fact that an unfortunate number of small to medium enterprises (and some larger ones…) are woefully unaware of what they should be doing to implement basic good-practice security measures.

Presented in an easy-to-read manner, this guide does not attempt to drill down into your security controls (except on a few occasions) but, rather, gives a higher-level overview, including a checklist you can follow to ensure you have at least considered the major security areas.

Overall, this is a useful, albeit basic, piece of guidance with no glaring errors. Properly implementing the measures mentioned will certainly improve your overall security posture – but as always, the devil is in the details. A guide like this is never going to cover every situation, and you should always make sure your security controls are driven by a sensible risk management approach and add value to your organisation's security rather than being a way of complying with an arbitrary checklist.

Where some small enterprises may struggle is in working out how to follow the guidance given. For example, it says:

• Some mobile devices support a remote disable or wipe facility. This allows you to send a signal to a lost or stolen device to locate it and, if necessary, securely delete all data.

– Your devices will need to be pre-registered with a service like this.

It is far from clear how a business should implement this sort of measure – or even whether it should, as it can be an overly expensive approach for many SMEs.

However, minor quibble aside, this is a useful document, and we would fully recommend that organisations of all sizes read it and take on board the big-picture advice it gives.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years' experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks and producing mitigation plans worldwide, in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential-standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in-depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks, as well as project managing the development of secure, compliant, workable business processes.