An introduction to ISO27001 & Information Security

Welcome to your Information Security Awareness Training on ISO 27001.


This training is designed to equip you with the knowledge and skills needed to understand the importance of information security and how ISO 27001 can help protect not only our organization's but also our clients' sensitive data. By the end of this training, you will have a clear understanding of key concepts related to information security and ISO 27001 compliance.

 

But let’s start from the beginning. What is information?

Information generally refers to data that has been processed, organized, or structured in a meaningful way to convey meaning, knowledge, or understanding to someone. It is the result of taking raw data and giving it context, relevance, and purpose.

Information is therefore an asset, which can have a high value to the organization and, consequently, needs to be suitably protected.

Information can exist in various forms, including text, images, audio, video, and more.

  • Printed or written on paper

  • Stored electronically

  • Transmitted by post, e-mail or any other electronic means

  • Visuals e.g. videos, diagrams

  • Published on the Web

  • Verbal/aural e.g. conversations, phone calls

  • Intangible e.g. knowledge, experience, expertise, ideas

 

Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.

 

Information can be:

  • Created

  • Owned (it is an asset, remember?)

  • Stored

  • Processed

  • Transmitted / communicated

  • Used (for proper or improper purposes)

  • Modified or corrupted

  • Shared or disclosed (whether appropriately or not)

  • Destroyed or lost

  • Stolen

  • Controlled, secured and protected throughout its existence

 

In everyday language, information is what allows us to learn, make decisions, communicate effectively, and understand the processes around us. It is a crucial aspect of human cognition, technology, and the way we interact with our environment.

And what is Information Security then?

Information security refers to the practices and measures taken to protect sensitive information from unauthorized access, disclosure, alteration, or destruction. It ensures the confidentiality, integrity, and availability of information. In one phrase: it makes sure that the data is safe.

Safe from what?

You won the lottery jackpot after playing for more than 10 years! Congratulations! Except that the winning numbers were leaked and thousands of people will have a piece of your cake. The Confidentiality of information is the property that information is not made available or disclosed to unauthorized individuals, organisations or processes.

You thought you had the correct information, but no: the data was altered or contained errors. The Integrity of data is the property of safeguarding the accuracy and completeness of the information.

Nothing is more annoying than not finding the information you are searching for. The Availability of information is the property of being accessible and usable upon demand by an authorized entity.

 

[Infographic: share of all investigated incidents that involved human error; share of organisations that reported cyber breaches in the past 12 months]

 

 

CIA. Freeze!

While it could come from a B-movie, we are not referring to the Central Intelligence Agency.

Confidentiality, Integrity and Availability are the three pillars for establishing a robust and comprehensive information security framework, helping an organisation to protect sensitive information and maintain the overall security of its operations.

  1. Confidentiality: Ensuring that information is only accessible to those who are authorized to view it. This involves protecting sensitive data from unauthorized access, disclosure, or leakage.

  2. Integrity: Guaranteeing the accuracy and reliability of information by preventing unauthorized alteration, modification, or deletion. Data integrity ensures that information remains consistent and trustworthy over time.

  3. Availability: Making sure that information and resources are accessible and usable when needed. This involves preventing disruptions, downtime, or loss of access to critical systems and data.

 

 

Within our organisation, this means:

  • Protecting customer information

  • Protecting organizational information

  • Protecting information about our colleagues

  • Protecting other information we are trusted to work with e.g. clients

  • Protecting Personal Data and Personally Identifiable Information, also called PII

 

...stored in whatever form:

  • In electronic (digital/soft) format – e.g. within IT systems, file storage, removable media (USB drives)

  • In hard-copy format – e.g. printed documents

  • Even in people’s heads!

 

GDPR, ISO27001. Is there a difference?

While both GDPR and ISO 27001 relate to data protection and information security, GDPR primarily focuses on the protection of personal data and individual privacy rights within the EU and EEA, while ISO 27001 provides a broader framework for implementing information security management systems in organizations worldwide.

In today's interconnected world, where data breaches and cyber threats have become an ever-present concern, organizations such as ours are seeking effective ways to fortify their information security systems. One globally recognized solution that has emerged to address this challenge is ISO 27001, a comprehensive standard that offers a structured approach to establishing, implementing, and maintaining an organization's information security management system (ISMS).

 

Unveiling ISO 27001

ISO 27001 stands as a beacon of assurance in the realm of information security. This international standard provides a meticulously designed framework that guides organizations through the intricacies of fortifying their digital defenses. The key focus of ISO 27001 lies in establishing a robust ISMS that not only safeguards sensitive information but also ensures a continuous cycle of improvement to stay ahead of evolving threats.

 

Advantages of ISO 27001 Compliance

Embracing ISO 27001 compliance is comparable to making a resolute commitment to information security. The benefits it brings are far-reaching and encompass various facets of our organization's operations.

By adhering to ISO 27001, AREMIS signals its dedication to the protection of vital data, fostering an atmosphere of trust and credibility among clients, partners, and stakeholders. The standard's systematic approach to risk management offers a structured methodology for identifying potential vulnerabilities, evaluating risks, and implementing appropriate controls to mitigate them. This, in turn, paves the way for enhanced incident response and recovery strategies.

 

Crucial Principles Underpinning ISO 27001

At the core of ISO 27001 lie key principles that drive its effectiveness in safeguarding information in a digitized world.

Risk Assessment and Management: Organizations must engage in a comprehensive evaluation of vulnerabilities and threats. This involves meticulously assessing potential impacts and the likelihood of risks. By implementing appropriate controls, organizations such as ours can either mitigate these risks or transfer them to more suitable entities.

Security Controls: ISO 27001 encompasses a range of security measures, spanning technical, administrative, and physical domains. These include access controls, encryption, firewalls, and more. Ensuring that user privileges are appropriately managed adds an additional layer of defense against unauthorized access.

Continuous Improvement: The landscape of information security is ever-changing. ISO 27001 recognizes this and advocates for regular reviews and updates of security measures. By learning from security incidents and near-misses, we can dynamically adapt to emerging threats and technologies, maintaining our security posture in a proactive manner.

 

By adhering to its principles and undergoing the implementation process, AREMIS can forge a strong shield against potential threats while solidifying our commitment to safeguarding sensitive information in an increasingly complex digital landscape.

 

In the dynamic landscape of modern business, the emergence of compliance requirements often ushers in new ways of operating. While these changes might initially appear as a challenge, they are rooted in common sense and rapidly transform into second nature as consistent habits develop.

Information Security and Data Protection policies are needed to enable our business success, not prevent it.

Far from being seen as the biggest weakness, we believe people can be the biggest strength in our approach to Information Security & Data Protection.

Your role in our success?

Information Security (InfoSec) and Data Protection encompass a wide array of aspects. These aspects, in varying degrees, relate to your professional practices and role. It's imperative to know that Information Security and Data Protection are shared responsibilities across the organisation.

It's therefore crucial for you to have a comprehensive understanding of:

  • the relevant policies and procedures

  • your responsibilities and positive conduct

  • the fundamental principles of data classification and labeling

  • the reporting mechanisms for InfoSec vulnerabilities and incidents

 

We expect everyone to be diligent when handling our information and the information entrusted to us by others. While no one is expected to be a security expert, it is important that everyone brings security consciousness and conscientiousness to their daily work routines.

 

 

You are required to be aware of, understand and adhere to our Security policies, standards and procedures.

As an integral member of our organisation, we would like to emphasize the significance of being well-versed in our security policies, standards, and procedures.

In our commitment to maintaining a robust security posture, several meticulously crafted security policies and procedures have been put in place. These measures are designed to safeguard both our organization and the sensitive information we handle. As you progress in your career journey with AREMIS, it becomes imperative for you to not only be aware of these policies but to also possess a comprehensive understanding of their implications.

The landscape of cybersecurity is ever-evolving, and our security policies are in place to ensure that we stay ahead of potential threats. By adhering to these guidelines, you contribute not only to the protection of our data but also to the overall strength of our organization.

Over the course of your career, you will encounter various security policies and procedures that pertain to different aspects of our operations. It is your responsibility to review these policies periodically and familiarize yourself with their intricacies. Your proactive engagement in this regard not only enhances your professional acumen but also reinforces our collective commitment to security.

In the coming days, we encourage you to set aside time to explore our security policies and procedures and especially the:

Should you have any questions or require clarification on any aspect, please do not hesitate to reach out to our dedicated security team. Their expertise is here to support you on this journey of understanding and compliance.

 

 

Don’t try to circumvent any form of security control that has been implemented, be it physical, policy, procedural or technological. If it has been set up, it is for a reason. If it prevents you from doing your job, call the Support team, who will gladly help you.

In our ongoing commitment to maintaining a secure and resilient work environment, we'd like to emphasize the importance of respecting and adhering to all established security controls. These controls, whether physical, policy-based, procedural, or technological, have been put in place for specific reasons – to protect our operations and data from potential risks.

We urge you not to attempt to bypass or circumvent any form of security control that has been implemented. Each security measure is an integral part of our collective defense against threats, both internal and external.

We want to emphasize that your cooperation in this matter is of utmost importance. Attempting to bypass security controls not only exposes our organization to potential vulnerabilities but also undermines the diligent efforts of our security professionals who work tirelessly to ensure our safety.

By upholding security controls and promptly seeking support when needed, you play an instrumental role in maintaining the security and integrity of our operations. We appreciate your dedication to our organization's security measures and your understanding of their vital significance.

If, at any point, you find that these controls present a challenge to fulfilling your responsibilities, we encourage you to reach out to our Support team. They are here to assist you and find suitable solutions that align with our security protocols.

 

 

You are required to be aware of, understand and adhere to the Information Classification levels.

The Four Classification Levels

  1. PUBLIC: This level encompasses information that is meant to be shared widely with no restrictions on its use. It is open to the public domain and does not harbor sensitive content. However, even in its openness, this information should be treated with care to ensure accuracy and reliability.

  2. INTERNAL: The default classification level, this pertains to information that, while not sensitive in nature, is intended solely for internal use. This includes materials like project documents. It's important to keep in mind that even though this information might not be highly confidential, its internal nature mandates its protection from external exposure.

  3. CONFIDENTIAL: Stepping into a higher tier of sensitivity, this level involves information that, if disclosed without authorization, might lead to some negative publicity. While the consequences may not be catastrophic, it's vital to maintain a strong guard over such information, such as AREMIS Corporate Information.

  4. HIGHLY CONFIDENTIAL: At the zenith of classification, this level deals with information whose unauthorized disclosure could have severe repercussions. Financial and reputation damage, including fines from regulatory bodies, are potential outcomes. This includes Personally Identifiable Information (PII) which, if mishandled, can lead to grave consequences.

 

Mastering Handling Protocols

Understanding the nuances of each classification level is just the beginning. Knowing how to handle information at each level is equally crucial.

  • PUBLIC: While this information is intended for wide dissemination, accuracy is paramount. Ensuring that the information is up-to-date and reliable maintains the organization's credibility.

  • INTERNAL: Even though this classification level is not highly sensitive, it is still meant exclusively for internal eyes. Sharing it externally, even inadvertently, can breach trust and potentially lead to complications.

  • CONFIDENTIAL: Safeguarding information at this level necessitates vigilant protection. Unauthorized disclosure might not be catastrophic, but it can still impact the organization's reputation. Limit access to individuals who require information for their roles.

  • HIGHLY CONFIDENTIAL: The utmost caution must be exercised with information classified as highly confidential. Access should be restricted to only those who absolutely require it. The potential consequences of mishandling this information are significant.

 

A dedicated article about our Data Classification & Labeling is available in our Assist Pages.

 

 

If you see, hear or identify any potential vulnerability (weakness), unusual activity or actual breach of information security, report it immediately to the security or support team.

Trust your instincts. If something “feels” wrong, it probably is and you should increase your vigilance.

Your vigilance plays a crucial role in upholding the security of our organization's valuable information. We want to emphasize the importance of immediate reporting if you encounter any potential vulnerabilities, unusual activities, or breaches in our information security.

Should you ever see, hear, or identify any sign of a weakness in our security measures, an anomaly in activity, or an actual breach of our information security, we urge you to take swift action. Report your observations directly to our security or support team. Your prompt reporting could make all the difference in safeguarding our organization from potential threats.

It is essential to note that if you do come across such situations, please refrain from attempting to investigate them on your own. Investigations require a specialized approach and involve intricate procedures that must be conducted by our trained security personnel. Attempting to probe into these matters independently could inadvertently compromise an ongoing investigation or tamper with critical evidence.

At times, the impact of security breaches can be significantly mitigated or even prevented altogether through early reporting. History has shown that some of the most notable security breaches reported in the media could have been less severe had they been reported promptly.

Your personal safety is, however, more important than any security requirement of the organisation. DO NOT attempt to “be a super hero” for the sake of protecting organizational equipment, devices or information.

 

 

To finalise this training, we also wanted to give you some guidance on the basic principles of securing your work environment and

Some tips & tricks

  1. Avoid free Wi-Fi in coffee houses and other public retail spaces, and assess the risk of whether it is okay to use it in hotels (e.g. when at conferences).
    Don’t believe me? See for yourself.

 

 

  2. DO NOT use personal devices for work purposes unless explicitly authorized by management and, vice versa, do not use corporate devices for personal purposes.

  3. Keep your passwords and other secret identification information confidential.

    1. It takes 28 seconds for a hacker to crack an 8-character password. Use Multi-Factor Authentication whenever possible.

    2. If you suspect your password has been compromised, change it immediately and contact support for help.

    3. DON’T write passwords on sticky notes or on the inside of your notebook!

    4. NEVER share passwords in a mail or chat! Check our dedicated article about this topic.

  4. If you receive spam email, flag it as SPAM or PHISHING. How? More information here.

    1. Be very careful with email attachments and links, especially in unsolicited emails (most are virus-infected).

    2. Use corporate email for business purposes only.

  5. Would you leave the booth at the bank with your card still in the machine? Same with your computer: lock it when you leave it, even for a quick pause at the coffee corner. Set your Windows PC to lock automatically when you step away from it.
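The last tip above is a configuration step rather than a habit, so here is an added example (written for this page, not an AREMIS script or policy) that checks and, where needed, sets automatic locking on a Windows 10/11 workstation through the standard screen-saver and inactivity-limit registry settings. The 300-second threshold and the choice of the built-in blank screen saver are assumptions; your organisation's policy pack may specify different values.

```powershell
# Added example (not AREMIS material): verify and configure automatic locking on a
# Windows 10/11 workstation. Assumes Windows PowerShell 5.1 or later and the standard
# registry locations listed below; the 300-second threshold is an assumed value.

$MaxIdleSeconds = 300   # assumed target: lock after 5 minutes without input

# Standard locations:
#   per-user screen-saver settings        -> HKCU:\Control Panel\Desktop
#   user policy overriding those settings -> HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop
#   "Interactive logon: Machine inactivity limit" (system-wide, read-only here)
#                                         -> HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-WithinThreshold {
    param($Value, [int]$Threshold)
    # True only for a positive number of seconds at or below the threshold.
    $n = $Value -as [int]
    return ($null -ne $n) -and ($n -gt 0) -and ($n -le $Threshold)
}

function Get-AutoLockStatus {
    param([int]$Threshold = $MaxIdleSeconds)
    $user   = 'HKCU:\Control Panel\Desktop'
    $policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # A policy value, when present, overrides the user's own setting.
    $active  = Get-RegValue $policy 'ScreenSaveActive'
    if ($null -eq $active)  { $active  = Get-RegValue $user 'ScreenSaveActive' }
    $secure  = Get-RegValue $policy 'ScreenSaverIsSecure'
    if ($null -eq $secure)  { $secure  = Get-RegValue $user 'ScreenSaverIsSecure' }
    $timeout = Get-RegValue $policy 'ScreenSaveTimeOut'
    if ($null -eq $timeout) { $timeout = Get-RegValue $user 'ScreenSaveTimeOut' }
    $machine = Get-RegValue $system 'InactivityTimeoutSecs'

    # Either mechanism is enough: a password-protected screen saver within the
    # threshold, or the machine-wide inactivity limit within the threshold.
    $screenSaverLocks = ($active -eq '1') -and ($secure -eq '1') -and
                        (Test-WithinThreshold $timeout $Threshold)
    $machineLocks     = Test-WithinThreshold $machine $Threshold

    [pscustomobject]@{
        ScreenSaverActive     = $active
        ScreenSaverIsSecure   = $secure
        ScreenSaverTimeoutSec = $timeout
        MachineInactivitySec  = $machine
        Compliant             = ($screenSaverLocks -or $machineLocks)
    }
}

function Set-AutoLock {
    param([int]$Seconds = $MaxIdleSeconds)
    # Per-user configuration only (no admin rights needed): blank screen saver,
    # password required on resume, short timeout. Takes effect at the next sign-in
    # at the latest; a domain Group Policy, if present, overrides these values.
    $user = 'HKCU:\Control Panel\Desktop'
    Set-ItemProperty -Path $user -Name 'SCRNSAVE.EXE'        -Value "$env:SystemRoot\System32\scrnsave.scr"
    Set-ItemProperty -Path $user -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $user -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $user -Name 'ScreenSaveTimeOut'   -Value "$Seconds"
}

# Usage: report the current state and apply the per-user settings if not compliant.
$status = Get-AutoLockStatus
$status | Format-List
if (-not $status.Compliant) {
    Set-AutoLock
    Get-AutoLockStatus | Format-List
}

# To lock the session right now before stepping away (same effect as Win+L):
# rundll32.exe user32.dll,LockWorkStation
```

The script only reads the machine-wide inactivity limit, because writing it is a system security policy that requires administrator rights and is normally managed centrally; the per-user screen-saver settings are enough for an individual workstation and are the ones a user can fix themselves. On a domain-joined PC, Group Policy may reset these values, which is the intended behaviour: the check still reports whether the effective configuration locks the screen within the threshold.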

 

 

 

What’s next? 5 simple steps…

  1. Go and visit our Information Security channel.

  2. Verify the channel notification settings on the top right and allow All Activity notifications.

  3. Read the articles that are posted at regular intervals on the channel.

  4. Take a careful and in-depth look at our Information Security Policy Pack.

  5. Complete this training by validating the link in the email or Teams and certify you’ve “Read & Understood” the content of this training.

 

 

 

Do you need more help or want more information about Information or Cyber security?

  • Discuss your concern directly with your manager

  • Send an email to security@aremis.com

  • Call our hotline +32 2 899 70 77

 

 

 


Contacts

Information Security Officer
Maxime VANHAMME

 

Data Protection Officer (DPO)
Baudouin de VAUCLEROY

Chief Finance & Admin Officer
Stanislas LEROY

 
