So in this article I will once again upset and annoy some tech folk who hide behind certifications and standards instead of actually putting in place measures to protect your data.
The first is ISO27001 – a framework built around Information Security Management Systems (ISMS).
- Risk Management – You have to perform your own internal assessments continually.
The second is Data Sovereignty – If your data is stored inside Australia then you and your data are protected by Australian law (the law doesn't always apply).
While I understand both play a role in helping keep your data safe, I have never seen either actually keep your data safe; hence I will not hide behind them and use them as selling points.
It DOES NOT matter where your data is located when your local server or cloud-hosted server allows unlimited login attempts from anywhere, including Russia, China or North Korea, and your remote access authentication mechanisms are flawed.
- Do you use two-factor authentication? Or can someone log in using the username "Shaun" and a dictionary word like "Eucalyptus"?
- Is your username/password combination unique and complex?
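The "unlimited login attempts" problem above is visible in your own authentication logs long before an attacker guesses the right word. The script below is an added example, not the author's code or tooling: it reads sshd-style "Failed password" lines (the sample lines are constructed for this example), counts failures per source address inside a sliding time window, and flags any source that reaches the threshold. The threshold of 5 failures in 60 seconds is an assumed value; it also records which usernames each source tried, so a password spray across several accounts from one address shows up as well as a single account being hammered.

```python
"""Flag brute-force login sources in sshd-style authentication logs.

Added example for this post, not the author's code. The log lines are
constructed in OpenSSH's "Failed password" / "Accepted password" format;
the threshold (5 failures) and window (60 seconds) are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One line per sshd password event; the leading timestamp is ISO-8601.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: 203.0.113.7 guesses at "shaun" (and one invalid user)
# six times in ten seconds, then once more five minutes later; 198.51.100.4
# is a real user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[2301]: Failed password for shaun from 203.0.113.7 port 51000 ssh2
2024-05-01T10:00:03 sshd[2301]: Failed password for shaun from 203.0.113.7 port 51001 ssh2
2024-05-01T10:00:05 sshd[2301]: Failed password for shaun from 203.0.113.7 port 51002 ssh2
2024-05-01T10:00:07 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
2024-05-01T10:00:09 sshd[2301]: Failed password for shaun from 203.0.113.7 port 51004 ssh2
2024-05-01T10:00:11 sshd[2301]: Failed password for shaun from 203.0.113.7 port 51005 ssh2
2024-05-01T10:00:12 sshd[2302]: Failed password for alice from 198.51.100.4 port 40222 ssh2
2024-05-01T10:00:20 sshd[2302]: Accepted password for alice from 198.51.100.4 port 40222 ssh2
2024-05-01T10:05:00 sshd[2303]: Failed password for shaun from 203.0.113.7 port 51010 ssh2
"""


def parse_line(line):
    """Return (timestamp, outcome, user, ip) for an sshd password line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]


def find_brute_force_sources(log_text, max_failures=5, window_seconds=60):
    """Return {ip: summary} for every source whose failed logins reach
    max_failures within some sliding window of window_seconds.

    summary = {"failures": total failed attempts seen,
               "peak_in_window": most failures inside one window,
               "users": sorted list of usernames the source tried}
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    totals = defaultdict(int)
    peaks = defaultdict(int)
    users = defaultdict(set)

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        if outcome != "Failed":
            continue                          # successes do not count towards lockout
        window = recent[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()                  # drop failures that fell out of the window
        window.append(ts)
        totals[ip] += 1
        peaks[ip] = max(peaks[ip], len(window))
        users[ip].add(user)

    return {
        ip: {
            "failures": totals[ip],
            "peak_in_window": peaks[ip],
            "users": sorted(users[ip]),
        }
        for ip in totals
        if peaks[ip] >= max_failures
    }


if __name__ == "__main__":
    for ip, s in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {s['failures']} failures, peak {s['peak_in_window']} "
              f"in one window, usernames tried: {', '.join(s['users'])}")
```

On the sample input only 203.0.113.7 is flagged; the legitimate user's single typo never comes close to the threshold. The same counter is what a lockout or fail2ban-style block would act on; on its own it only tells you the guessing is happening, which is exactly the visibility a framework certificate does not give you.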
Do you control what your staff can access?
- Do your staff have Dropbox or similar installed, through which they can siphon out sensitive data?
- Can they access personal email and therefore send themselves sensitive documents?
In those scenarios the onus is on you, the business owner or manager, to mandate your own controls and methodologies around protecting your data. When your information is stolen by an insider without your knowledge, or a hacker gains control of your system, no framework or law will help you; it's already too late.