Data protection & information security help

Soldato | Joined 27 Dec 2005 | Posts 17,316 | Location Bristol
We're tendering for a public sector project and although half the questions aren't relevant we've been lumped with an Information Security Questionnaire.

I'm having difficulty answering a lot of the questions, simply because we're a small company (3 people) and have no experience or need for a lot of the requirements. However they're obviously all required now and we'd need to put them into action should we win the tender, so I was wondering if anyone could point me in the direction of some answers/guidance/what we should be doing etc.

Questions such as:

3.1 Does your company have policies which refer to information security and data protection? If yes, provide a copy.
5.7 Does the company manage servers and network devices using secure encrypted protocols only?
5.12 Will personal data or sensitive business data be encrypted both in transit and in storage? If so, please describe key management practices and the encryption algorithms used (e.g. SSL, 3DES, AES).
5.15 Does the company correlate security events from different sources?
6.2 Are permissions for access to written or printed material and access to computer systems (i.e. physical and logical access) periodically reviewed and if so how often?

etc etc

Completely understand that these things need to be in place but when there's just 3 of us on 3 computers, in a completely non-IT related sector where data isn't confidential we've not really needed to do much! And have no idea what to put for some of the more complex things (i.e. what algorithms are used for encrypting stored data).

Thanks in advance!
 
You could argue that client information stored on your computers *is* confidential and should be encrypted (as well as backed up). Maybe they are looking at the potential impact on them if your systems were to be compromised.

I'm not a security officer, but work in IT, so a quick shot at those...

5.7 I imagine will refer to management of infrastructure over protocols such as SSH, HTTPS etc. If you don't have servers or a datacentre then this won't be that relevant. They're probably making sure you're not managing everything over telnet or other unencrypted protocols. :)

5.12 Could refer to encryption of your hard drives (storage) and also how you transfer data between sites/machines (transit, eg: VPN with SHA & AES although encryption is uncommon over a private network). It could go as far as using encrypted archive files when sending data via email, then divulging the password over a land line phone. I doubt you have a PKI but I think they may be hinting at that as well.

5.15 I imagine is referring to intrusion detection systems or other security products. Correlation from multiple sources (eg: servers, firewalls, routers) suggests they're asking about smart systems like Arcsight/Splunk or other log analysis tools. How quickly can you tie things together to see if you've had a security breach?

6.2 Is a bit broad. Physical access is obviously, "can unauthorised persons get into the building and get access to your files/computers?". Logical access would be processes such as password complexity policies, ensuring that those in the company only have permissions relevant to their role, those who have left the company no longer have access and those who have moved department only have relevant permissions etc etc. Sounds like they want to know your housekeeping is in order regarding reviews on a periodic basis.
 
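To make the 5.15 point concrete for a small setup with no SIEM, here is an added example (not from the thread or any poster) of what "correlating security events from different sources" means in practice: normalise lines from an SSH server, a firewall and a VPN gateway into one event stream, group them by source address, and flag an address whose burst of failed logins is followed, within a short window, by a firewall drop or a successful login. The log lines are constructed sample data in a syslog-like layout; the event names, regexes, window and threshold are assumptions.

```python
"""Correlate security events from several log sources by source IP and time window.

Added example, not code from the original thread. The log lines are constructed
sample data in a syslog-like layout; field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines from three "sources": an SSH server, a firewall and a VPN gateway.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for root from 203.0.113.5 port 51000
2024-03-01T09:00:04 sshd[1201]: Failed password for root from 203.0.113.5 port 51002
2024-03-01T09:00:07 sshd[1201]: Failed password for admin from 203.0.113.5 port 51005
2024-03-01T09:00:09 firewall: DROP TCP src=203.0.113.5 dst=192.0.2.10 dpt=3389
2024-03-01T09:00:12 sshd[1201]: Accepted password for admin from 203.0.113.5 port 51010
2024-03-01T09:05:00 vpn: user alice connected from 198.51.100.7
2024-03-01T09:05:30 sshd[1201]: Failed password for alice from 198.51.100.7 port 40000
2024-03-01T09:06:00 sshd[1201]: Accepted password for alice from 198.51.100.7 port 40001
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
# One pattern per source/event type; each yields a timestamp and the acting source IP.
PATTERNS = [
    ("ssh_fail", re.compile(TS + r" sshd\[\d+\]: Failed password for \S+ from (?P<ip>[\d.]+)")),
    ("ssh_ok", re.compile(TS + r" sshd\[\d+\]: Accepted password for \S+ from (?P<ip>[\d.]+)")),
    ("fw_drop", re.compile(TS + r" firewall: DROP \S+ src=(?P<ip>[\d.]+)")),
    ("vpn_connect", re.compile(TS + r" vpn: user \S+ connected from (?P<ip>[\d.]+)")),
]


def parse_events(text):
    """Normalise lines from different sources into (timestamp, source_ip, event_type) tuples."""
    events = []
    for line in text.splitlines():
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if m:
                events.append((datetime.fromisoformat(m["ts"]), m["ip"], kind))
                break  # first matching pattern wins; unrecognised lines are skipped
    return events


def correlate(events, window=timedelta(minutes=2), fail_threshold=3):
    """Group events by source IP and flag any IP whose failed logins (at least
    fail_threshold of them inside `window`) are followed by a successful login or a
    firewall drop, i.e. two sources agreeing on the same actor."""
    by_ip = defaultdict(list)
    for ts, ip, kind in sorted(events):
        by_ip[ip].append((ts, kind))
    findings = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, k in evs if k == "ssh_fail"]
        if len(fails) < fail_threshold:
            continue
        first, last = fails[0], fails[-1]
        if last - first > window:
            continue  # slow trickle of failures over a long period is not a burst
        followed = sorted({k for ts, k in evs
                           if k in ("ssh_ok", "fw_drop") and first <= ts <= last + window})
        if followed:
            findings[ip] = {"failed_logins": len(fails), "followed_by": followed}
    return findings


def run_report(text=SAMPLE_LOGS):
    """Parse and correlate one batch of log text; returns {ip: detail} for flagged IPs."""
    return correlate(parse_events(text))


if __name__ == "__main__":
    for ip, detail in run_report().items():
        print(f"{ip}: {detail['failed_logins']} failed SSH logins, "
              f"then {', '.join(detail['followed_by'])}")
```

On the sample data only 203.0.113.5 is flagged: three failed SSH logins in six seconds, then a firewall drop and an accepted login from the same address. The single failure from 198.51.100.7 stays below the threshold, which is the kind of tuning a questionnaire answer about "correlation" is really asking you to describe: which sources feed in, how events are joined (here, by source IP and time), and what rule turns joined events into something a person looks at.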
For the policies, you could have a trawl round on the net and find some to *ahem* "inspire" your own. Just don't make it too obviously copied - swap things round a bit and re-word parts.
 
Part of my work is drafting Sy Ops and RMADS and they are very generic; just tailored to fit the requirement.

Have a google for 'Sy Ops' and 'RMADS' - keywords and edit them to fit your work.
 