Information security

For the scenarios, situations have been chosen that are realistic, but could also occur in another context within your organisation. The following questions are designed to give an impression of whether the described scenario is relevant in your organisation.

Questions for your organisation:

  • Is the situation recognisable?
  • Is the situation realistic (or realistic in another context)?
  • What are the vulnerabilities in this situation?
  • What are the possible consequences of this situation?
  • What control measures can be taken to prevent the scenario?
  1. Cyber-attack

    The network of the organisation has been inaccessible for some time due to a cyber-attack. Once access to the network has been restored, the question arises whether sensitive information is/was accessible to third parties, and whether the information is still present and intact on the network.

    The computer network of an organisation with a high-risk laboratory often contains sensitive information. After a cyber-attack it is important to understand what sensitive information may have been accessible. However, it is even more important to adequately shield sensitive information or not to share it via a network at all. Examples of securing sensitive information are the use of standalone computers (not connected to the network or to the internet), or encryption. Your ICT department may be able to advise you on this.

    Other relevant biosecurity pillars of good practice: awareness, management

    • Sensitive information can consist of the locations at which high-risk pathogens are stored, but also results of research on such pathogens. Leakage of sensitive information can cause reputational damage, but it can also make the organisation more vulnerable to possible misuse or theft.
    • If recent backups are not available, this can affect the availability of information and operational continuity.

    Is this scenario applicable to your organisation?
  2. A USB drive is lost

    An employee must complete a confidential report. He decides to work at home and takes sensitive information with him on a USB drive. Over time the USB drive gets lost, making sensitive information potentially accessible to unauthorised people.

    Many organisations offer possibilities for working from home or flex working. This underlines the importance of secure transferability of data (hardcopies, USB drives, shared folders, remote access). Especially for sensitive information, it is important that data is well protected, for example by means of encryption, or with additional layers of security during remote access.

    Other relevant biosecurity pillar of good practice: awareness

    • When sensitive information is not 'transported' correctly, there is a possibility that it will unintentionally become available to third parties due to negligence or theft.

    Is this scenario applicable to your organisation?
  3. Authorised access only

    During a conference you want to discuss your recent research results with a colleague. You open a presentation on your laptop, which happens to be connected to an unsecured Wi-Fi network.

    By using unsecured networks, sensitive information can become accessible to unauthorised persons.

    Other relevant biosecurity pillar of good practice: awareness

    • A wireless network is vulnerable to interception of wireless communication.
    • Mobile devices are also vulnerable to theft or loss, as a result of which the stored data can fall into unauthorised hands.

    Is this scenario applicable to your organisation?
  4. Sending confidential information via email

    As part of an international collaboration, in which experiments are carried out in a high-risk laboratory at BSL-3 level, techniques and results are mainly communicated via email. This is done with colleagues both within and outside the organisation.

    To send information via email, it is advisable to first check whether the information in question is classified. In addition, it is important to check whether both the sender and the receiver use a secure mail server. If there is a specific classification, or if the mail server is not sufficiently secure, then you should consider sending the information by courier.

    Other relevant biosecurity pillar of good practice: awareness

    • Failure to comply with prevailing legislation.
    • Reputational damage and operational risk.
    • Data leaks.

    Is this scenario applicable to your organisation?