
Information security

  1.

    Information security is a process cycle. Risk analysis and risk management are essential components of an organisation's Information Security Management System (ISMS). The goal of an ISMS is to identify risks; once risks are identified, control measures can be prioritised and the residual risks consciously accepted. The smooth execution of the ISMS cycle is essential for effective information security management.

    To what extent does your organisation have an up-to-date information security policy?

    Information security is an essential biosecurity pillar of good practice. The ISMS cycle is important for the operational continuity of your organisation. For example, if your organisation works with personal data, you probably have to comply with national legislation. For countries within the EU, this is the General Data Protection Regulation.

    Risks

    • Failure to comply with laws and regulations, including those in the area of data protection.

    Measures

    • For a comprehensive overview of the current state of information security in your organisation, you can perform an assessment, for example against ISO 27001 (ISO 27001:2013, Information technology - Security techniques - Information security management systems - Requirements).
    • In the Netherlands, NEN 7510 (Health informatics - Information security management in healthcare) contains a description of the plan-do-check-act cycle of the ISMS (Appendix A of NEN 7510).
    • To maintain an overview of services provided by third parties to your organisation, consider contracts such as a Service Level Agreement or a service catalogue to monitor the services provided, and/or assurance reports, which provide information about risk management and the reliability of the services provided.
    • If personal data is used, the roadmap of the Dutch Data Protection Authority can help you prepare for the General Data Protection Regulation.

    Information security is an essential biosecurity pillar of good practice. The ISMS cycle is important for the operational continuity of your organisation. Establishing, implementing, monitoring, maintaining and improving the ISMS is a continuous cycle that safeguards the security of your organisation. Delegating supervisory responsibilities and ensuring accountability is also part of this cycle, as is dealing with security incidents or data leaks. If your organisation works with personal data, you probably have to comply with national legislation. For countries within the EU, this is the General Data Protection Regulation.

    Risks

    • Inability to safeguard interests such as operational continuity of the organisation.
    • Reputational damage or other risks if information security and biosecurity are not in order.
    • Failure to comply with laws and regulations, including those in the area of data protection.

    Measures

    • For a comprehensive overview of the current state of information security in your organisation, you can perform an assessment, for example against ISO 27001 (ISO 27001:2013, Information technology - Security techniques - Information security management systems - Requirements).
    • Ensure that experts from various disciplines within your organisation participate in the ISMS so that information security is safeguarded to benefit biosecurity. Consider combining expertise on high-risk pathogens, biological security and information security.
    • NEN 7510 (Health informatics - Information security management in healthcare) also contains a description of the plan-do-check-act cycle of the ISMS (Appendix A of NEN 7510).
    • To maintain an overview of services provided by third parties to your organisation, consider contracts such as a Service Level Agreement or a service catalogue to monitor the services provided, and/or assurance reports, which provide information about risk management and the reliability of the services provided.

  2.

    Information security has three areas, and 'availability and continuity' is one of them. Examples are the availability and continuity of ICT systems and of building management systems (for instance maintaining negative pressure in laboratories), but also data storage, physical security and the authorisation of spaces. When, for instance, an ICT network fails, employees must be able to continue their work as quickly as possible and dangerous situations must be avoided. Security-conscious and well-trained employees are important for restoring operations as soon as possible in the event of incidents.

    How does your organisation test and safeguard availability as part of information security?

    An important aspect is resilience of the organisation in case of incidents and calamities (see also biosecurity pillar of good practice ‘Emergency response’). Do employees know what to do in case of an incident? It is of the utmost importance that an information security incident is detected and reported, in order to restore operations as soon as possible and to prevent damage.

    Risks

    • Operational continuity cannot be guaranteed
    • Biosafety cannot be guaranteed
    • Biosecurity cannot be guaranteed

    Measures

    • Biosecurity awareness of employees is important. Train employees and practice scenarios.
    • If necessary, report incidents, theft or other matters that impede the availability or continuity of information.

    An important aspect is resilience of the organisation in case of incidents and calamities (see also key area ‘Emergency response’). It is of the utmost importance that an information security incident is detected and reported, in order to restore operations as soon as possible and to prevent damage. Do employees know what to do in case of an incident? It is important that systems are tested and that employees are qualified and trained to deal with incidents. Testing these aspects in the information security cycle is needed to identify vulnerabilities and risks and to take control measures.

    Risks

    • Operational continuity cannot be guaranteed
    • Biosafety cannot be guaranteed
    • Biosecurity cannot be guaranteed

    Measures

    • Provide additional security personnel if building management systems fail (access control, authorisation control, maintaining negative pressure in high-risk laboratories, etc.).
    • Provide backup systems such as emergency units and data backup.
    • Biosecurity awareness of employees is important. Train employees and practice scenarios.
    • If necessary, report incidents, theft or other matters that impede the availability or continuity of information.

    Your organisation is vulnerable if backup systems are lacking, putting operational continuity at risk. Backup systems are an important part of resilience in response to incidents and calamities (see also key area ‘Emergency Response’). It is of the utmost importance that an information security incident is detected and reported, in order to restore operations as soon as possible and to prevent damage. Do employees know what to do in case of an incident? It is important that systems are tested and that employees are qualified and trained to deal with incidents. Testing these aspects in the information security cycle is needed to identify vulnerabilities and risks and to take control measures.

    Risks

    • Operational continuity cannot be guaranteed
    • Biosafety cannot be guaranteed
    • Biosecurity cannot be guaranteed

    Measures

    • Provide additional security personnel if building management systems fail (access control, authorisation control, maintaining negative pressure in high-risk laboratories, etc.).
    • Provide backup systems such as emergency units and data backup.
    • Biosecurity awareness of employees is important. Train employees and practice scenarios.
    • If necessary, report incidents, theft or other matters that impede the availability or continuity of information.

  3.

    The subject of ‘integrity’ or ‘reliability’ describes the extent to which data, IT services or IT resources are correct, complete and up-to-date. As an example, authorisation systems must be correct, complete and up-to-date (see also key area ‘Physical security’). In addition, the prevention of (identity) fraud, theft, or hacking of computer systems should be taken into consideration as well.

    To what extent does your organisation have a policy to safeguard the integrity of information security?

    The information security policy regarding integrity and reliability sets out the importance the organisation attaches to integrity. This includes not only requirements for the reliability of services and software, but also what is expected of employees and who takes which roles in this process. Security-conscious, reliable and well-trained employees are essential for the continuity of your organisation.

    Risks

    • If insecure software, apps or web applications are used, third parties may gain access to your information.
    • If it is unclear where data is stored and who manages it, third parties may gain access to your information (e.g. software, apps or web applications and online data storage).

    Measures

    • Use secure software. The Open Web Application Security Project (OWASP) is a global non-profit organisation aimed at improving the security of software.
    • Provide rules and guidelines for online data storage (cloud, email, etc.).
    • Share data and information only on the 'need to know' principle.
    • Make sure that digital transmission is encrypted. Consider multifactor authentication as well.
    • The organisation can impose requirements on suppliers of services/web services with regard to addressing vulnerabilities in an application.
    • Ensure that integrity is restored as soon as possible during or after an incident.
    • Ensure that employees are reliable and ethical by sharing rules and guidelines. Train and educate them with respect to integrity and integrity awareness, dealing with social media and dealing with information carriers (USB drives, laptops, digital and paper files).
    • Ensure that employees can report or share integrity issues (anonymously if they prefer).

    The information security policy regarding integrity and reliability sets out the importance the organisation attaches to integrity. This includes not only requirements for the reliability of services and software, but also what is expected of employees and who takes which roles in this process. If not all employees are aware of this, your organisation may be vulnerable to fraud, embezzlement or theft. Security-conscious, reliable and well-trained employees are essential for the continuity of your organisation. Monitoring and supervision are necessary as well, to ensure an effective information security cycle.

    Risks

    • If authorisation systems are not up-to-date and correct, unauthorised persons may be able to access sensitive information.
    • If insecure software, apps or web applications are used, third parties may gain access to your information.
    • If it is unclear where data is stored and who manages it, third parties may gain access to your information (e.g. software, apps or web applications and online data storage).

    Measures

    • Use secure software. The Open Web Application Security Project (OWASP) is a global non-profit organisation aimed at improving the security of software.
    • Ensure that internal control and supervision are in order.
    • Provide rules and guidelines for online data storage (cloud, email, etc.).
    • Share data and information only on the 'need to know' principle.
    • Make sure that digital transmission is encrypted. Consider multifactor authentication as well.
    • The organisation can impose requirements on suppliers of services/web services with regard to addressing vulnerabilities in an application.
    • Ensure that integrity is restored as soon as possible during or after an incident.
    • Ensure that employees are reliable and ethical by sharing rules and guidelines. Train and educate them with respect to integrity and integrity awareness, dealing with social media and dealing with information carriers (USB drives, laptops, digital and paper files).
    • Ensure that employees can report or share integrity issues (anonymously if they prefer).

    The information security policy regarding integrity and reliability sets out the importance the organisation attaches to integrity. This includes not only requirements for the reliability of services and software, but also what is expected of employees and who takes which roles in this process. If not all employees are aware of this, your organisation may be vulnerable to fraud, embezzlement or theft. Security-conscious, reliable and well-trained employees are essential for the continuity of your organisation. Monitoring and supervision are necessary as well, to ensure an effective information security cycle.

    Risks

    • If authorisation systems are not up-to-date and correct, unauthorised persons may be able to access sensitive information.
    • If insecure software, apps or web applications are used, third parties may gain access to your information.
    • If it is unclear where data is stored and who manages it, third parties may gain access to your information (e.g. software, apps or web applications and online data storage).
    • Permanent and temporary employees who are unaware of information security, or who are unqualified or untrained, pose a risk for integrity and for the organisation.

    Measures

    • Use secure software. The Open Web Application Security Project (OWASP) is a global non-profit organisation aimed at improving the security of software.
    • Ensure that internal control and supervision are in order.
    • Provide rules and guidelines for online data storage (cloud, email, etc.).
    • Share data and information only on the 'need to know' principle.
    • Make sure that digital transmission is encrypted. Consider multifactor authentication as well.
    • The organisation can impose requirements on suppliers of services/web services with regard to addressing vulnerabilities in an application.
    • Ensure that integrity is restored as soon as possible during or after an incident.
    • Ensure that employees are reliable and ethical by sharing rules and guidelines. Train and educate them with respect to integrity and integrity awareness, dealing with social media and dealing with information carriers (USB drives, laptops, digital and paper files).
    • Ensure that employees can report or share integrity issues (anonymously if they prefer).

    The information security policy regarding integrity and reliability sets out the importance the organisation attaches to integrity. This includes not only requirements for the reliability of services and software, but also what is expected of employees and who takes which roles in this process. If your organisation does not have a policy, it is not only vulnerable to fraud, embezzlement or theft, but may also be vulnerable to computer hacks or computer viruses. Monitoring and supervision are necessary for the information security cycle. It is important that employees are well informed and are periodically made aware of information security. Security-conscious, reliable and well-trained employees are essential for the continuity of your organisation.

    Risks

    • If authorisation systems are not up-to-date and correct, unauthorised persons may be able to access sensitive information.
    • If insecure software, apps or web applications are used, third parties may gain access to your information.
    • If it is unclear where data is stored and who manages it, third parties may gain access to your information (e.g. software, apps or web applications and online data storage).
    • Permanent and temporary employees who are unaware of information security, or who are unqualified or untrained, pose a risk for integrity and for the organisation.

    Measures

    • Use secure software. The Open Web Application Security Project (OWASP) is a global non-profit organisation aimed at improving the security of software.
    • Ensure that internal control and supervision are in order.
    • Provide rules and guidelines for online data storage (cloud, email, etc.).
    • Share data and information only on the 'need to know' principle.
    • Make sure that digital transmission is encrypted. Consider multifactor authentication as well.
    • The organisation can impose requirements on suppliers of services/web services with regard to addressing vulnerabilities in an application.
    • Ensure that integrity is restored as soon as possible during or after an incident.
    • Ensure that employees are reliable and ethical by sharing rules and guidelines. Train and educate them with respect to integrity and integrity awareness, dealing with social media and dealing with information carriers (USB drives, laptops, digital and paper files).
    • Ensure that employees can report or share integrity issues (anonymously if they prefer).

  4.

    Identify the 'crown jewels' of the organisation (the most sensitive information) that must be protected. Confidentiality or exclusivity means that data can only be accessed by someone who is authorised to do so. By classifying this information and by restricting access to the group for which this information is necessary ('need to know'), a distinction is made in the confidentiality of information. With the help of 'labels', levels of confidentiality can be assigned to various types of information. This question is about classification in general. Question five deals specifically with dual-use research.

    How is sensitive information classified?

    Information is defined as confidential if damage occurs when this information becomes known outside the authorised group. Examples of confidential information are data on research with high-risk pathogens, data on storage locations or building management systems, and personal data. In parallel with physical security, a layered structure makes it possible to protect information, for example using classification.

    Risks

    • If information becomes public or ends up with criminals or competitors, negative consequences for the organisation may arise. Examples: financial damage, reputational damage, interrupted continuity of operations, legal consequences, or consequences for national security.
    • Failure to comply with laws and regulations, including those in the area of data protection.

    Measures

    • For non-government organisations: various NEN and/or ISO standards focused on information security are available (more information: NEN, information security). For healthcare institutions, for example, NEN 7510 (Medical IT - Information security in healthcare) describes the classification of sensitive or critical information. For other organisations there are various ISO standards (the ISO 27000 series), for example ISO 27001 (ISO 27001:2013, Information technology - Security techniques - Information security management systems - Requirements).
    • Agencies operating in the Dutch central government sector must comply with the Baseline Informatiebeveiliging Rijksdienst standard.
    • The General Data Protection Regulation is in force within the EU. Organisations that process personal data must be able to demonstrate that they comply with this regulation.
    • In parallel with physical security, it is possible to provide a layered digital structure for information security, based on classification.
    • Consider classifying ongoing research as 'confidential'/'sensitive'/'special' (with respect to patents and intellectual property) and act accordingly.

    Information is defined as confidential if damage occurs when this information becomes known outside the authorised group. Examples of confidential information are data on research with high-risk pathogens, data on storage locations or building management systems, and personal data. In parallel with physical security, a layered structure makes it possible to protect information, for example using classification. The classification of information is determined based on a risk assessment and is part of the ISMS cycle.

    Risks

    • If information becomes public or ends up with criminals or competitors, negative consequences for the organisation may arise. Examples: financial damage, reputational damage, interrupted continuity of operations, legal consequences, or consequences for national security.
    • Failure to comply with laws and regulations, including those in the area of data protection.

    Measures

    • In parallel with physical security, it is possible to provide a layered digital structure for information security, based on classification.
    • Consider classifying ongoing research as 'confidential'/'sensitive'/'special' (with respect to patents and intellectual property) and act accordingly.
    • Provide a list of positions (job titles) within the organisation and their associated competencies. Classify which data is available for which position (see also key area ‘Personnel Screening’).
    • The General Data Protection Regulation is in force within the EU. Organisations that process personal data must be able to demonstrate that they comply with this regulation.
    • Awareness-raising and training/educating employees about their rights, duties and responsibilities with regard to classified information.

    To prevent misuse, it is important that confidential information is accessible to authorised persons only. Information is defined as confidential if damage occurs when this information becomes known outside the authorised group. Examples of confidential information are data on research with high-risk pathogens, data on storage locations or building management systems, and personal data. In parallel with physical security, a layered structure makes it possible to protect information, for example by classification. Clear criteria must be developed for classification to prevent subjective application. The classification of information is determined based on a risk assessment and is part of the ISMS cycle.

    Risks

    • If information becomes public or ends up with criminals or competitors, negative consequences for the organisation may arise. Examples: financial damage, reputational damage, interrupted continuity of operations, legal consequences, or consequences for national security.
    • Failure to comply with laws and regulations, including those in the area of data protection.

    Measures

    • In parallel with physical security, it is possible to provide a layered digital structure for information security, based on classification.
    • Consider classifying ongoing research as 'confidential'/'sensitive'/'special' (with respect to patents and intellectual property) and act accordingly.
    • Provide a list of positions (job titles) within the organisation and their associated competencies. Classify which data is available for which position (see also key area ‘Personnel Screening’).
    • The General Data Protection Regulation is in force within the EU. Organisations that process personal data must be able to demonstrate that they comply with this regulation.
    • Awareness-raising and training/educating employees about their rights, duties and responsibilities with regard to classified information.

  5.

    Research and information intended for societal benefit can also be used maliciously. This is known as the dual-use aspect of research in the life sciences (see also biosecurity pillar of good practice ‘Transport security’, questions three and four). Dual-use aspects can arise gradually from research. Therefore, information security and the ISMS cycle are essential to safeguard biosecurity for organisations working with high-risk pathogens.

    How is sensitive information exchanged?

    Sharing of sensitive information is unavoidable within, and possibly between organisations. An information security policy describes secure procedures for sharing information, and these procedures are known to the employees involved. How to deal with the dissemination of dual-use research is described in key area ‘Transport security’, especially questions three and four.

    Risks

    • If sensitive information is shared in a way that is not secure, it may become accessible to unauthorised persons, with potentially severe consequences.

    Measures

    • Coordinate with the ICT department that suitable information exchange facilities are available (secure network via VPN connection, USB drives with encryption, encrypted transmission of data), and instruct employees involved on how to use them.
    • Consider classifying research as 'confidential' and ensure that employees deal with it accordingly when exchanging information.
    • Be cautious in sharing sensitive information or information about dual-use research.
    • Awareness-raising and training/educating employees about their rights, duties and responsibilities with regard to classified information.

    Sharing of sensitive information is unavoidable within, and possibly between organisations. Even when secure procedures for exchanging sensitive information are available, it is important that corresponding facilities, for example an internal file transfer server, are available as well and known to the employees involved. How to deal with the dissemination of dual-use research is described in key area ‘Transport security’, especially questions three and four.

    Risks

    • If sensitive information is shared in a way that is not secure, it may become accessible to unauthorised persons, with potentially severe consequences.

    Measures

    • Coordinate with the ICT department that suitable information exchange facilities are available (secure network via VPN connection, USB drives with encryption, encrypted transmission of data), and instruct employees involved on how to use them.
    • Consider classifying research as 'confidential' and ensure that employees deal with it accordingly when exchanging information.
    • Be cautious in sharing sensitive information or information about dual-use research.
    • Awareness-raising and training/educating employees about their rights, duties and responsibilities with regard to classified information.

    Sharing of sensitive information is unavoidable within, and possibly between, organisations. In the absence of adequate procedures, sensitive information may not be protected properly. Therefore, a security policy should specify how sensitive information can be shared, both internally and with external organisations. How to deal with the dissemination of dual-use research is described in key area ‘Transport security’, especially questions three and four.

    Risks

    • If sensitive information is shared in a way that is not secure, it may become accessible to unauthorised persons, with potentially severe consequences.

    Measures

    • Coordinate with the ICT department that suitable information exchange facilities are available (secure network via VPN connection, USB drives with encryption, encrypted transmission of data), and instruct employees involved on how to use them.
    • Consider classifying research as 'confidential' and ensure that employees deal with it accordingly when exchanging information.
    • Be cautious in sharing sensitive information or information about dual-use research.
    • Awareness-raising and training/educating employees about their rights, duties and responsibilities with regard to classified information.

  6.

    In all previous questions of this key area, biosecurity awareness and training of employees has been incorporated. However well information is secured, the behaviour of employees is very important to ensure availability, integrity and confidentiality within the organisation. Careless behaviour can lead to sensitive information being disseminated to third parties unintentionally. Therefore, it is important that employees are aware that dealing with sensitive information securely involves various aspects, such as policy, classification, access and exchange of information. Hence a concluding question about the awareness of employees.

    Are employees aware of how to deal with sensitive information?

    It is important that clear procedures are established with regard to dealing with sensitive information. In addition, employees involved must be aware of these procedures as well.

    Risks

    • If employees are not aware of how to handle sensitive information, it is possible that unauthorised persons may gain access to this information, with potentially severe consequences.
    • If employees underestimate the importance of handling sensitive information securely, unauthorised persons may gain access to this information.
    • Permanent and temporary employees who are not aware of information security, or who are not well trained, pose a risk to integrity and to the organisation.

    Measures

    • A clear information security policy with procedures regarding reliability, integrity and confidentiality is essential for handling sensitive information.
    • Ensure that new, temporary and permanent employees are informed about their rights and obligations with regard to information security, both at the start of employment and periodically thereafter. Examples of important aspects are compliance with house rules, organisational culture, habits, good practices and absolute prohibitions.
    • Provide clear explanations about handling sensitive information and integrity. Take procedures into consideration regarding employees working at home or flex workers. Are there agreements about aspects such as taking lab journals home and using shared networks?

    It is important that clear procedures are established with regard to dealing with sensitive information. In addition, employees involved must be aware of these procedures as well. Biosecurity awareness of employees involved must be enhanced by providing active instruction and information.

    Risks

    • If employees are not aware of how to handle sensitive information, it is possible that unauthorised persons may gain access to this information, with potentially severe consequences.
    • If employees underestimate the importance of handling sensitive information securely, unauthorised persons may gain access to this information.
    • Permanent and temporary employees who are not aware of information security, or who are not well trained, pose a risk to integrity and to the organisation.

    Measures

    • A clear information security policy with procedures regarding reliability, integrity and confidentiality is essential for handling sensitive information.
    • Ensure that new, temporary and permanent employees are informed about their rights and obligations with regard to information security, both at the start of employment and periodically thereafter. Examples of important aspects are compliance with house rules, organisational culture, habits, good practices and absolute prohibitions.
    • Provide clear explanations about handling sensitive information and integrity. Take procedures into consideration regarding employees working at home or flex workers. Are there agreements about aspects such as taking lab journals home and using shared networks?
