CogniDox and Information Security Management: A Comprehensive Guide


CogniDox and information security management

Last week we published a white paper entitled "CogniDox and Information Security Management" to our customer support site. It was written in response to questions received from our customers. To answer their questions, it had to be specific about what CogniDox does for information security. But we also found it had to be educational in a broader sense. So, we decided to publish it on our website to make it available to a wider audience.

You can find it in the Library section (under Documents) on our website or you can open/save the PDF file directly from this link.

Most companies are still unsure about the risk to their business from cyber attacks. They may read that cyber-crime costs the UK economy an estimated £19bn to £27bn every year. They see stories about lost or stolen USB drives or company laptops containing confidential data on one hand, and about sophisticated attacks by highly organised hacker gangs on the other. It can be hard to relate this wide spectrum of cyber-risk to the everyday operations of a high-tech business.

Some (wrongly) believe cyber-attacks are only a problem for large financial institutions, the military, government, or mega-corporations. Verizon publishes an annual report called the Data Breach Investigations Report (DBIR). The 2013 edition found that 62% of data breaches happened to companies with fewer than 100 employees, and that 20% of network intrusions involved manufacturing, transportation, and utility companies; the common motivation for these attacks is stealing intellectual property (IP).

One security firm, which examines the so-called 'Dark Web' for evidence, found over 100 million stolen user IDs and passwords in one month of analysis. A quick scan of our company website server logs reveals 6 suspect IP addresses probing and 32 rogue attempts to use SSH in just a one-week period. It takes just seconds for automated tools to scan your website looking for known vulnerabilities and weakly protected data. Of all websites investigated during 2012, 86% had at least one serious vulnerability. Using these, an attacker could take control of a website and gain access to user accounts and sensitive data.

What can we do about it?

You could try to lock down data storage even further, but that can deprive authorised users of legitimate access to data. With the trend among employees to 'bring your own device' (BYOD) still on the rise, it also looks like a forlorn hope. If you make it hard to access information in the official repository, it increases the odds that the information is 'temporarily' stored in Dropbox, or travels by 'SneakerNet' on a USB flash drive.

You could try to improve your security training and awareness. The Guardian newspaper recently reported a survey of media professionals in which 70% said that they had received no training against cyber attacks. But some experts believe that training is a waste of time.

You can try to spot intrusion attempts at the earliest opportunity through network intrusion detection software, so that 'mean time to detection' is minimised. The problem is that this only protects against attacks on your network. Other types of vulnerability are still a threat.

The answer is that improving security requires a number of concerted actions. Cyber-risk is a spectrum, and different security controls apply to different parts of it.

The white paper argues that the ISO/IEC 27001 information security standard currently offers the best framework for cyber security. It reviews ways of hardening IT security on Linux-based systems, and shows how applications such as CogniDox can use (and depend on) this functionality. That still leaves a major gap in solving the problems of information security. The white paper therefore concludes by demonstrating how security-related features in CogniDox can address these problems.


Tags: Compliance, Document Management and Control

Written by Paul Walsh

Paul Walsh was one of the founders of Cognidox. After a period as an academic working in user experience (UX) research, Paul started a 25-year career in software development. He's worked for multinational telecom companies (Nortel), two $1B Cambridge companies (Ionica, Virata), and co-founded a couple of startup companies. His experience includes network management software, embedded software on silicon, enterprise software, and cloud computing.
