Non IT Information

Paper, data storage devices, teleconferencing,
verbal conversations and more

The Non-Electronic Information Security section is a critical piece of the Information Security Vulnerabilities Assessment. In today's world of increasing cyber security threats, how a company manages other forms of information is often less scrutinized. This section of the assessment will examine the client's information security program to identify where specific vulnerabilities exist, and it will also give the assessment team a view into how committed the company is to securing information on a day-to-day basis through policy, practice and oversight.

A detailed review will be conducted to identify what information is collected via paper, data storage devices, or other non-electronic means from clients, partners and stakeholders.

Following this, focus will be centred on examining the policies and practices in place to securely process this information.

Finally, attention will also be paid to how the organization coordinates sensitive meetings, teleconferences and other verbal conversations. This information will be collected through interviews with key staff and management, reviews of company practices and other observational methods.

Some key objectives include:

Primary

  1. Identify specific vulnerabilities pertaining to how the organization processes non-electronic information.
  2. Assess the client's commitment to ensuring that strong practices for securing non-electronic information on a day-to-day basis are in place, effective, and complied with.
  3. Examine how the client manages the life cycle of the non-electronic information in its possession.

Secondary

  1. What internal policies and procedures exist to provide oversight on the handling of non-electronic information?
  2. What specific controls are in place to monitor information management?
  3. Does the client have an effective information classification system in place? If so, what does it consist of?
  4. What external policy, legislative or regulatory controls drive the approach to handling non-electronic information?
  5. How well are the concepts of "Ownership", "Least Privilege" and "Need to Know" applied in practice?
  6. How effectively does the company follow suitable storage, archiving and disposal measures?
  7. What guides appropriate measures for information sharing and transmission?
  8. How does the client approach security of information relating to meetings and travel?
  9. Does the client have a Privacy Protection Program in place and, if so, how does it link to the information security program?

Stakeholders we work with from your organization:

It is important to the data gathering process that the appropriate management and other accountable representatives attend the data gathering meetings, so that the information required to support an effective analysis is collected. It is recognized that certain client representatives may have multiple responsibilities and that position titles may vary; it is therefore critical to make prior arrangements with the Project Lead during the Introduction meeting to ensure that representatives with the following accountabilities attend this meeting:

  • Project Lead
  • Executive Responsible for Information and/or Corporate Security
  • Chief Security Officer or Manager
  • Physical Security Officers
  • Representative responsible for Privacy
  • Executive Responsible for Corporate Services
  • Policy Development
  • Sample of managers
  • Sample of staff in administrative positions