TELECOMS: Performance Telecom, Proving your data security is as good as it gets
Are you an expanding SME company starting to attract attention from big players drawn to your innovative product range? St Albans-based Performance Telecom had found a market niche developing apps for call centres. Yet it was becoming all too aware of just how much personal data such call centres handle . . .
Against a background of stringent new EU and UK personal data protection laws (GDPR and the Data Protection Act 2018) that are forcing businesses worldwide to reassess and upgrade their data security measures, the company’s next step was a no-brainer – to demonstrate to potential new clients that its own data protection measures were as good as they get.
Assign-IT’s brief: Prepare and certify against the IASME standard in information security that includes compliance with the EU’s General Data Protection Regulation (GDPR)
Meeting up with IT services company Assign-IT at a networking breakfast convinced the business to go down the IASME information security and cyber security certification route. IASME (Information Assurance for Small to Medium-sized Enterprises) is a government-recognised national standard in information security management; Assign-IT is a certification body for it and advises companies on how to prepare for certification. Once a company is certified, continuous annual reassessment follows, along with full re-certification every three years. For most SMEs it is easier to achieve than the worldwide ISO 27001 information security standard.
Most importantly, the IASME standard covers compliance with all the EU’s GDPR (General Data Protection Regulation) requirements that have now become law. Additionally, it incorporates the UK entry-level Cyber Essentials (also certifiable by Assign-IT), a national cybersecurity standard designed to protect a company’s IT infrastructure and the information within it against cyber attack.
“Our main aim was to meet some official security standards,” says Ben Checketts, Performance Telecom’s head of operations. “We needed and wanted to do something to make us look professional in the marketplace.”
‘Assign taught us the basics of how domains work’
So how did Assign-IT approach an SME of 15 staff? “There were around 10 meetings with them over several months,” says Ben. “It tended to be me and a couple of colleagues doing the bulk of the work on our side; the rest of the team weren’t really affected. As a small company we sometimes found it difficult to dedicate the resources, but Assign-IT helped us through.
“They spent much of the time teaching us the basics of how domains work. They were very knowledgeable in terms of requirements and therefore worked with us to find solutions, drawing up policies, templates, procedures and practices. They made us aware of really impractical things we were doing, and that if we continued to do things in a certain way we could be compromised.
“Assign-IT particularly helped with our risk assessment and getting the proper processes and procedures in place across our whole business. They helped us on asset registration by setting up an asset register, and in continuity management which I saw as a big plus in their work. As an organisation we did not have everything in one place, it was all scattered, so working with them helped us realise the full scope of our business.”
‘Assign-IT really went above and beyond’
Ben singled out Assign-IT’s collaborative approach. “I remember sitting down with them and saying we as a company were struggling to meet deadlines for certification before we were due to give client presentations – then they came in next week and said we’ll work with you on that. They really went above and beyond when they helped us decommission a domain server and replace it with another to meet the certification standards.”
Operations manager Tom Carter says: “Assign-IT made a real difference when they spent a lot of time teaching us the basics of how domains work, giving us pointers using best practice principles, and saying why certain approaches weren’t working in key areas. They helped implement the migration to a new domain controller, which required expertise I didn’t have.
“The domain controller is the single most important computer on the network and allows computers to speak to each other – it allows users access via passwords to a number of computer resources. Putting a new one in is a delicate task because there’s only one and it’s very, very tricky to set up. They saved us a lot of time – plus the cost of getting someone else in to do it!”
What happens if the offices burn down?
Any surprises? “It was realising just how many elements of the business there are,” says Ben. “So many things came up – there was the changeover to risk management and risk assessment … dealing with business continuity (eg what happens if the offices burnt down), getting policies in place and raising staff awareness so everyone knows what is going on.”
In fact, teaching played a key role in guiding Performance Telecom towards gaining and then maintaining IASME certification. “To operate on the privacy by design principle is one of the key objectives of GDPR; look what happened with Facebook and Cambridge Analytica,” explains Assign-IT’s commercial director, Dave Privett. “So, the first thing they need to do is a data protection impact assessment, which we’ve now taught them how to do themselves and document. It’s a mini risk assessment against the rights and freedoms of the individual for anything they plan to do with that person’s information, whether it’s enhancements to existing products or creating new services.
‘We’d certainly go back to them – we value what they say’
“They can talk to potential clients about their data protection and information security policies and emphasise the need to show to data protection authorities that our clients themselves have carried out the necessary due diligence if a breach ever happens.”
Final verdict? “We do have our own in-house expertise so we would not need to see Assign-IT every month,” says Ben. “But if we have a specific technical requirement that might need new infrastructure or there are further attached GDPR requirements, we’d certainly go back to them – we value what they say.”