The principles of information security require that all reasonable care be taken to prevent inappropriate access to, or modification or manipulation of, data. In the case of the NHS, for example, the most sensitive data is patient record information.

In practice, information security is applied through three cornerstones – confidentiality, integrity and availability.

  • Information must be secured against unauthorised access – confidentiality
  • Information must be safeguarded against unauthorised modification – integrity
  • Information must be accessible to authorised users at times when they require it – availability

eMBED’s Information Security offering covers a range of services that give customers assurance that the systems and infrastructure they are using will be operated and maintained in a way that manages the risks and threats to the data held on them.

The service offering includes:

  • Information risk management process
  • Development and maintenance of an information asset register
  • Monitoring and reporting of risk treatment plans
  • Risk assessment of infrastructure and software in use and, where required, recommendation of treatment plans or mitigating controls
  • Advisory role on relevant legal, regulatory and policy compliance
  • Identification and recommendation of training
  • Development of an IS training needs analysis for staff
  • Project support, proposal review and commissioning sign-off
  • IT Security expertise
  • Monitoring of infrastructure
  • Analysis of event logging systems, highlighting risks, remedial actions and future investment options for secure operation of the infrastructure
  • Policing regulatory compliance
  • Detecting crime or unauthorised use
  • Safeguarding the integrity of the information and information systems
  • Monitoring of the asset disposal process, ensuring that all disposals are supported by certificates of destruction
  • Threat, alert and update identification, reporting and management of agreed mitigating actions
  • Ownership of audits and penetration testing results, ensuring that agreed mitigating actions are actioned by teams
  • Advisory role in the approval of content blocking and other device control policies
  • Horizon scanning for new technology and operating models to allow strategic advice to be offered
  • Incident investigation, reporting and monitoring remedial actions
  • Information security and governance policy and procedural writing and assistance