Information security requires measures to be taken with regard to physical security, human security and technical security, while maintaining the confidentiality, integrity and availability of information assets.
Confidentiality.
Ensuring that only those authorised to access information have access to information assets.
- Bind the information with a company IP and only allow access from there.
- Provide a login ID/password to allow access to the server or site management screen.
- If FTP connections are allowed, ensure confidentiality by only allowing access from specific IP addresses.
- Set IP address restrictions on the administration screen.
Integrity
Ensure that information is not destroyed, altered or erased.
- Encrypt communications on the network. (SSL)
- The latest database is consulted each time it is accessed, and information can be operated without missing or faulty data, even when operated by several people.
- Backups are carried out according to the frequency of updates.
- Access logs are obtained to manage who operated what, when and by whom.
Availability
Ensure that persons who are able to access information are able to do so without interruption when required.
- By setting up authorisation groups, information availability is achieved through access rights, so that the necessary information can be accessed by the necessary people.
- Load balancing using load balancers, etc.
Physical security
Physical measures regarding the management of communication lines and users’ computers and other equipment, e.g. in server rooms and information systems rooms.
- Prevention of theft and pilferage
- Encryption of hard disks, e.g.
- Wire-lock computers and do not take them outside. (Freelancers are likely to find it difficult, so do not use free wifi, apply shoulder hacking measures, use only from home, etc.)
- The user’s login password should be a mixture of alphanumeric characters of at least 12 characters.
- Confidential information such as passwords should not be stored on paper, etc., but should be managed in an environment that can only be accessed by the user.
Personnel Security
Establish the matters to be respected by employers with regard to information security, and provide adequate education and awareness-raising.
- Establish rules, such as procedure manuals.
- Implementation of training on information management
- Regular password changes
- Enforcement of rules on taking information out of the country
Technical security
Technical measures such as management of computers and other equipment, access control, anti-malware and anti-access measures.
- Enable firewalls and install paid antivirus software on computers accessing the site.
- Always apply the latest updates to the PCs and browsers accessing the site.
- Use Google Drive to exchange information, but limit the number of users who can access each folder and file.
- Set up two-stage authentication for all Google accounts used.
- Block the source IP address in the event of a large number of login attempts in a short period of time, such as brute-force attacks and list attacks.
- In order to prevent zero-die attacks, when important security patches are issued, they are verified and responded to as soon as possible.
Etc
Technically, a wide range of countermeasures such as SQL injection and XSS are necessary.
Information leaks are of course an external attack, but there are also many internal threats such as human error.
Technology is convenient, but IT literacy is also required on the user side.
