Eleanor Stanley is Information Security Manager at Eagle Genomics. She manages and oversees the processes which ensure data security at all levels of the organisation, from handling customer data, to the protection of staff details. She speaks to us about information security in the life sciences landscape and her role at Eagle Genomics.
Q: What is your role at Eagle Genomics?
I maintain compliance with our certification for ISO/IEC 27001:2013, a globally recognised standard which demonstrates effective management of security risks to information held by an organisation. It’s all about the documentation of policies and procedures, maintaining those policies (which is the biggest challenge) and demonstrating that we actively follow them. When Eagle Genomics is audited for information security I have to make sure all our documentation reflects best practice, due diligence and shows that we are following our own processes.
The beauty of working in information security is that you get to talk to everybody! I have to approach everyone, from the Chief Executive Officer to our newest bioinformatics apprentice, to make sure they understand our information security procedures. These processes are not only crucial for looking after customer data but also maintaining the security of our internal organisational data, from marketing data to staff payroll.
As Information Security Manager I also carry out disaster scenario testing where I ask individual members of staff situational questions and record their responses. Carrying out these tests provides me with outcomes which can be actioned to enable continuous improvement of our data security.
In some respects my day is making sure that nothing gets forgotten as information security has a broad remit across the entire organisation. There are lots of moving parts to keep track of!
Q: Why is information security important and what role does it play in enabling the work of Eagle Genomics?
Information security preserves the confidentiality, integrity and availability of the information assets of Eagle Genomics. In terms of integrity this means we ensure the data we use is never accidently lost, destroyed or edited and is always available in its complete form. With regards to availability we make sure that, when providing a service to a customer, the appropriate data is always accessible to authorised users. Additionally, access control is vital to making sure the right people can see the right data and that no inappropriate disclosure is taking place.
A big part of information security is communication. You can’t sit in isolation, creating and editing policies and expecting everyone to read and comply with them. You have to effectively communicate them out and think about how you can ensure that staff engage with them, particularly as the company continues to scale and get larger. Creating personal investment in information security is essential for nurturing a positive company culture.
By having ISO/IEC 27001:2013 certification, Eagle Genomics is actively demonstrating that we can effectively protect and manage customer data. We are regularly audited against the certification; we aren’t just reviewed every three years, there is a continuous scrutiny to make sure that we aren’t slipping up. During an audit our information security controls (the criteria against which we access our data security) are reviewed by an auditor who reads through and scrutinises our documentation word-by-word, line-by-line, viewing external links and checking the versioning and editing history of the documentation - it’s a very thorough process.
As well as having the appropriate controls in place, a core activity of an Information Security Management System is risk assessment to identify and evaluate any emerging weaknesses in our processes. We carry out regular risk assessments to evaluate potential threats and vulnerabilities, evaluate their likelihood and impact and assess if our risk treatment and mitigation is effectively implemented. It definitely keeps us on our toes!
Q: Why is it important to use international standards?
The ISO/IEC 27001:2013 certification is about having an effective management system in place, it allows you to define roles, responsibilities and processes to continuously maintain and improve that system both nationally and internationally.
Working within the EU means we are always GDPR compliant, alongside our EU clients who are bound by the same data privacy principles. If we’re working with a client in the US, we require them to be compliant with the Privacy Shield, which ensures data is protected between the UK and the US.
Q: Which mechanisms are used to keep data secure at Eagle Genomics?
That’s a very complex question as there are so many different mechanisms in place, so I’ll just focus on a few of the big ones here! One of the most important considerations is incident management and business continuity plans. If a member of staff identifies that data is lost, this raises an incident. A root cause then needs to be identified in response to the incident. How did it happen? Which control was weakened? Recovery from an incident and keeping a record of what was done in order to achieve an effective recovery is essential to return to business as usual. For Eagle Genomics, restoring data from backups is a big part of this.
Encryption is another key area of data security. When data moves from one place to another we need to make sure that data is encrypted in transit and that when it’s on a device, such as a laptop, that it’s also encrypted at rest.
Risk management is also a very important part of it all; identifying the threat landscape and the attack environment we are operating in. At Eagle Genomics we are always assessing and reassessing our baseline risk level in order to establish what constitutes our ‘business as usual’ environment and to efficiently address any potential risks.Q: How does Eagle Genomics ensure that information security is suitable for all customers (scalability, custom needs etc.)?
In terms of scalability and capacity management, our use of a cloud-based system means we can safely and dynamically spin up or spin down data-storage or pipeline runs for customers on an on-demand basis.
When it comes to working with multiple customers we have tight access control to our e[datascientist] platform to always ensure the right people have the correct access to the right data at the appropriate level.
Q: What is your favourite part of your role?
I think user training is the most rewarding and fun part of my role. I train each new member of staff and continue that process throughout the life cycle of their role as it changes over time. Everyone arrives with their own understanding of information security, which can vary from no prior knowledge to experience of highly regulated companies.
Q: Tell us one thing we couldn’t find out about you from Google
I have the privilege of volunteering for a charity called Cherished Gowns UK. The charity provides items of clothing (a gown, hat, booties, blanket and a cloth nappy) to families of babies who are stillborn, miscarried or pass away shortly after birth, so they can be dressed for their funeral. All of the items provided are lovingly made by volunteers and the gowns are made from generously donated wedding dresses. I sew, knit and crochet, which keeps me busy when I have a quiet weekend at home and keeps my hands busy when sitting on a train travelling to our office in London’s Knowledge Quarter!