Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
Information security is concerned with ensuring the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms – in relation to the risks or threats posed to that data ‘asset’.
So in English what does this mean to specific businesses and how can they make sure that they are maintaining the security of their information ‘assets’?
This is not a simple ‘one answer fits all’ question, but one thing is sure: the key to successful information security is understanding; and within a discipline that seems to epitomise ‘management speak’ through methodologies, consultants and detailed and mildly alarming ‘standards’, it is important to keep life simple.
Everything that Information Security is about is governed by one single thing – RISK (I can hear the groans already). With this in mind, whatever your approach, it must do three things:
- Assess Risk
- Control Risk
- Assess Risk
You will see first and foremost that this calls for a continuous approach or system, not for a ‘one-off’ risk assessment that will ensure security forever. The risks, like your business, change continuously, and so must your approach.
Assess. However you set about it, you must identify your ‘information assets’ and assess the risk to each in relation to confidentiality, integrity and availability. ‘Risk’ should be scored in some fashion, born of weighing the impact of such an event occurring against the likelihood that such an event would occur.
Control. The risk assessment you have now conducted should give you an idea of where the greatest vulnerabilities to your organisation exist, and in order to best protect your information assets it is critical to introduce controls that will reduce either (or both) of:
- the impact of such an event occurring
- the likelihood that such an event would occur
A simple example of such a control would be the introduction and implementation of an Information Security Policy. Depending on the complexity of the assets and the organisation, this overarching policy may be broken down into more specific controls, but all should be related to the assessed vulnerabilities. Further examples might be:
- Introducing Load Balancers in response to an assessed risk to Business Continuity based on the likelihood of high traffic loads ‘hitting’ a website and your solution failing due to such traffic levels.
- Partnering with a hosting provider with adequate physical security provisions in their datacentres based on the sensitive nature (and risk to business integrity) of the information they will store on your behalf.
- Choosing to employ a cross-datacentre failover solution in response to the assessed impact that a service-affecting disaster would have on your business integrity, thereby enabling Disaster Recovery via a Business Continuity Solution.
Assess. Once committed to the security of your information assets, it must become part of everything that you do – you must integrate it into the way that you operate; only then can you ensure constant security of your information assets. The situation, and therefore the threats, will constantly change, and to this end you must change with them.
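To make the Assess, Control, Assess cycle concrete, here is an added example (not from the original article) of a small risk register: each asset is scored per confidentiality, integrity or availability property, controls taken from the examples above reduce impact or likelihood, and the register is re-assessed afterwards. The 1 to 5 scales, the impact multiplied by likelihood score, the threshold of 10 and all asset figures are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed scales: impact and likelihood run from 1 (lowest) to 5 (highest);
# score = impact * likelihood, and 10 or more is treated as needing a control.
# These numbers are assumptions for illustration, not figures from the article.

@dataclass(frozen=True)
class Risk:
    asset: str
    property: str       # "confidentiality", "integrity" or "availability"
    impact: int         # 1..5
    likelihood: int     # 1..5

    def score(self) -> int:
        return self.impact * self.likelihood

@dataclass(frozen=True)
class Control:
    name: str
    asset: str
    property: str
    impact_reduction: int = 0      # a control lowers impact, likelihood, or both
    likelihood_reduction: int = 0

def assess(risks, threshold=10):
    """Return the risks at or above the threshold, highest score first."""
    return sorted((r for r in risks if r.score() >= threshold),
                  key=lambda r: r.score(), reverse=True)

def control(risks, controls):
    """Apply each control to the (asset, property) it targets; factors never drop below 1."""
    residual = []
    for r in risks:
        impact, likelihood = r.impact, r.likelihood
        for c in controls:
            if (c.asset, c.property) == (r.asset, r.property):
                impact = max(1, impact - c.impact_reduction)
                likelihood = max(1, likelihood - c.likelihood_reduction)
        residual.append(Risk(r.asset, r.property, impact, likelihood))
    return residual

# Constructed register and controls mirroring the article's examples.
REGISTER = [
    Risk("public website", "availability", impact=4, likelihood=4),      # 16: traffic spikes
    Risk("customer records", "confidentiality", impact=5, likelihood=2),  # 10: hosted off-site
    Risk("customer records", "integrity", impact=4, likelihood=1),        # 4: accepted as-is
]
CONTROLS = [
    Control("load balancers", "public website", "availability", likelihood_reduction=2),
    Control("cross-datacentre failover", "public website", "availability", impact_reduction=1),
    Control("hosting provider physical security", "customer records", "confidentiality",
            likelihood_reduction=1),
]
```

Calling `assess(REGISTER)` flags the two risks scoring 16 and 10; after `control(REGISTER, CONTROLS)` the residual scores are 6, 5 and 4, so a second `assess` returns nothing, and the register is kept and re-scored as the business changes.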
Organisations and businesses must be risk aware, not risk averse, and this is born of understanding what presents a risk or vulnerability to your organisation. To this end, I would suggest that no-one knows your business like you, and in order to keep information security effective, simple and cost-effective it is a waste of time, effort and money to employ individuals external to your business to instigate an information security system.
They remain your information assets, and you must understand, assess, control and coordinate their security – no one individual or organisation can do all of this for you in order to provide complete information security.