Do you think information security means restrictive practices to safeguard the confidentiality of your company’s crown jewels?
Steve Watkins dispels some common misconceptions …
Why do so many organisations allow ‘security’ to get in the way of doing business?
With the increasing powers of the Information Commissioner’s Office being waved in the face of the latest unfortunate executive who was on watch when the most recent security breach occurred, it is little wonder many organisations are upping their security measures.
One fear for these organisations, and for the directors of organisations looking to prevent a security incident of their own, comes from the restrictions they associate with heightened security – a very real problem that occurs when whoever is responsible for security concentrates on safeguarding the confidentiality of your information at the expense of everything else.
The true information security professional will consider the implications of their recommendations for maintaining the availability and integrity of the information they are trying to protect, as well as safeguarding its confidentiality.
These three attributes, confidentiality, integrity and availability, are recognised as being the key values of information. Best practice in the relevant international standard suggests that a risk assessment should be undertaken focusing on the safeguarding of such information assets. It goes on to recommend that the selection and balance of security controls is prioritised in the light of that risk assessment.
By considering the consequences of the security controls that are proposed, including the effect they have on the ‘way we do things here’, as well as the benefits of safeguarding the confidentiality, integrity and availability of the information and processes you are seeking to protect, you can ensure the correct balance of controls is achieved.
This sounds quite reasonable and achievable, but when you factor in the number of issues that need to be considered, it becomes slightly more of a challenge.
As the well-publicised PA Consulting/prisoner data loss saga demonstrated, it is not just your organisation’s internal practices you need to be concerned with. Mistakes and errors in data handling within your supply chain should also be of concern.
No matter who is directly responsible for the breach, if it is your organisation that is perceived as being at fault, and is ultimately the data owner, then it is your organisation that should be determining the appropriate safeguards your contractors deploy, and then ensuring they are in place.
Once this degree of understanding has been reached, most owner-directors want to know what the solution looks like, and how they can not only benefit from good practice themselves, but demonstrate this to their clients and stakeholders. This is where the international best practice specification, ISO/IEC 27001:2005, and the related accredited certification scheme come in, providing a means for organisations to demonstrate that their information security arrangements are robust.
The process of achieving accredited certification need not be expensive, and yet, unlike the early versions of the ISO9000 Quality Management System Standard, it does give an indication of the degree of security that the certified organisation has adopted.
Surely it is worth finding out a little more about the benefits ISO27001 has to offer? There really is no big secret – simply web search on ISO27001 and see what you can find.
Steve Watkins is Director, Training & Consultancy at IT Governance Ltd (www.itgovernance.co.uk), who provide specialist services and solutions for IT governance, risk management, compliance and information security.