Securing information has become a strategic differentiator and, in some cases, mandatory. Let's explore.
Why would I need Information Security?
- Uninterrupted functioning of the enterprise: Ransomware attacks, hacking, data theft, trojan attacks, and cyber espionage have become terms too familiar to be ignored. Ensuring data safety is now considered a strategic objective so that all information assets are secured yet available to bona fide users on time. Information security is now needed to make sure that an organization can keep functioning.
- Legal compliance: The General Data Protection Regulation (GDPR) has been mandated by the EU, while countries like Australia and Malaysia have their own versions. The USA does not have a single federal general data protection regulation. Instead, it has taken an industry-specific approach to accommodate industry-specific complexities, regulations, and use cases. The Health Insurance Portability and Accountability Act (HIPAA) deals with health-related information. The Children's Online Protection Act (COPA) mandates data regulation for children under 13. In addition, some states have come up with state-specific laws, e.g., New York's SHIELD Act and the California Customer Privacy Act (CCPA). Which of these apply to an organization depends on the geographical locations through which its data passes during the different stages of its lifecycle.
- Public confidence: Through SOX audits, information security influences what gets conveyed to the street. An organization with insufficient information security measures would be significantly impacted in terms of public confidence, which often translates into an adverse impact on its share price.
What is in the scope?
Data goes through various stages in its life cycle. Information security covers all the states data goes through:
- Creation of data: Includes collection
- Storage: Includes soft copies as well as printed copies
- Communication: Data in transit, i.e., while it is being communicated
- Usage: Entails any processing being done with the data
- Maintenance: Includes retention and archiving
- Disposition: Aimed at defensible destruction
I want to secure information. Where do I start?
With stakes so high, ensuring information security becomes imperative. The good thing is, doing this is not rocket science but a step-by-step process. Four steps for effectively securing information are as follows:
- Assess current information security landscape
- Design an information security framework applicable to the organization
- Implementation
- Periodic assessment
Are there any generally accepted principles to guide?
An information security framework usually consists of the processes, policies, and procedures applied to an organization. It aims to provide a secure environment for the organization to operate in. The focus is the CIA triad:
- Confidentiality - Information is accessible only to authorized persons
- Integrity - The information is complete and accurate
- Availability - Timely and reliable access to information
There are additional guidelines:
- Non-Repudiation - Neither the sender nor the receiver can deny having taken part in an information exchange
- Authenticity - No change has occurred to the information
- Privacy - Information is available as per privacy guidelines
- Safety - Ensure physical protection for the environment
- Due Diligence - Exercise it at each step of the information life cycle
In subsequent blog posts, we will discuss these guiding principles in detail, going over what each of them entails and the considerations an organization needs to keep in view while working on improving its information security.