Information Security by Andy Taylor
- Isn’t information security something we should leave to a specialist to sort out?
- What is the difference between information and data?
- What are the risks to information security?
- What is a BIA?
- So how should we set about managing information and its security?
- Do I need both a risk assessment and a BIA?
1. Isn’t information security something we should leave to a specialist to sort out?
Information security is a business issue, first and foremost. The technical side of security is the supporting side, to be used as and when necessary. It is very important, therefore, that the initial stages of identifying the critical information, and the risks to it, are undertaken by the business with a full awareness of how the organisation operates, what is critical to it and the consequential impacts of information loss, corruption or disclosure. A specialist can advise on controls and implement them, but only the business can say which information matters and what it would cost to lose it.
2. What is the difference between information and data?
A distinction is often drawn between information and data. Usually the distinction is that data is unprocessed – the raw facts and figures gathered for some reason – whereas information is data that has been processed or combined in some way. For example, information might be composed of several data records (such as age, address, marital status and bank account details) brought together to describe a particular person. For the purposes of this topic, however, no such distinction will be drawn, and "information" will be used throughout to mean both information and data.
3. What are the risks to information security?
Some risks are common to every organisation; others will be very specific to your business. To prompt thoughts about what those risks might be, it may help to work through the STEEPLE mnemonic – Societal, Technological, Environmental (physical), Environmental (business), Political, Legal and Economic – asking, for each heading, what could cause your information to be lost, corrupted or disclosed.
4. What is a BIA?
BIA stands for Business Impact Assessment: an estimate of what it would cost the business, in money, disruption, reputation or regulatory penalty, if a given risk materialised. Having identified the risks, the options available for dealing with each risk and the cost of those options, the BIA is what lets you decide whether or not it is worth spending the money on those options. If the impact on your business caused by the risk materialising would be minimal, or at any rate less than the cost of preventing it, then it is probably a risk you can simply accept.
5. So how should we set about managing information and its security?
The process is cyclic, with six main steps, and it is continuous. It is not enough to run through it once and assume that will remain adequate as the business, its information and the threats to it change.
- Identify the information assets held by the organisation.
- Determine the vulnerabilities, threats and hence risks to those information assets.
- Calculate the business impact of those risks occurring.
- Consider the possible options for the treatment of those risks.
- Implement the best possible options for the treatment of those risks.
- Monitor the information assets, risks, impacts and treatments and refresh/review as necessary.
6. Do I need both a risk assessment and a BIA?
Yes! Together they allow your always-limited resources to be targeted at those risks with the most serious business impacts. They also give confidence to senior management, shareholders, customers and others likely to be affected by a major incident that the organisation is doing all that it can to identify and address the potential problems. If either step is skipped, there is a real likelihood that key risks will be missed, or that effort and money will be wasted on dealing with the risks that happen to be easier to manage while others, with greater business impact, are ignored.