A basic understanding of information security and compliance are fundamental to the success of thousands of organizations. Unfortunately, the two terms are far too often misunderstood and misused. What if I told you that information security, if you understand it, can be used by your organization as a competitive advantage? It’s true, but before we get there, we will need to gain an understanding of information security and compliance.
We will start our CEO Information Security Training Series out with the basics. Basic (and accurate) understanding of information security and compliance are critical to understanding how they can positively or negatively affect our respective businesses.
In this article I will provide:
- Workable definitions of information security and compliance
- Tackle common misconceptions about information security head on
- Give you ten information security principles to live (or die) by
What better place to start with a definition of compliance than with the dictionary?
com-pli-ance [kuh m – plahy – uh ns]
1. the act of conforming, acquiescing, or yielding
2. a tendency to yield readily to others, especially in a weak and subservient way
3. conformity; accordance: in compliance with orders.
4. cooperation or obedience: Compliance with the law is expected of all.
I’m a competitive guy. I try to lead my organization with courage and boldness. Words like “conforming”, “acquiescing”, and “yielding” are not words that I want to be associated with.
From a security standpoint, what is compliance? Most security-related compliance comes through legislative or administrative/regulatory law. Obviously, it is important for us to obey the law! Laws include HIPAA/HITECH, GLBA, FISMA and too many others to mention. Information security-related laws are written to apply to a large number of similar organizations and are enforced by regulators and auditors. In order for a law or mandate to apply to a large number of organizations, it has to be written with some vagueness and interpreted on a case-by-case basis (at least until adequate precedent is set).
Information security-related compliance is doing what your last auditor or regulator told you to do, based upon their interpretation of the law as it applies to you.
In other words, compliance is like doing what you are told to do by someone who does not know or care about what’s best for you, based upon their unqualified interpretation of a vague law.
Letter of the law vs. intent of the law vs. interpretation of the law
The letter of the law, pick just about any information security-related law, is fairly easy to comply with due to the law’s inherent vagueness. The problems start with interpretation of the intent. In most cases, the intent of information security-related law is to reduce the risk of unauthorized disclosure, alteration and destruction of sensitive (or regulated) information.
Interpretation is left to government agencies and regulators (auditors). If the intent of the law is to reduce risk, who knows better about risk management in my organization? Me or a regulator? I hope you answered me! If you are not in a position to answer this for yourself, then this series of articles was written specifically for you.
At the end of the day, if I can demonstrate that I manage risk well then I can also demonstrate that I am compliant. All this without being told what to do from an outside entity that doesn’t know what’s best for my company.
Information security is not anything new. In fact, information security has been around ever since we have had information to protect. Today if you ask ten people to define information security, you will probably get ten different answers! How can corporate leaders like you and me make strategic decisions about something that we cannot define? We need to start with a definition. Ready?
Information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical and technical controls.
One action; managing risks.
Three characteristics of information; confidentiality, integrity, and availability.
Three types of controls; administrative, physical, and technical.
In the simplest of terms, risk is the likelihood of something bad happening combined with the impact of the bad thing happening.
Confidentiality is keeping information secret; only allowing authorized disclosure. The opposite of confidentiality is disclosure.
Integrity is ensuring that information is accurate. Accurate information is critical to us in making sound decisions. The opposite of integrity is (unauthorized) alteration.
Information must be available when it’s needed. The opposite of availability is destruction.
These controls are used to manage the organization’s information security efforts and to address the people part of security. These types of controls include things like policies, standards, procedures, and training. Not exciting, but absolutely critical to good information security management.
Typically the controls that you can touch. These controls are designed to manage physical access to information, and include things like door locks, alarm systems and camera surveillance. It really doesn’t matter how good your antivirus software is, if someone can easily steal your server.
This is the IT part of security. Notice how the IT part of security is only one part of security and not all parts of security? Technical controls are what most people think of when they think of information security. These controls include things like firewalls, antivirus software, passwords and permissions.
So there we have it. This is our workable definition of information security.
Ten Security Principles To Live (or Die) By
Over the years information security has gained a bad rap for a number of reasons; poor definition and poor application of security are two primary reasons. Here are ten information security principles that should help us put our definition into context.
#1 – A business is in business to make money
Seems obvious, doesn’t it? How often does information security get in the way of making money? If information security gets in the way of our business making money, then we’re doing it wrong. Information security must align with business objectives. This is almost impossible for corporate leaders unless we take an active role.
#2 – Information Security is a business issue
Information security is NOT an IT issue. The technical part of information security is complementary to administrative and physical security, not exclusive.
#3 – Information Security is fun
Who actually says or thinks this is true?! It really comes down to attitude. People do not want to do anything that they see as boring or painful. If we ask someone to do something that is important to our mutual success, we should make it as enjoyable as possible.
#4 – People are the biggest risk
This has always been and will always be true. Most organizations overspend on security technology at the expense of neglecting the people part of security. Your greatest risk is probably not technology-related.
#5 – “Compliant” and “secure” are different
We shouldn’t confuse the two.
#6 – There is no common sense in Information Security
If there were, we would have better information security. This point re-emphasizes the point that people are our greatest risk.
#7 – “Secure” is relative
As you recall from our definition earlier, security is managing risks not eliminating them. We cannot reduce our risk to zero. The relativeness of security warrants ongoing measurements and comparisons.
#8 – Information Security should drive business
Identify and focus on information security benefits. Information security shouldn’t just be a cost-center.
#9 – Information Security is not one size fits all
No two organizations are exactly alike. It makes sense to copy certain things that work for other organizations, but if we expect something to work we will have to make it our own.
#10 – There is no “easy button”
So stop looking for one.
We now know that compliance and information security are two different terms and we know why. The relationship between the two is compliance (by itself) does not mean that you are managing security well; however, managing security well will mean compliance.
Getting information security right by leveraging a good definition and applying sound principles will save your organization thousands (maybe millions) of dollars. It is not something that can be entirely delegated to others because ultimate success or failure rests with us, the leaders of our respective organizations. The buck stops with us.
This article focused on the “what” about information security. Our next article (The Top 10 Things Every CEO Needs to Do) will focus on the “how” by giving us practical advice and ten fundamental information security practices that should be followed in every organization.