Information security can be confusing to some people; OK, maybe most people. Why is information security confusing? Maybe it’s because we miss some of the basics.
The basics of information security could be summed up by explaining the “What, Why, Who, When, and Where” of information security.
The Five Ws of Information Security are:
- What is Information Security?
- Why do you need Information Security?
- Who is responsible for Information Security?
- When is the right time to address Information Security?
- Where does Information Security apply?
- We could also include the sixth W, which is actually and “H” for How. The How is why FRSecure exists.
What is Information Security?
Fundamentally, information security is the application of Administrative, Physical, and Technical controls in an effort to protect the Confidentiality, Integrity, and/or Availability of information.
In order for us to understand this statement, we have to gain an understanding of some well-established information security concepts; Administrative Control, Physical Control, Technical Control, Confidentiality, Integrity, and Availability. We’ll start with the controls.
– Addresses the human factors of information security. Typically administrative controls come in the form of management directives, policies, guidelines, standards, and/or procedures. Good examples of administrative controls are:
Information security policies
Training and awareness programs
Business continuity and/or disaster recovery plans
Hiring and termination procedures
– Addresses the physical factors of information security. Physical controls are typically the easiest type of control for people to relate to. Physical controls can usually be touched and/or seen. They control physical access to information. Good examples of physical controls are:
Building alarm systems
– Addresses the technical factors of information security. Technical controls use technology to control access. Much of the information we use every day cannot be touched, and often times the control cannot be either. Good examples of technical controls are:
Access control lists
Why do you need Information Security?
This is sometimes tough to answer because the answer seems obvious. No? Read on.
As we know from the previous section, information security is all about protecting the confidentiality, integrity and availability of information. Answer these questions:
Do you have information that needs to be kept confidential (secret)?
Do you have information that needs to be accurate?
Do you have information that must be available when you need it?
If you answered yes to any of these questions, then you have a need for information security.
We need information security to reduce the risk of unauthorized information disclosure, modification, and destruction. We need information security to reduce risk to a level that is acceptable to the business (management). We need information security to improve the way we do business.
Who is responsible for Information Security?
This is an easy one. Everyone is responsible for information security! A better question might be “Who is responsible for what?”
First off, information security must start at the top. The “top” is senior management and the “start” is commitment. Senior management must make a commitment to information security in order for information security to be effective. This can’t be stressed enough. Senior management’s commitment to information security needs to be communicated and understood by all company personnel and third-party partners.
The communicated commitment often comes in the form of policy. Senior management demonstrates the commitment by being actively involved in the information security strategy, risk acceptance, and budget approval among other things.
Without senior management commitment, information security is a wasted effort.
Business Unit Leaders
Keep in mind that a business is in business to make money. Making money is the primary objective, and protecting the information that drives the business is a secondary (and supporting) objective. Information security personnel need to understand how the business uses information. Failure to do so can lead to ineffective controls and process obstruction.
Arguably, nobody knows how information is used to fulfill business objectives more than employees. While it’s not practical to incorporate every employee’s opinion into an information security program, it is practical to seek the opinions of the people who represent every employee. Establish an information security steering committee comprised of business unit leaders. Business unit leaders must see to it that information security permeates through their respective organizations within the company.
All employees are responsible for understanding and complying with all information security policies and supporting documentation (guidelines, standards, and procedures). Employees are responsible for seeking guidance when the security implications of their actions (or planned actions) are not well understood. Information security personnel need employees to participate, observe and report.
Third parties such as contractors and vendors must protect your business information at least as well as you do yourself. Information security requirements should be included in contractual agreements. Your right to audit the third-party’s information security controls should also be included in contracts, whenever possible. The responsibility of the third-party is to comply with the language contained in contracts.
When is the right time to address Information Security?
On the surface, the answer is simple. The right time to address information security is now and always.
There are a couple of characteristics to good, effective information security that apply here.
Information security must be holistic. Information security is not an IT issue any more or less than it is an accounting or HR issue. Information security is a business issue. A disgruntled employee is just as dangerous as a hacker from Eastern Europe. A printed account statement thrown in the garbage can cause as much damage as a lost backup tape. You get the picture. Information security needs to be integrated into the business and should be considered in most (if not all) business decisions. This point stresses the importance of addressing information security all of the time.
Information security is a lifecycle discipline. In order to be effective, your information security program must be ever changing, constantly evolving and continuously improving. Businesses and the environments they operate in are constantly changing. A business that does not adapt is dead. An information security program that does not adapt is also dead. This is just another point to stress the importance of addressing information security all of the time. Perhaps your company hasn’t designed and/or implemented an information security program yet, or maybe your company has written a few policies and that was that. When is the right time to implement and information security program? When is the right time to update your existing program? You have the option of being proactive or reactive. Proactive information security is always less expensive. Less expensive is important if your company is into making money as most are.
Where does Information Security Apply?
You may recall from our definition in “What is Information Security?”, that fundamentally information security is:
The application of Administrative, Physical, and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of information.
In order to gain the most benefit from information security it must be applied to the business as a whole. A weakness in one part of the information security program affects the entire program. Now we are starting to understand where information security applies in your organization. It applies throughout the enterprise.
Where does information security apply? It applies throughout your organization. An information security assessment will help you determine where information security is sufficient and where it may be lacking in your organization.
Hopefully, we cleared up some of the confusion. If you have questions, contact us!