Information KAGE security framework

I created the Information KAGE risk management methodology to provide a high-level security framework for corporate executives and corporate information security officers, simplifying management’s process for developing an information security strategy to address information protection risks. Information KAGE is a simplified risk management methodology derived from other information security risk management frameworks to manage confidential information security risks, including corporate data and identity theft risks. The security framework simplifies the process used for developing an information security strategy, and its unique acronym makes it easy for management to remember the principal steps when building the strategy. The Information KAGE security framework can be used by companies and their corporate executives responsible for corporate information protection to create and maintain a continuous information risk management and safeguard process. Such a security framework is necessary to ensure continued protection of business confidential information, including personal information of clients and employees.

Information protection directives must always be based on current risks facing the companies and individuals. It would be naïve and unproductive to assume that once an information protection policy and strategy are developed, they are final and can be stored for future reference. Many companies make the mistake of developing information security policies without any regard for continuous risk management, communication and monitoring. An information security policy is only effective when it is developed and revised based on current risks and communicated to all employees, who must be aware of the policy in order to follow management directives for protecting confidential information.

KAGE Information Security Framework

Know – When developing an information security strategy, executives must first identify and Know what information they want to protect for their companies. For each company, business confidential information types may be different. For example, confidential information may include various trade secrets and employee or consumer personal information. Depending on the type, format or amount of information available, management must decide what information is important or rather vital to the success of their business. Each type of business information may present a varying type and amount of risk to the company. For example, a consumer personal information breach may lead to identity theft, identity fraud, and potential lawsuits. Or, the loss of a trade secret or intellectual property may result in loss of business and revenue. Therefore, for each business, management must decide what information is important to their businesses based on the risks that it might present.

Next, management must also decide and Know how they intend to protect the information. In order to develop an appropriate information protection strategy and policies, risk assessments are required to identify risks associated with corporate confidential information. Such risks may be derived from the unnecessary collection and sharing of data, lengthy retention of data, unsecured storage locations, inappropriate disposal and handling of information, as well as unauthorized disclosure and edits. Once corporate executives know what information to protect and how they want to protect it, they formally document their information protection scope and vision through security strategies, policies and standards.

Articulate – Upon documentation of the information protection scope and strategy, management must Articulate their security scope and strategy to the entire company. Communication related to the creation and revisions of the documentation can be made through e-mails and other means; however, all security documentation related to the strategy, scope, and responsibilities must be made available to all employees at all times.

Guide – Sometimes, employees have a hard time understanding and interpreting the security requirements and their purpose, and therefore management must make an effort to Guide and help employees to understand what is expected of them to help the company better secure its confidential information. As part of the communication, security guidelines can be provided to help employees implement and follow the strategy and policies. Information security guidelines are meant to provide direction for employees to follow and reach the desired security protection goals. Information security awareness training can also be developed and provided periodically to educate employees, reinforce the requirements, and confirm employees’ understanding of those requirements.

Enforce – Following the creation and communication of all relevant information security documentation related to the scope and strategy of the security efforts, management must Enforce compliance with its security directives through continuous monitoring. Enforcement and monitoring can be automated in some areas or manual in other areas. The principal goal is to ensure employees are following management strategy and directives for protecting confidential information and that security risk exposure is kept to the minimum at all times.
