When we think about information security strategy, we are generally concerned with decisions about a) what information we want to protect, b) how much protection we are willing to provide given the information risk, budgets and resources, c) how do we want to provide the selected level of protection, d) how long are we going to protect the identified information, and e) who would be in charge of the information security strategy and protection.
Security professionals are usually concerned with confidentiality, integrity and availability of the information that require our attention and protection. In general, there are two categories of information that require protection within any company; business confidential information and customer personal information. Of course, one would think that collected customer private information should be considered a confidential business information that must be protected, however, in the world of information security, each piece of data or information is not always equally important to require the same level of protection as every other data. In fact, we may not even care about protecting certain information if the company management decides so based on their risk assessment.
As management decides to care about protection of certain information, the degree to which protection is provided varies depending on the level of risk. In other words, an information risk assessment is required to classify any and all data within any company to determine the appropriate level of protection. Depending on the nature of the company’s business and the industry in which it operates, information security strategy, classification and level of protection will vary based on the impact to the business or as dictated by the regulations if applicable. Once a general idea of "what needs to be protected" is established, a more thorough security risk assessment is required to determine the risk level (high, medium, or low) by addressing a) what can endanger data during the information life cycle (threat), b) what percentage or amount of the information may be threatened (vulnerability), and c) how big the damage would be (impact). Once the risk level is determined, the information security strategy may include prioritization, level of protection and decisions on the appropriate controls to be selected for the protection. The information life cycle I described was specifically intended for personal information life cycle and identity theft, however, the same philosophy can apply to all data and related information security strategy as every piece of information is created, shared and discarded at some point.
What information should we protect?
An adequate information security strategy would require a decision on what information to protect. As I indicated, there are generally two categories of information we must be concerned about, a) business confidential information including trade secrets, proprietary data and intellectual property, and b) personal information of clients and employees. Each of these categories presents various levels of risk depending on what industry our companies operate in and how much information of each category we possess. Usually, most businesses have business secrets that they need to protect, but not every company has huge amount of personal information to worry about. For example, a bank deals with a huge amount of personal information due to its inherent business model. Such information includes credit card numbers, cardholder names, social security numbers, address, phone number, and more. These are not typically the information that a spa business may possess other than charging customer credit cards for rendered services.
Business confidential information relates to any business trade secret or proprietary content and intellectual rights that if stolen and disclosed to business competitors or other interested parties, can disrupt business goals and aspirations to a great deal. For example, movies and related materials such as movie scripts stolen before, during or after a movie is produced can be used to disrupt sales or even kill a project, ultimately leading to financial losses. One good example in this area is piracy. Movie piracy is the entertainment industry’s greatest enemy and movies copied on various backup media and freely distributed while movies are still in post-production or movie theaters kill sales numbers both in the movies theater and home video areas.
Businesses must be conscious about the amount of information they develop or collect during the course of their business and be very specific about what the information is and where it resides within the organization.
How much protection is enough?
Once we identify the information that our businesses either create or collect during their business operations in the two categories (business confidential and personal information) described above, the information security strategy must be concerned about data classification and the level of protection. Such decisions are made within the company by its management as each piece of information may have a different level of importance to each company and its management. For example, a spa business may not place as much importance on protecting personal information as a bank might place.
Information security approach
Now that information is identified and importance or risk levels are defined for our business information, we need to think about how we want to protect the selected information. An information security strategy may include balanced implementation of some or all controls related to physical access, system access, authorization and approval of access to information based on business need, background checks, sharing with outside parties, information flow within operations, data retention, backup and recovery, security education and awareness training.
How long are we going to protect?
Data retention is a tricky one. Every piece of critical information that stays alive and in circulation for an unnecessary length of time contributes to additional business risk and identity theft. In fact, every piece of information that is unnecessarily collected or created (duplicate spreadsheets and files) as part of the business operations and kept alive for unnecessary length of time contributes to the overall company risks. The information security strategy must consider business needs and legal requirements when deciding how long to keep each piece of information. For example, certain data may be required to be maintained to support an ongoing litigation, therefore, such data must remain alive for as long as the litigation continues. On the other hand, duplicate data and unneeded information must be stopped from being created or collected while they are identified and discarded to reduce risks. Therefore, all information must be protected based on the company’s specific data retention requirements, which are developed, based on business needs and risk management requirements.
Who should protect?
Every one is responsible for information protection within any company.
Information security group - has typically the following high level responsibilities: a) determine security risks within the company, b) identify regulatory security and privacy requirements, c) establish a set of security polices and standards to address identified security risks and requirements, d) raise management’s awareness of identified security risks and requirements, e) evaluate operational and technological controls to ensure compliance with information security policies and standards, f) provide a system for reporting violations, g) follow-up with any reported violation of company’s security policies and standards, h) educate and train employees on information security risks, policies, standards and consequences of careless information handling, i) be a business partner by working with internal and external groups to win new business contracts and maintain existing client base, and j) maintain the information security strategy by reviewing and updating the overall security program as needed.
Business management - must decide what information they need and don’t need or what information poses the greatest risk to the company if lost, stolen, disclosed or tampered. Business management should also decide who could have access to any information and to what extent. For example, user access rights would be granted based on business need to allow either read or view and write or update capabilities. Access rights are to be reviewed by business management periodically depending on business area risks. For example, access to the payroll systems and files should be reviewed more frequently than less critical files. Management should also review its operations to ensure critical files are not unnecessarily disclosed (printed payroll files sitting in a shared printer), created, duplicated, shared, and discarded in violation of company’s privacy and information security strategy.
Information Technology management - should implement the appropriate level of security controls within a) systems that have been identified to process and store business confidential information as well as b) information technology processes, in accordance with information security strategy and directives. Information Technology must also support business management to administer system access, help identify critical business systems and data files, provide necessary access files to business management for review and approval of user access rights, provide technical capability to ensure confidentiality, integrity and availability of information.
Employees – have also certain responsibilities for the protection of business confidential information. They must educate themselves about the information security policies and standards. They should also understand and take responsibility for the consequences if they don’t follow company’s security requirements or ethical guidelines. For example, employees must not share passwords with each other or sell their company’s information to which they have access, which may lead to loss of accountability and integrity as well as identity fraud among other consequences. Employees should also support their companies’ information security, privacy and ethics processes by reporting any violations.
Return to the workplace security page from "information security strategy".