Information KAGE Security Framework
By Henry Bagdasarian
Information KAGE is a security framework developed to simplify the information protection risk management process and to offer corporate executives and security professionals a roadmap for developing a strategy that addresses information protection risks. Information KAGE simplifies the risk management process so that all business information assets can be protected effectively.
The Information KAGE security framework is simple enough that its acronym makes the main steps of building an information security strategy easy for management to remember. Companies and the executives responsible for corporate information protection can use the framework to create and maintain a continuous information risk management and safeguard process. Such a security framework is necessary to ensure the continued protection of confidential business information, including the personal information of clients and employees.
Information protection directives must always be based on the current risks facing companies and individuals. It would be naïve and unproductive to assume that once an information protection strategy is developed, it is final and can be filed away for future reference. Many companies make the mistake of developing information security policies without any regard for continuous risk assessment, communication, and monitoring. An information security policy is only effective when it is developed and revised based on current risks and communicated to all employees, who must be aware of the policy in order to follow management's directives for protecting confidential information.
Information KAGE Security Framework
Know – When developing an information security strategy, professionals must first identify and Know what information they want to protect for their companies. Confidential information types differ from company to company; for example, confidential information may include various trade secrets and employee or consumer personal information. Depending on the type, format, or amount of information held, management must decide which information is important, or rather vital, to the success of the business. Each type of business information may expose the company to a different kind and degree of risk. For example, a breach of consumer personal information may lead to identity theft, identity fraud, and potential lawsuits, while the loss of a trade secret or intellectual property may result in lost business and revenue. Therefore, for each business, management must decide which information matters to the business based on the risks that information presents.
Next, management must also decide and Know how they intend to protect the information. In order to develop an appropriate information protection strategy, risk assessments are required to identify the risks associated with confidential information as well as the required countermeasures, such as policies, procedures, standards, and guidelines. Risks may arise from the unnecessary collection and sharing of data, lengthy retention of data, unsecured storage locations, inappropriate disposal and handling of information, and unauthorized disclosure or modification. Once executives know what information to protect and how they want to protect it, they formally document their information protection scope and vision through security strategies, policies, and standards.
Articulate – Once the information protection scope and strategy are documented, management must Articulate that scope and strategy to the appropriate parties. Communication about the creation and revision of the documentation can be made through e-mail and other means; however, all security documentation related to the strategy, scope, and responsibilities must be made available to every affected employee.
Guide – Employees sometimes have a hard time understanding and interpreting the security requirements and their purpose, so management must make an effort to Guide them and help them understand what is expected of them so the company can better secure its confidential information. As part of this communication, security guidelines can be provided to help employees implement and follow the strategy and policies. Information security guidelines are meant to give employees direction to follow in reaching the desired security protection goals. Information security awareness training can also be developed and delivered periodically to educate employees, reinforce the requirements, and confirm that employees understand them.
Enforce – Following the creation and communication of all relevant information security documentation covering the scope and strategy of the security effort, management must Enforce compliance with its security directives through continuous monitoring. Enforcement and monitoring can be automated in some areas and manual in others. The principal goal of enforcement is to ensure that employees are following management's directives and supporting the strategy for protecting confidential information, keeping security risk exposure to a minimum at all times.