In recent months there has been a veritable downpour of media coverage about the security of your digital information. Issues such as the Heartbleed bug, a defect in Internet Explorer and the eBay database compromise have been particularly well covered. A quick review of history shows wars won and lost, and empires fallen, because of intercepted information; everyone knows that information security matters. You may not be playing for an empire, but your hard-won reputation is certainly on the line.
So how do you determine the best way to protect your and your clients’ information while at the same time taking advantage of the benefits of digital business, mobile technology and cloud storage?
Risk management techniques, traditionally applied to safety cases for major engineering projects, can be usefully applied to establish a response to a possible breach of information security and, most importantly, to define procedures for proactively managing information security.
Applying risk management to information security
Your business will have many different types of information flowing through its processes, from marketing material about your services to personnel details and future plans and strategies. Your business will probably also hold confidential information about your clients, the loss of which would have a major impact on your reputation.
These different types of information need to be handled differently: after all, you want as many people as possible to look at your marketing material, but only a few to handle the personnel files.
1. The first step in applying risk management techniques to your information security is to list the broad categories of information that you handle, for example:
- Plans and Strategies
- Client confidential information
- Bidding documents – general
- Bidding documents – specific deal
- Marketing information
Note the distinction made in the list between bidding documents in general and those for a specific deal. This distinction may be needed where a particular deal carries contractual clauses or liabilities that warrant treating its documents differently.
Take care not to make too many unnecessary distinctions, however, since this makes the process much longer and provides little additional benefit.
2. For each category of information, brainstorm the "hazards" that could result in a breach of that category. Consider different types of hazard, such as wilful release, bribery, a printout left on a train, or a stolen laptop.
3. For each category, the list of hazards is then assessed against the likelihood of each hazard occurring and the consequence if it does occur.
How likely is it that the hazard occurs? A simple scale of Unlikely/Likely/Very Likely should be applied to each hazard.
What are the consequences if the hazard did occur? On this dimension you should consider the financial and reputational impact on yourselves and, where appropriate, on your clients. Again, a simple scale of Low/Medium/Significant is sufficient in most cases.
The combination of a likelihood and a consequence is assigned a "risk" rating. This is normally plotted as a simple matrix with one cell per combination. When assigning the risk labels, consider the difference between a hazard that happens frequently with a low consequence and one that is very unlikely but would have a significant consequence if it occurred; the matrix need not be symmetric, and in most schemes the rare but severe case is rated higher, because a single occurrence could be unrecoverable.
4. The risk rating is then used to devise mitigating actions for those hazards that exceed a threshold you determine, obviously starting with those that present the highest risk.
Mitigating actions can reduce the risk in two ways: by preventing the hazard from occurring, i.e. reducing the likelihood, or by reducing the consequences if it does occur. Depending on the type of information, it may not be possible to reduce the consequences of a breach, in which case the focus is necessarily on prevention.
It is typical for a company to develop a set of standard mitigating actions for each type of information and level of risk. These actions should be included in the corporate information security policy.
An example of suitable mitigating actions for different levels of risk could be:
| Assessed risk | Mitigating actions |
|---|---|
| Low | No specific additional actions required (this assumes that basic measures such as password-protected accounts and secure storage are already in place). |
| Medium | Undertake a regular review of system logs, where available, for unexplained access. |
| High | Information secured to specific named users only. Implement a review process for granting access. Stored only on laptops with encrypted hard drives. Enhanced information security training for users. Cloud storage must be auditable and secured by multi-factor authentication. |
| Extreme | Project- or information-specific measures. Not held on laptops. Printouts shredded nightly. Printouts handled by secure courier when outside the building. |
5. The final step is to review the risk assessments regularly, considering changes in the threat landscape (such as the announcement of a new vulnerability), changes in the types of information your company handles (for example, controversial new projects) and new technology that may be available to protect your information. These changes may introduce new hazards or change a likelihood or consequence, and they may let you adopt new technology in a controlled manner, saving time and money for you and your clients.
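The five steps above, as an added worked example that is not part of the original article: a small risk register in Python that rates each hazard through a likelihood-by-consequence matrix, filters and ranks the hazards above a chosen threshold, maps each to the standard mitigating actions from the table, and models a mitigating action as a reduction in likelihood (prevention) or consequence. The matrix cells, the hazards in the register and their ratings are constructed for illustration and are assumptions, not values from the page.

```python
from dataclasses import dataclass, replace
from enum import IntEnum


class Likelihood(IntEnum):
    UNLIKELY = 1
    LIKELY = 2
    VERY_LIKELY = 3


class Consequence(IntEnum):
    LOW = 1
    MEDIUM = 2
    SIGNIFICANT = 3


RISK_LEVELS = ["Low", "Medium", "High", "Extreme"]

# Risk matrix indexed [likelihood][consequence]. The cell values are an
# assumed example. It is deliberately not symmetric: a rare hazard with a
# significant consequence is rated High, while a frequent hazard with a
# low consequence is only Medium.
RISK_MATRIX = {
    Likelihood.UNLIKELY:    {Consequence.LOW: "Low",    Consequence.MEDIUM: "Low",    Consequence.SIGNIFICANT: "High"},
    Likelihood.LIKELY:      {Consequence.LOW: "Low",    Consequence.MEDIUM: "Medium", Consequence.SIGNIFICANT: "High"},
    Likelihood.VERY_LIKELY: {Consequence.LOW: "Medium", Consequence.MEDIUM: "High",   Consequence.SIGNIFICANT: "Extreme"},
}

# Standard mitigating actions per risk level (summarised from the table).
MITIGATIONS = {
    "Low": ["No additional action beyond baseline controls"],
    "Medium": ["Regular review of system logs for unexplained access"],
    "High": ["Restrict to named users", "Access approval process",
             "Encrypted laptops only", "Enhanced user training",
             "Auditable cloud storage with multi-factor authentication"],
    "Extreme": ["Project-specific measures", "Not held on laptops",
                "Nightly shredding of printouts", "Secure courier for printouts"],
}


@dataclass(frozen=True)
class Hazard:
    category: str
    description: str
    likelihood: Likelihood
    consequence: Consequence

    @property
    def risk(self) -> str:
        return RISK_MATRIX[self.likelihood][self.consequence]


def risk_index(level: str) -> int:
    return RISK_LEVELS.index(level)


def prioritised(register, threshold="Medium"):
    """Hazards at or above the threshold, highest risk first (step 4)."""
    above = [h for h in register if risk_index(h.risk) >= risk_index(threshold)]
    return sorted(above, key=lambda h: (-risk_index(h.risk), h.category, h.description))


def plan(register, threshold="Medium"):
    """Map each hazard above the threshold to its standard mitigating actions."""
    return [(h.category, h.description, h.risk, MITIGATIONS[h.risk])
            for h in prioritised(register, threshold)]


def mitigate(hazard, *, likelihood_steps=0, consequence_steps=0):
    """Model a mitigating action as a reduction in likelihood (prevention)
    and/or consequence, clamped to the bottom of each scale, and return the
    re-rated hazard so the residual risk can be compared with the original."""
    new_l = Likelihood(max(Likelihood.UNLIKELY, hazard.likelihood - likelihood_steps))
    new_c = Consequence(max(Consequence.LOW, hazard.consequence - consequence_steps))
    return replace(hazard, likelihood=new_l, consequence=new_c)


# Constructed sample register (assumed values, not from the article).
REGISTER = [
    Hazard("Client confidential information", "Laptop stolen from car", Likelihood.LIKELY, Consequence.SIGNIFICANT),
    Hazard("Client confidential information", "Wilful release by a leaver", Likelihood.UNLIKELY, Consequence.SIGNIFICANT),
    Hazard("Bidding documents - specific deal", "Staff member bribed by competitor", Likelihood.UNLIKELY, Consequence.SIGNIFICANT),
    Hazard("Plans and Strategies", "Printout left on train", Likelihood.LIKELY, Consequence.MEDIUM),
    Hazard("Marketing information", "Printout left on train", Likelihood.VERY_LIKELY, Consequence.LOW),
]


if __name__ == "__main__":
    for category, description, risk, actions in plan(REGISTER, "High"):
        print(f"{risk:8} {category}: {description}")
        for action in actions:
            print(f"         - {action}")
    stolen = REGISTER[0]
    # Full-disk encryption does not stop laptops being stolen, but it makes
    # the consequence of the theft low, so the residual risk drops to Low.
    print("Encrypted laptop residual risk:", mitigate(stolen, consequence_steps=2).risk)
    # Prevention alone (fewer laptops leave the office) leaves the rare
    # theft just as damaging, so the rating stays High.
    print("Fewer laptops out residual risk:", mitigate(stolen, likelihood_steps=1).risk)
```

The `mitigate` comparison is the point of step 4: for the stolen-laptop hazard, reducing likelihood by one step leaves the rating at High because the consequence is unchanged, while disk encryption moves the consequence to Low and the residual risk with it. Running the register again after each policy change is step 5.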
Undertaking a review
An information security risk review can be completed in about a day by a small team and provides valuable input for dealing proactively with information security. Such a review is an important step towards demonstrating that your company follows good practice, and it will reassure your customers.
Sauve Solutions can facilitate this workshop using experienced risk professionals to assist you in defining a clear strategy for your information security.
There will always be a tension between effective information security and ease of use. Having an effective strategy for your information security is vitally important, since three things are certain:
- Your staff and clients will increasingly want information quicker, at a location and on a device of their choosing. New technologies such as cloud storage will be increasingly pervasive and invisible.
- As projects and reputations grow, valuable information will remain of interest to other parties.
- Techniques for obtaining your private information will continue to grow in sophistication.
Putting in place a framework to help you proactively manage the security of your and your clients' information will give you the confidence to use the latest technology options as a means of communication, even for sensitive information and documents.