Fundamentally, information security is concerned with maintaining the integrity of an organisation’s information. To achieve this, you need to consider what that information is: in what forms it is stored, processed and transmitted, by whom, through which mechanisms and within what type of environment. These factors allow you to assess the vulnerabilities of information in its various formats and contexts, what threats are present and therefore what the risk to that information is.
When considering the risks around information stored in IT systems, these must include anything from the enterprise-level systems management environment to the USB stick on a key ring. These systems will hold information, or be capable of holding information, which should be classified by the organisation according to its sensitivity. Even devices which have no end-user storage capability, such as network devices, hold device configurations. Disclosing these to unauthorised parties might compromise the desired obscurity of the network configuration or the intellectual property of the organisation which defined the configuration in the first place.
The “wider than just IT” remit
In order to be truly effective, the scope of information security needs to incorporate other factors and information beyond the remit of IT. For example, additional consideration needs to be given to information that is stored in non-digital forms: contracts, financial documentation and HR records on paper are key information assets to the organisation and should be included in any risk assessment.
People are another part of the equation, in particular who is going to access your information: employees, contractors, customers or third parties? Once information has been read, it is transferred to a much more unpredictable storage medium: the human brain. Information that was once in a secure environment within the corporate building becomes “you’ll never guess what I’ve just read about!” on a mobile phone on a train. The reputation of your organisation is therefore an asset at risk. Once in the hands of people, your control over your information is reduced and other controls, both IT and non-IT, are required to protect the data, from encryption on portable media to awareness training.
When assessing the threats and vulnerabilities of corporate information, you also need to consider how you manage the information in a number of circumstances. This includes how you control the information assets in your company and how you ensure that your employees, contractors, customers and third parties are trustworthy enough to have the information, are trained in the importance of information protection and are bound by contractual or legal measures that protect the company from any unauthorised disclosure. You also need to consider the physical environment in which the information is held. It is counterproductive to have the most robust IT controls in place if someone can walk into an office or datacentre and simply stroll away with the information.
Respond quickly to information security threats
The ability to respond quickly to adverse events is also a key way to control and reduce risk. The more prepared you are, and the faster you can react to any event which threatens the security of information, the better equipped you will be to limit any damage and recover more quickly. Incident management and business continuity therefore go hand in hand to address this requirement at different levels. Proper business continuity preparation is essential to reduce the risk of an incident occurring, minimise the impact if it does happen and enable fast recovery back to a normal operating model. This should include personnel education and awareness, good information flows, documented processes, communication plans, crisis management and business continuity / disaster recovery exercises.
Once all these factors are included alongside the IT controls, they must be checked for compliance, which covers not only internal policies but also legal and regulatory standards. Many standards with which organisations need to comply go beyond the IT systems and focus on the information itself, such as data protection legislation. Compliance includes not only the ability to confirm that your controls meet the documented policy or standard, but also that their effectiveness in mitigating the risks (the reason the controls are there in the first place) can be appropriately measured.
The scope of information security
The scope of information security therefore includes elements such as IT operations, human resources, procurement, service management, physical security, incident management, business continuity, legal and compliance. There will be separate departments that implement and manage the controls within the organisation and it is the remit of information security to ensure that the processes they operate take into account the controls required to mitigate the risk and that cooperation is obtained for audit and compliance work. This should be in the form of a working partnership, not a dictatorship.
When you consider the integrity and availability of information in addition to its confidentiality, the scope increases further. As an example, physical security should include not just fences, locks, biometrics and CCTV, but also the physical attributes needed to maintain the availability of data. This includes measures to protect the building against environmental threats such as extreme weather, the stability of utilities such as electricity and the resilience of the cooling system in server rooms.
Security can be whatever you make it, and different models will fit different organisations. However, to properly consider all the risks to the information you need to protect, you need to think beyond IT and look at all the information that is of value to your organisation, in any format.