Decide How Much Protection Is Afforded


A risk analysis is needed to quantify the proper level of security based on the value of the information assets, the threats to the system and information, and the amount of harm that can be caused if they are lost, altered, or disclosed. This process should include some indication of the size and type of investment that the asset represents, the impact on the organization that the loss of the asset would represent, and the ease with which the asset may be replaced. The type and size of the threat must be evaluated, as well as the availability and effectiveness of security precautions and countermeasures. Once the whole picture is understood, informed decisions can be made.

A risk analysis is required to understand the potential impact on operations and to justify the expenditures on security. This analysis should include a thorough information resource inventory and threat assessment. Security reduces risk. To determine the level of security required, one must understand the probability of a security incident and the scope of the damage that the incident could cause.

An enterprise-wide risk analysis is required to collect all of this information. This is by no means a small task. Since everyone in the organization handles information, it requires significant support from management and involvement from individuals throughout the organization.

Value of Information Assets

Information is an important corporate asset. A company's information represents its competitive advantage. It is this intellectual property which differentiates a company from all other companies. It deserves a level of protection second only to the company's employees.

Not all information is viewed by the law as needing the same level of protection. However, much of a company's proprietary information can be just as valuable to the organization. Next to your employees, information is your most valuable resource. It is more valuable by far than the computer systems that contain it. This is the target of the professional corporate hacker.

An organization which has private information about its customers is a more likely target. This private information can be as common as credit card information or as specific as personal itineraries. Credit card theft is one of the most common types of information theft. However, the theft of more personal information, such as where a person will be, or personal or family details, is much more alarming.

Company information comes in a variety of categories. Here are some general categories, each with its own security issues.

  • Public information: Information about the company that is readily available from a number of sources.

  • Company confidential information: Information that is not to be shared with anyone outside the company.

  • Proprietary information: Information that gives the company a competitive advantage. This could be the secret recipe or business plans.

  • Personnel information: Information about employees. This could include payroll information, names, addresses, or birth dates.

You must define what the appropriate categories are for your business and then you must classify all your data by these categories. Once these categories are defined, you should develop security policies for each classification. These policies should define what is required for access, modification, and deletion, and what level and cost of security measures are required for each classification. Data classification is the first step toward data security.
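The risk analysis described at the start of this section (asset value, probability of an incident, scope of the damage, and whether the security expenditure is justified) and the classification step just described can be worked through on a small inventory. The script below is an added example and is not code from the book: the inventory, the per-classification policy table and every figure in it are constructed for illustration, and the loss model it uses (expected annual loss as asset value times the annual probability of a loss event, a safeguard being justified when the loss it removes exceeds its cost) is a common quantitative approach, not the book's own method.

```python
"""Toy risk analysis over a small information-asset inventory.

Added example, not the book's code. The inventory, policy table and figures
are constructed. The loss model (expected annual loss = asset value x annual
probability of a loss event) and the safeguard test (justified when the loss
it prevents exceeds its cost) are standard quantitative risk-analysis practice.
"""
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    PUBLIC = "public"
    CONFIDENTIAL = "company confidential"
    PROPRIETARY = "proprietary"
    PERSONNEL = "personnel"


# Hypothetical per-classification policy: who may access, modify and delete.
# Each organization defines its own; these values are illustrative only.
POLICY = {
    Classification.PUBLIC: {"access": "anyone", "modify": "data owner", "delete": "data owner"},
    Classification.CONFIDENTIAL: {"access": "employees", "modify": "data owner", "delete": "data owner with approval"},
    Classification.PROPRIETARY: {"access": "named individuals", "modify": "named individuals", "delete": "executive approval"},
    Classification.PERSONNEL: {"access": "HR and the employee", "modify": "HR", "delete": "HR with legal approval"},
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Classification
    value: float                    # what its loss, alteration or disclosure would cost
    threat_probability: float       # estimated probability of a loss event per year, 0..1
    safeguard_cost: float           # annual cost of the proposed countermeasure
    safeguard_effectiveness: float  # fraction of the expected loss the safeguard removes, 0..1

    def __post_init__(self):
        # Reject estimates that cannot be probabilities or fractions.
        for name in ("threat_probability", "safeguard_effectiveness"):
            v = getattr(self, name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {v}")
        if self.value < 0 or self.safeguard_cost < 0:
            raise ValueError("value and safeguard_cost must be non-negative")


def expected_annual_loss(asset: Asset) -> float:
    """Expected loss per year before any safeguard is applied."""
    return asset.value * asset.threat_probability


def safeguard_net_benefit(asset: Asset) -> float:
    """Loss avoided per year minus the safeguard's annual cost."""
    return expected_annual_loss(asset) * asset.safeguard_effectiveness - asset.safeguard_cost


def safeguard_justified(asset: Asset) -> bool:
    """The expenditure is justified only when it removes more loss than it costs."""
    return safeguard_net_benefit(asset) > 0


def prioritize(assets) -> list:
    """Asset names ordered by expected annual loss, highest first."""
    return [a.name for a in sorted(assets, key=expected_annual_loss, reverse=True)]


def required_controls(asset: Asset) -> dict:
    """Access, modification and deletion requirements for the asset's classification."""
    return POLICY[asset.classification]


# Constructed inventory (figures are illustrative only).
INVENTORY = [
    Asset("customer card records", Classification.CONFIDENTIAL, 500_000, 0.10, 20_000, 0.8),
    Asset("product formulation", Classification.PROPRIETARY, 2_000_000, 0.02, 30_000, 0.5),
    Asset("payroll file", Classification.PERSONNEL, 300_000, 0.05, 5_000, 0.6),
    Asset("press releases", Classification.PUBLIC, 5_000, 0.30, 1_000, 0.9),
]


if __name__ == "__main__":
    for name in prioritize(INVENTORY):
        asset = next(a for a in INVENTORY if a.name == name)
        verdict = "justified" if safeguard_justified(asset) else "not justified"
        print(f"{name:24} {asset.classification.value:22} "
              f"EAL={expected_annual_loss(asset):>10,.0f} "
              f"safeguard net={safeguard_net_benefit(asset):>+10,.0f} {verdict}")
        print("   controls:", required_controls(asset))
```

Two points the output makes that the prose only states: the asset with the highest value (the proprietary formulation) is not the one with the highest expected loss, because the probability term dominates, and a safeguard on that asset is still not justified at the assumed cost and effectiveness even though the asset is the most valuable one in the inventory.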

Threats to Information Assets

Threats are those things that have the potential to cause losses. Threats are always present. They are outside the direct control of the organization. The threats themselves cannot be eliminated, only anticipated, but safeguards can be put in place to minimize their impact. The threats to assets should be assessed (denial of service, destruction, disclosure of information, theft, and unauthorized access). The examination of threats must include a discussion of both the probable and maximum possible impact of the realization of the threat, including both direct impact and flow-on consequences.

The size and type of threats are based in part on the type of business the organization conducts and the level of technology embraced. To fully understand the threats, not only do the sources of the threats need to be examined, but one must also examine the organization as a prospective target. The malicious threat to an organization is often based on the organization's image or perceived image, or the organization's business activities and associations. Good employee and public relations can be the greatest tool to minimize malicious threats. In this area, perception is truth. That is, the truth is not as important as the perception, since it is this perception that the attacker is responding to, whether it is a disgruntled employee or an external attacker. These threats need to be recognized and understood so that appropriate security measures can be implemented to minimize the potential losses.

Information systems face a variety of threats including computer-based fraud, espionage, vandalism, accidents, natural disasters, computer viruses, and computer hackers. As the world's dependence on information continues to increase, threats become more widespread, more ambitious, and increasingly sophisticated.

Losses

The severity of loss of a specific resource depends on the importance of the resource to the organization and the timing of the loss. Information can be valuable because of what it is worth to the organization. The timing of the loss can have a dramatic impact on the cost of the loss, such as information disclosure just before important decisions are to be made, or the inability to access information systems when the information is needed.

Unauthorized access to information may represent the loss of an asset, even though the information is still available to the organization. Security requirements should vary, depending upon the importance of the particular resource. Security cannot make it impossible to suffer a loss. What it can do is reduce the likelihood and make the cost of a malicious attack prohibitive for the information gained.

To completely understand the impact that a loss will have on a business, a business impact analysis should be performed. Often there are significant downstream effects that may not be initially apparent. This information is not maintained in a vacuum. It is used for business decisions that affect the organization and its employees, partners, creditors, and competitors. Poor business decisions can have significant, far-reaching implications. There are also issues of collateral damage: the impact on things that were thought to be unrelated but, due to location or other circumstances, are affected by the incident or the response to the incident.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210