This is the first installment in the “Getting the Facts Right” series of articles by Lamuel Longwe. You can find the second installment here.
First of all, why should we bother about protecting data and information, and the technology that supports them? In the present-day digital economy, information is the lifeblood of an organisation: it determines profitability, survival or failure. The principle is simple: information is vital, and losing it, or losing control of it, never works in our favour.
The input, processing, output and storage of data is our starting point, and its protection is paramount. Information has to be defined, classified and given an intended purpose, and it must be stored and retrieved in a manner that meets specific standards without prejudice. The underlying principle is that information assets and the technology supporting them should be protected. Protection of information assets should encompass the key components that ensure their confidentiality (only authorised parties can read it), integrity (it is not altered without authorisation) and availability (it is there when it is needed). It is the responsibility of the organisation to ensure that its information is protected in compliance with its internal policies and procedures, the Companies Act, and its other legal and regulatory requirements, to name but a few.
Since information has become such a critical asset for the survival of any organisation, each organisation is now called upon to protect it using a variety of controls. For a start, information should be protected according to its level of risk or classification. Depending on the nature of the information the organisation handles (financial, medical or payment card data, for example), different standards prescribe the baseline protection to apply.
Firstly, organisations should put in place policies for handling and classifying data. Data should be classified, for example as Public, Confidential or Top Secret. Once such classifications are in place, controls should be applied that are commensurate with each classification level. Note that data cannot be classified if it has not been inventoried: an organisation needs to know where its data is, whether at rest or in transit, before it can decide how to protect it.
Many regulations require senior management to protect data accordingly. The objective, therefore, is for the organisation, and for the individuals delegated the responsibility to direct it, to understand the importance of information and its impact on operations and financial reporting. It is also essential for them to appreciate the legal and regulatory requirements that may affect organisational data and how the organisation's internal policies and procedures should be structured to meet them. It is their responsibility and they are accountable for it; as such they require continuous reminders, training and expert assistance on the protection of information assets.
The underlying principle for the board and management is to mandate, through action, that the security architecture (policies, procedures, controls and standards) ensures the confidentiality, integrity and availability of information and the technology supporting it. In brief, organisations should take into account the following key pointers to protect critical information:
- Information security policy;
- Risk analysis and management;
- Logical access controls;
- Network infrastructure security;
- Environmental controls;
- Physical access controls;
- Processes and procedures for information processing (confidential and non-confidential);
- Legal, regulatory and statutory requirements;
- Vulnerability and threat management;
- Information Security Awareness training.
Now that we have covered the basics, it is important that, going forward, we expand on this very important topic to ensure that we each have a clear understanding of data and information and their protection. The purpose is to inform, educate, reinforce and provide a platform where assistance may be obtained, to ensure that organisations and individuals alike are protecting information assets in a manner that is permissible and acceptable to the powers that be.
Internet-based business communications – including the transfer of files containing business-critical data – are central to most organisations’ productivity in what is a highly competitive business marketplace. Despite the important nature of these communications, there are surprisingly few options for conducting this aspect of day-to-day operations easily, securely, and with the ability to centrally manage and track the transfers.
The problem is amplified by the file size restrictions imposed by various IT platforms, and even by individual departments, which push users towards ad hoc workarounds. And that is before the security weaknesses of those workarounds inevitably rear their ugly head. These issues are well known to cyber criminals, who are only too keen to exploit the unmanaged and unsecured file transfers taking place in the corporate world.
Therefore, organisations should without fail put in place appropriate information security controls to protect data as it moves across the internet, between business partners or to other third-party providers: at a minimum, encryption in transit, authentication of both sender and recipient, verification that the file received is the file that was sent, and central logging so that every transfer can be traced.