Where is the information in ‘Information Security’? 

Businesses have forgotten why they are trying to protect their systems.

Information Security is synonymous with information systems security, but no attention is being placed on the information itself.

Bringing information back to the forefront of our thinking, and understanding what we are trying to secure, is one of the most important aspects of information security, followed by why and how the loss of information can impact a business.

How can we possibly allocate security budgets and resources if we don’t understand what information the business is trying to protect?

Information is one of the most important assets of a business. 

Yet many businesses don’t know what information assets they have, their value to the business or importantly the value of the information to others.  Information assets should be accounted for in the same way other assets are accounted for – you know how many staff you have and where they are working, you know how many computers you have and whether they are online or offline, you know how many vehicles you have and whether they are road-worthy.  But do you know what information assets you have, where they are stored, how to access them and what protection methods you need to employ?

Without understanding what information assets you hold, where they are stored, their security classification and the importance of them to your organisation, how do you know what security measures need to be employed and what the consequences are to your business if they are inaccessible, stolen or changed.

The main threats to your systems and information assets come from:

  • Disaster events – loss of access to your systems leading to no access to your information.
    e.g. following a flood event or earthquake, damage or no access to your datacentres or workplaces.
  • Deliberate attacks – such as denial of service attacks which leads to unavailability of your information.
    e.g. an intruder consumes all the available bandwidth on your network by generating a large number of packets directed to your network.  This overloads the network and prevents you accessing your information.
  • Exploitation – This involves a direct attack, but this time it is exploiting the information you hold, rather than merely attacking the network.
    e.g. using malware (malicious software) such as spyware to covertly monitor and collect information.
  • Employee accidents and negligence – an employee has lost company information in a public place, deleted it, incorrectly shared it with another organisation or simply saved it in a location that no one else can access.

Whether your systems have been attacked by a third party, a disaster event has caused an availability issue of the system, or an employee has left a USB on the train, ultimately doesn’t matter.

What matters is knowing what the consequences are – has your information been seen by others, stolen, or changed in any way?

Ultimately, the response your organisation has to an incident will depend on the criticality of the information in question.

Information Classification Tool

Below is a simple approach that can help you understand what information you hold, where it is stored, it’s classification and how important it is to your organisation. This in turn provides you the level of information you require to determine the most appropriate security measures to protect them.

  • Conduct a Business Impact Assessment – this outlines the critical output functions and critical information assets for each business unit and lists the information systems that support these functions and information.  This way you can prioritise the systems for both security protocols and disaster recovery/business continuity protocols.
  • Identify and security classify your information assets.
  • Identify the information owner and custodian.
  • Maintain an information register so that you have access to up-to-date details on what information is stored where, and what its’ criticality to your business is.
  • Apply controls and security based on the security classification and the business impact assessment.

Does your organisation understand its critical information assets?  Do your employees understand the classification and controls placed upon those assets? Can you quantify the impact to your organisation if your information was lost, stolen, inaccessible or changed in any way?