Information Security Principle 1


Principle 1 - Analysing the Protection of Your Information and then Applying Controls

The first principle of information security is to analyse how your information is protected, and then apply the relevant controls that will ensure it stays safe and secure.

Your information can come from many sources, including (but not limited to):

  • individuals
  • teams
  • customers
  • contractors.

Information is an extremely valuable asset. You wouldn’t let your factory just take care of itself. Your team maintains the building. You protect it. You insure it. You lock it up when it’s not being used. It’s a vital asset, so you actively look after it.

Information should be no different. It’s an investment.

Storage of information could take multiple forms including:

  • Digital (data stored on an electronic system)
  • Material (paper-based documents, whiteboards, pin boards)
  • Knowledge-based (in the minds of your employees, customers or even contractors)

Transmission of information could also occur in multiple ways, including:

  • Digitally (email, Dropbox, messaging apps, social media channels)
  • Physically (by post, by courier, or personally delivered to a team member or customer)
  • Verbally (at meetings with employees, or casually mentioned across the office)

Once you have listed all the relevant details about your information (where it comes from, how it is stored and how it moves), you can analyse it further with a risk assessment, which involves identifying the risks associated with each piece of information. Analysing these risks gives you a clear understanding of what harm could be inflicted on the business if that information is compromised.

With that understanding, you then evaluate each risk against a defined set of risk criteria (for example, a maximum likelihood and impact rating you are prepared to tolerate) to determine whether the risk is acceptable to your business or not. At this point it can be quite confronting to suddenly see clearly the gaps and weaknesses in your current system.

The next step is to implement controls that will ensure your information continues to be well protected. Examples of such controls include:

  • Managing data on a fully redundant hardware platform where there is no single point of failure.
  • Using hard disks that can be hot-swapped (a technician can replace a faulty drive while the storage system is still running, without data loss).
  • Ensuring your building has 24/7 alarm monitoring.

Finally, you have to monitor, maintain and improve the effectiveness of the controls. Information needs and demands change over time and with technology, so maintenance of the controls is an absolute must.
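The four steps described above (list the information and how it is stored and transmitted, identify and rate the risks, evaluate them against risk criteria and record controls, then check that the controls are still being reviewed) can be captured in a small risk register. The following is an added worked example, not code from the original page or from Learn QHSE. The asset, the threat catalogue, the likelihood values, the control review dates and the risk appetite of 4 are all constructed for this illustration; a real assessment would use the organisation's own criteria.

```python
"""Constructed information-asset risk register illustrating the four steps of Principle 1."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class InformationAsset:
    name: str
    source: str                     # individual, team, customer or contractor
    storage: tuple[str, ...]        # "digital", "material", "knowledge"
    transmission: tuple[str, ...]   # "email", "post", "verbal"
    impact: Level                   # harm to the business if the information is compromised


@dataclass
class Control:
    name: str
    last_reviewed: date


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: Level
    impact: Level
    controls: list[Control] = field(default_factory=list)

    @property
    def rating(self) -> int:
        """Likelihood x impact, from 1 (low/low) to 9 (high/high)."""
        return int(self.likelihood) * int(self.impact)


# Hypothetical threat catalogue keyed by the storage and transmission forms the page lists.
# Likelihood values are constructed for this example, not taken from any standard.
THREATS: dict[str, list[tuple[str, Level]]] = {
    "digital":   [("drive failure or malware destroys the stored copy", Level.MEDIUM)],
    "material":  [("document on a desk or whiteboard is read by a visitor", Level.MEDIUM)],
    "knowledge": [("the only person who knows it leaves the business", Level.HIGH)],
    "email":     [("message is sent to the wrong recipient", Level.MEDIUM)],
    "post":      [("document is lost or opened in transit", Level.LOW)],
    "verbal":    [("conversation in the open office is overheard", Level.HIGH)],
}

RISK_APPETITE = 4  # hypothetical criterion: any rating above 4 is unacceptable and must be treated


def identify_risks(asset: InformationAsset) -> list[Risk]:
    """Identify: one risk per catalogue threat matching how the asset is stored or transmitted."""
    risks: list[Risk] = []
    for form in asset.storage + asset.transmission:
        for threat, likelihood in THREATS.get(form, []):
            risks.append(Risk(asset.name, threat, likelihood, asset.impact))
    return risks


def evaluate(risks: list[Risk], appetite: int) -> list[tuple[Risk, bool]]:
    """Evaluate: compare each rating against the risk criterion; True means acceptable."""
    return [(risk, risk.rating <= appetite) for risk in risks]


def treatment_needed(risks: list[Risk], appetite: int) -> list[Risk]:
    """Treat: unacceptable risks that still have no control recorded against them."""
    return [risk for risk, ok in evaluate(risks, appetite) if not ok and not risk.controls]


def overdue_controls(risks: list[Risk], today: date, max_age_days: int) -> list[str]:
    """Monitor: names of controls whose last review is older than the allowed interval."""
    return [c.name for risk in risks for c in risk.controls
            if (today - c.last_reviewed).days > max_age_days]


def build_register() -> list[Risk]:
    """Constructed register for one asset: customer pricing held on a server and in staff heads."""
    pricing = InformationAsset(
        name="customer pricing schedule", source="customers",
        storage=("digital", "knowledge"), transmission=("email", "verbal"), impact=Level.HIGH,
    )
    risks = identify_risks(pricing)  # order: digital, knowledge, email, verbal
    # Two controls already exist; the knowledge and email risks are still untreated.
    risks[0].controls.append(Control("redundant storage with hot-swappable disks", date(2024, 1, 15)))
    risks[3].controls.append(Control("pricing discussed only in closed meeting rooms", date(2023, 6, 1)))
    return risks


if __name__ == "__main__":
    register = build_register()
    for risk, ok in evaluate(register, RISK_APPETITE):
        print(f"{risk.rating}  {'accept' if ok else 'TREAT '}  {risk.threat}")
    print("untreated:", [r.threat for r in treatment_needed(register, RISK_APPETITE)])
    print("overdue reviews:", overdue_controls(register, date(2024, 6, 1), 365))
```

Running the script lists all four risks as needing treatment (each scores 6 or 9 against an appetite of 4), shows the two that still have no control, and flags the meeting-room control as overdue for review, which is the point of the final "monitor and maintain" step: a control recorded once and never revisited gives no assurance that it still works.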

Your organisation will be at its most efficient when accurate and complete information is available in a timely manner to those with an authorised need.
