The first principle of information security is analysing how the information is:
Your information can come from many sources, including (but not limited to):
Information is an extremely valuable asset. You wouldn’t let your factory just take care of itself. Your team maintains the building. You protect it. You insure it. You lock it up when it’s not being used. It’s a vital asset, so you actively look after it.
Information should be no different. It’s an investment.
Storage of information could take multiple forms, including:
Transition of information could also occur in multiple ways, including:
Once you have listed all the relevant details about your information, you can analyse it further with a risk assessment, which involves identifying the risks associated with each piece of information. Analysing these risks will help you gain a deep understanding of what harm could be inflicted if that data is compromised.
Once you have that understanding, you evaluate each risk against a set of risk criteria to determine whether it is acceptable to your business. At this point it can be quite confronting to suddenly see the gaps and weaknesses in your current system so clearly.
The next step is to implement controls that will ensure your information continues to be well protected. You could do this by:
Finally, you have to monitor, maintain and improve the effectiveness of the controls. Information needs and demands change over time and with technology, so maintenance of the controls is an absolute must.
Your organisation will be at its most efficient when accurate and complete information is available in a timely manner to those with an authorised need.