Corey Schou and Dan Shoemaker’s Information Assurance for the Enterprise: A Roadmap to Information Security addresses the breadth of issues that make up a comprehensive security system. The ethical considerations section of the book was particularly interesting in part because it reminds the reader of the responsibility and discretion that is still in the hands of the leadership of enterprises. The book also reminds us that comprehensive security involves a full understanding of all of the components and that a weakness in one component puts information at risk. I recently spoke with Schou.
What is IA and who is responsible for it?
IA is information assurance and includes everything that protects the information assets of the organization. It includes everything from computer and network security to privacy and personnel actions. The broad reach of information assurance is extended further by asking individuals to assume responsibility for the entire lifecycle. Who is responsible? We all are responsible for information all the time. We must protect the confidentiality, availability and integrity of information. Once we know that we are all responsible, it is critical to know that the most cost-effective way to protect your information is neither technology nor policy and rules . . . it is training and education. The only way you can be sure that your information is secure is if each employee knows how to protect his or her part of the information assets.
Why do many organizations not know what information they have or what threatens it?
Organizations always know what their classic assets are . . . inventory, cash, debts, etc. However, these all appear on the balance sheet or the P&L. Information does not appear in the financial accounting system; therefore, it appears to have no value. So, let’s look at it from the standpoint of the manager.
I can invest $1,000 on a new inventory control system and protect $100,000 in parts, or I can spend $1,000 to protect the information assets. That is a no-brainer. The IT manager can calculate a return on investment for the former . . . the second is a wild guess.
Securing information is a growing problem as technology allows more places to gather more information. Is information gathering technology in line with the protections needed to safeguard the information?
It is important to separate confidentiality and privacy. Organizations have an interest in confidentiality while individuals have an interest in privacy. The tension between these leads organizations to gloss over the personal. The president of an organization does not want his personal information (privacy) to be added to a large data mining activity no matter how closely held the information is. The confidentiality-privacy argument becomes much easier when one personalizes it.
Is it really possible to build an IA strategy that is continuously effective and reliable over time? If so, what are the hallmarks of the strategy?
Hallmarks of an effective IA strategy are:
1. High-level management buy-in.
2. A well-articulated organizational policy for information protection.
3. A tactical plan that is derived from this policy and that empowers individuals to act.
4. Operational flexibility that allows the organization to adapt to new threats.