Obtaining information in a quick and flexible manner is an important factor of any successful business. In many cases, information is the differentiating production factor, because obtaining the right data quickly allows you to make the right decisions in due time and, in doing so, allows you to get ahead of the competition. While that kind of information collection entails great opportunities, it also involves great risks.
Information security addresses all security aspects of information in spoken, written, electronic or any other form. Its goal is to make this information accessible to those who are entitled to it, while at the same time protecting it against loss and unauthorized access or modifications. Summarizing, we can state that those objectives are reached when:
- All information systems are available, they can be deployed when necessary, and they are able to withstand an attack or to recover from potential errors in an adequate manner (availability)
- All information is only accessible to those who are entitled to it (confidentiality)
- All information is protected against unauthorized modifications or errors so that it is and remains correct, complete and valid (integrity)
- Every electronic transaction or information exchange between companies, clients, suppliers and partners is completely reliable (reliability)
To meet these quality requirements, a good policy in terms of information security is required.
Responsibility lies with IT as well as business management
Obviously, information in organizations is often managed and processed in IT systems, and IT management carries the important responsibility of guaranteeing security in and around these systems. However, evidenced by many security incidents and recent legislation such as GDPR (General Data Protection Act), it seems that this silo approach does not suffice. A good information security policy starts with the owner of the information, the business itself. So, to achieve a well-working information security system, it is important that the business and IT management create a mutual framework within which an information security program is shaped and can be monitored.
The success of such a security plan can only be measured when clear objectives are proposed together with their corresponding metrics. Objectives and their metrics for information security have to be defined at the level of business and IT and their mutual relationship should be transparent.
Get to work
Many business managers must upskill themselves from business to IT and vice versa. After all, drawing up an effective security plan requires insight in business as well as digital strategy and processes, combined with knowledge of existing frameworks that help translate conceptual insights to a practice-oriented approach for the organization.
One of the most available practical frameworks that offers several clear guidelines for information security is COBIT (Control Objectives for Information and related technologies). COBIT merges a number of good practices for the management, surveillance and security of information security in general. Other frameworks that are often mentioned in the domain of information security are ‘ISO 27000’ and ‘The Standard of Good Practice for Information Security’. Both frameworks are very complementary to COBIT and are used as one entity to create a fitting information security policy.
Translate business to IT yourself, use existing frameworks and draw up an integrated security plan.