One of my acquaintances recently raised the subject of information security. Not surprising given it’s a specialist area for Enex TestLab, but his point was that less security conscious peers and workers tend to presume that information security is the domain of IT boffins.
The theory goes something like this: people hear the word security and somehow associate it with IT. True, IT systems generally need a level of security around them, but it doesn’t follow that security is the domain of an IT practitioner. More often it is by default that the IT admin shoulders security awareness tasks, well beyond their knowledge comfort zone.
Enex TestLab tests the security of things; it’s a specialist skill. Subjects range from physical locking systems, alarm sensors, alarm panel transmission systems, paper shredders and equipment shredders, to IT systems security, firewalls, encryption, IDS/IDP, anti-malware systems and data wiping products. They’re all different security-oriented systems, but do people defer to IT when they are buying padlocks?
In reality information security is the domain of those who generate the information in the first place. Only the information creator is fully aware of the value of that information. The custodians of aggregated information repositories, be they physical paper-based files and archives or electronic records and data, may not be aware of the level of risk the organisation is exposed to if that information ends up where it shouldn’t.
So how much do those responsible for creating the information invest in ensuring its security? Do they seek out physical safes, alarm systems, locking mechanisms, and access control and identification systems (or, more realistically for IT, encryption systems, IDS/IDP and firewalls)?
Are staff trained and aware of physical or electronic threats? How long must information be retained before disposal, and (depending on its level of sensitivity) how should it be disposed of—by shredding (how fine?), wiping, degaussing or disk destruction?
More valuable information should, logically, require more security. But each piece of information, across its creation, storage and disposal, has a different associated value, and so, in theory, a different cost to secure.
In reality, most businesses take one of two approaches:
A) Make all information security the domain of IT boffins, or, B) Put all information in the same basket, so all information (even already public information) is secured in the same manner.
It’s a bit like putting everything inside the garden shed including the plants and gnomes. Some things are better left outside, only the mower and tools really need protecting.
In some instances it’s actually more akin to using a safety deposit box in a bank to keep your mower and tools in, when the garden shed would do.
A more appropriate approach would have those responsible for creating the information valuing their information and assigning it a classification according to:
This way those who are authorised to handle and store the information (and ultimately destroy it) make the most informed decision about the expenditure necessary to protect it.
This is, effectively, treating information in the same way as a physical asset, which leads me back to my acquaintance.
Information security does not start and end with IT experts, it starts with the information creator and owner and ends with the appropriate level of destruction. In between, the value of information should dictate the investment in protection—physical and electronic.
I am off to the bank to withdraw my mower, but first perhaps I need to take the lawn out of my garden shed.