Ensuring information security
“It's vital that your company recognizes the risks of handling sensitive and personal data.”
Data loss strikes fear in the heart of the CIO. Losing confidential data can damage customer confidence in your brand, directly impact revenues and get you into trouble with regulators, as many companies have found out to their detriment. Daniel Anastasi explains how to ensure that your data is safe.
The rise of cloud computing has put data security in the spotlight, with the Chief Information Officer (CIO), Chief Security Officer (CSO) and IT managers asking cloud service providers how they ensure information security - specifically data protection in a cloud computing environment.
However, cloud computing has not introduced a new risk; rather it has brought to the fore key and vital questions about information security, namely what important data organizations hold, where it resides and how they protect it.
Unfortunately, there are still a significant number of organizations that do little to ensure adequate data protection, which has led to continuing data breaches across all industries. Well-known consumer companies have lost critical customer data in hacking attacks and have suffered serious reputation damage by not immediately disclosing the problem to customers.
The Identity Theft Resource Center tracks all recorded breaches and identified 662 in 2010, up from 498 in 2009 - and says that many more go unreported. These breaches directly affect revenue, with the Ponemon Institute calculating the average cost of each data breach in the U.S. at $7.2 million.
In addition to reputation and revenue loss, all companies are subject to regulations and legislation around data security. These include: the European Data Protection Directive, the Swiss Data Protection Act, the USA Patriot Act and the German Federal Data Protection Act.
Instead of waiting until they have had a breach, an increasing number of companies are taking a systematic approach to ensuring that their data security protection is in place and effective. There are several methodologies available to help them do this, including COBIT, ISO 27001, Management of Risk, NIST, and the Deming Wheel.
The Deming Wheel helps managers analyze and measure identified sources of variation that cause products to deviate from a specific requirement. It mandates continuous monitoring to increase the quality of service and assure compliance. The cycle consists of four stages: plan, do, check and act, as follows.
First (plan), identify existing and forthcoming local data protection regulations and legislation, then undertake a risk assessment to understand what the regulations demand. Second (do), launch a pilot to allow your organization to understand the risks and difficulties in advance of full implementation. Third (check), assign a stakeholder who will assess the efficacy of the pilot through audit and review. Fourth (act), rectify all outstanding weaknesses identified in the previous stages.
Data protection and security is a challenging topic, and an Information Security Officer is well placed to lead the initiative. The role gives its holder a very broad and deep knowledge of the data flow inside the organization, and therefore of where sensitive data is located.
It's vital that your company recognizes the risks of handling sensitive and personal data, and a risk assessment is the way to approach this. You will need to create, implement and enforce appropriate policies, practices and procedures to avoid a data protection breach. In addition, follow the guidance of your regulatory bodies in applying their codes of practice. Finally, resolve all known issues in the servers hosting your critical data.
Daniel Anastasi is a CISA, CISM, ISO 27001 Lead Auditor, and qualified Senior Security Consultant within Global Services at Orange Business Services, where he has developed market-leading expertise. Daniel can advise organizations on security-related questions and provide Information Security Officer expertise to help them with the design and implementation of sound information security policies.