
subject: How Secure Is Your Information?


Businesses are dealing with more and more data. As the quantity of information increases, so does the obligation to provide a system of controls and measures to ensure its security.

A poorly constructed information security system can lead to all manner of threats to an organisation's reputation and operations as well as to its legal, financial and strategic security.

By contrast, a well constructed information security system builds confidence and trust in an organisation. One of the most effective ways of ensuring that security controls are sufficient to withstand the threats an organisation faces is to align them with an international security standard such as ISO 27001.

One of the first steps in satisfying ISO 27001 is for an organisation to conduct an information security risk assessment. Its findings are then used to select appropriate controls and measures within an information security management system (ISMS).

This involves a thorough risk analysis of the current and future information handled by an organisation and of the systems used to store, process, distribute and delete that data. It comprises three basic stages:

Stage 1 - Information gathering and identification

The first stage is to develop a detailed knowledge of current information assets. An organisation needs to ask itself "what assets do we have, and how are we storing, processing, distributing and deleting them?"

The resulting list should include technical information such as network maps, hardware and software inventories, databases, files and processing arrangements.

Then there is the non-technical information to consider. Policies, standards and procedures for physical security, personnel security, contracts and a host of other similar documents all need recording.

To be really thorough this information audit should also include an analysis of how the information flows internally and externally.

Stage 2 - Information analysis

Once an organisation has a clear idea of its information assets and systems, the next stage is to:

a) Classify and rank their information assets and systems.

This includes an assessment of their function, importance and sensitivity. To help carry out this task it is a good idea to adopt some form of information classification that identifies and ranks data, systems and applications. This aids consistency and helps focus resources in a structured manner.

b) Assess threats and vulnerabilities.

The next step is to identify threats and vulnerabilities within current information systems.

Threats endanger the confidentiality, integrity or availability of information. Vulnerabilities are weaknesses in the information system and its controls that a threat can exploit, leading to disclosure, misuse, tampering or destruction. A risk exists wherever a threat can act on a vulnerability in a named asset; it is these threat-vulnerability pairings that the final stage rates.

Stage 3 - Risk rating

The final stage of an information security risk assessment is to rate each risk.

Considerations for rating a risk should include a) the likelihood of it materialising, b) the sensitivity and importance of the information concerned and c) the impact that any corruption, loss or leak of that information would have on the organisation.
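The three stages above are usually recorded in a risk register. The following is an added example, not part of the original article, showing how such a register can be operationalised: a Stage 1 inventory of assets with owners, a Stage 2 classification scheme and threat-vulnerability pairings, and a Stage 3 rating of likelihood times impact on a 5x5 matrix, ranked highest first. The four-tier classification scheme, the 1..5 likelihood and consequence scales, the treatment threshold of 10, the rule that a confidentiality breach is rated at least as high as the asset's classification, and the sample assets and risks are all assumptions for the example; the article prescribes none of them.

```python
"""Worked ISO 27001-style risk register (added example; scales are assumed)."""
from dataclasses import dataclass, replace

# Stage 2a: an information classification scheme. Four tiers mapped to 1..4
# (assumed for this example; the article does not prescribe a scheme).
CLASSIFICATION = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Stage 3: qualitative scales for likelihood and consequence, mapped to 1..5
# (assumed; any consistent ordinal scale would do).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Scores at or above this value go forward to risk treatment (assumed threshold).
TREATMENT_THRESHOLD = 10


@dataclass(frozen=True)
class Asset:
    """Stage 1 inventory entry: what the organisation holds and who owns it."""
    name: str
    classification: str  # key of CLASSIFICATION
    owner: str


@dataclass(frozen=True)
class Risk:
    """Stage 2b: a threat exploiting a vulnerability in a named asset."""
    asset: str          # must match an Asset.name in the inventory
    threat: str
    vulnerability: str
    affects: tuple      # which of "C", "I", "A" the threat endangers
    likelihood: str     # key of LIKELIHOOD
    consequence: str    # key of CONSEQUENCE
    score: int = 0      # filled in by build_register


def impact(asset: Asset, risk: Risk) -> int:
    """Impact combines the assessor's consequence rating with the asset's
    sensitivity: a confidentiality breach of data classified at level n is
    rated at least n on the 1..5 impact scale, so a leak of "restricted"
    data cannot be scored below "major" however optimistic the assessor.
    (Assumed rule, typical of classification-driven schemes.)"""
    base = CONSEQUENCE[risk.consequence]
    if "C" in risk.affects:
        base = max(base, CLASSIFICATION[asset.classification])
    return base


def rate(asset: Asset, risk: Risk) -> int:
    """Risk score = likelihood x impact, i.e. a cell of a 5x5 risk matrix."""
    return LIKELIHOOD[risk.likelihood] * impact(asset, risk)


def build_register(assets: dict, risks: list) -> list:
    """Score every risk against the inventory and rank highest first.
    A risk that names an asset missing from the Stage 1 inventory is a
    defect in the assessment itself, so it is rejected rather than scored."""
    scored = []
    for r in risks:
        if r.asset not in assets:
            raise KeyError(f"risk references unknown asset {r.asset!r}; "
                           "complete the Stage 1 inventory first")
        scored.append(replace(r, score=rate(assets[r.asset], r)))
    # Rank by score, then by impact, so that of two equal scores the one
    # with the graver consequence is treated first.
    scored.sort(key=lambda r: (r.score, impact(assets[r.asset], r)), reverse=True)
    return scored


def needs_treatment(risk: Risk) -> bool:
    """Decide whether a rated risk crosses the (assumed) treatment threshold."""
    return risk.score >= TREATMENT_THRESHOLD


# Constructed sample inventory and risks for the example (not from the article).
ASSETS = {a.name: a for a in [
    Asset("customer-db", "restricted", "Head of Operations"),
    Asset("hr-shared-drive", "internal", "HR Manager"),
    Asset("public-website", "public", "Marketing"),
]}

RISKS = [
    Risk("customer-db", "SQL injection by external attacker",
         "legacy web app builds queries by string concatenation",
         ("C", "I"), "possible", "major"),
    Risk("public-website", "Denial of service",
         "no rate limiting or upstream filtering", ("A",), "likely", "minor"),
    Risk("hr-shared-drive", "Accidental deletion by staff",
         "no backups of the shared drive", ("I", "A"), "possible", "moderate"),
    Risk("customer-db", "Laptop theft",
         "unencrypted database exports on laptops", ("C",), "unlikely", "moderate"),
]

if __name__ == "__main__":
    for r in build_register(ASSETS, RISKS):
        flag = "TREAT" if needs_treatment(r) else "accept/monitor"
        print(f"{r.score:>2}  {flag:<14} {r.asset}: {r.threat}")
```

Two points are worth noting in the sample output. The laptop-theft risk was entered by the assessor as "moderate", but because it exposes the confidentiality of "restricted" data the classification floor lifts its impact to 4, which is exactly the kind of inconsistency a classification scheme is meant to catch. And a risk that names an asset absent from the inventory is rejected outright: Stage 3 cannot be trusted if Stage 1 was incomplete.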

Many organisations attempt their own risk assessment; however, what seems a fairly simple task at first can easily turn into a logistical nightmare. Enlisting the help of ISO 27001 professionals will make sure your information security risk assessment is a thorough and pain-free process from the start.


By: Nicola Brown



