
Information Assurance: Make a Perspective Adjustment; It's All About the Business

Last week I was at the Computer Security Institute 33rd Annual Computer Security Conference & Exhibition, where Chris Grillo and I also gave our post-conference seminar, "Effectively Partnering InfoSec and Privacy For Business Success". It was interesting to hear the people attending both the conference and our seminar express their concerns about information security and privacy. I am always intrigued by the differing viewpoints, not only across industries but also between those with very little experience in dealing with information security, privacy and compliance and those with a great deal of it. The shift is very noticeable: those with little experience overwhelmingly try to address primarily technical issues, while those with much experience overwhelmingly work to incorporate these issues throughout the entire enterprise and into all processes through procedures, awareness and responsibilities.

I was encouraged to hear mindsets changing from focusing primarily on tools and protecting the "network" to focusing on how to effectively protect the "information." There is a very distinct difference. Applying safeguards around specific types of information, as opposed to enterprise networks as a whole, has in many ways simplified practitioners' jobs, as they themselves have indicated, and has made their efforts more effective. This change in perspective has made them more aware of the need to identify and classify their data than they were with a technology-only perspective. They also report a pleasantly surprising shift in their business leaders, who understand the need to protect specific types of information, such as personally identifiable information (PII), far better than they ever understood denial of service attacks, firewalls, malware, and so on. In fact, one CISO I spoke with said he wished he had realized this years ago: he could have saved much time beating his head against the wall to get information security initiatives approved if he had only approached information assurance from this business-centric perspective instead of the typical network-centric one.

It should be, after all, "information" security and privacy, not "IT" security and privacy; IT is a subset of the total effective information assurance effort, even if the information assurance responsibility resides within the IT area.

I enjoyed speaking with many practitioners about the issue and challenge of simply identifying the PII they have. How do they do it? How do they inventory it and track its flow? How do they protect it in all its forms? How do they help prevent the user mistakes that can result in PII compromise? How do they make sure their business partners, to whom they have entrusted PII, have good and effective safeguards in place? And so on.

All great conversations.

One especially important topic of discussion is holding your business partners, vendors, and other entities to whom you entrust your information to a higher standard than your own organization for certain aspects of their information assurance programs. I wrote about this in September 2005 for the CSI Alert newsletter in an article titled, "Information Nannies: When outsourcing, hold data caretakers to a higher standard." When I get a few moments this week I will post it to my personal website.

Encryption was another great topic of discussion: how to do it, when to do it, where to do it, who should do it and why to do it. Basically, if your information is moving, either through a network or on human legs because it is stored on a mobile computing device or in mobile storage media, it is prudent to encrypt the PII. Then, even if the mobile device or storage media is stolen or otherwise ends up in the hands of someone who should not have it, the unauthorized parties will not be able to actually get to the information.
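To make the "encrypt PII before it travels" point concrete, here is an added example (written for this page, not code from the original post or from any product the author mentions) that seals a PII record with AES-256-GCM before it is written to a laptop or USB stick, and shows what a finder of the lost media gets without the key. The record contents, the file label and the function names are constructed for the example; the key-management assumption is that the data key lives in a key store or is wrapped by a master key, never on the same media as the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh random 256-bit AES key. Assumption for this
// example: the key is kept in a key store or wrapped by a master key and is
// never stored on the same laptop or USB media as the records it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one PII record with AES-256-GCM. A random 12-byte nonce
// is prepended to the output so the sealed record is self-contained; label
// (for instance the export file name) is authenticated but not encrypted, so
// a record copied into a different context fails to open.
func SealRecord(key, record, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, label), nil
}

// OpenRecord reverses SealRecord. Any change to the ciphertext, the nonce,
// the key or the label makes GCM's authentication check fail, so a stolen
// or tampered copy yields an error rather than plaintext.
func OpenRecord(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, label)
}

func main() {
	// Constructed sample record; not real PII.
	record := []byte("name=Jane Example;ssn=000-00-0000;dob=1970-01-01")
	label := []byte("hr-export-2006.csv")

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	sealed, err := SealRecord(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed record is %d bytes; no plaintext on the media\n", len(sealed))

	// The data owner, who holds the key, recovers the record.
	plain, err := OpenRecord(key, sealed, label)
	fmt.Printf("owner opens record: %q err=%v\n", plain, err)

	// Whoever picks up the lost USB stick has the ciphertext but not the key.
	otherKey, _ := NewDataKey()
	_, err = OpenRecord(otherKey, sealed, label)
	fmt.Println("finder without key:", err)
}
```

The design choice worth noting is authenticated encryption rather than plain encryption: GCM's tag means a record that has been altered, relabelled or decrypted with the wrong key is rejected outright, which is what you want when the media has been out of your control. The protection is only as good as the separation between key and media; a key stored alongside the ciphertext gives the finder everything.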

The bottom line is the importance of implementing information assurance activities to support and protect the business. It has been said in many different ways before, but is worth repeating, that information assurance initiatives are not activities done just for their own sake. They must be done to support and advance the business: by protecting its information assets, by complying with legal, regulatory and contractual information protection obligations, and by supporting the business brand through avoiding incidents. When you manage your information assurance program from this business-centric perspective you will find your efforts more successful, and you will also have noticeably more management support for them.

Infusing an information assurance mindset throughout your entire enterprise practices and processes will have a noticeably positive impact on improving security, privacy and compliance. Many information assurance practitioners in attendance, from a wide range of industries, attested to this.


Comments

Information security takes the most important place in Internet communication, because people more and more use computers and the internet to carry out all kinds of activities!
Information Security Awareness Training: Infosecuritylab http://www.infosecuritylab.com


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.