Best Practices for the Protection of Information Assets, Part 1
This article series will discuss best practices for the protection of information assets, drawing from a wide array of sources. These articles are intended to be equally useful for a person studying for the CISA or any other reader interested in information security.
This first part, “Information Security Management (ISM),” will predominantly cover security procedures, policies, laws and compliance mechanisms, all of which are discussed with an eye to the needs of a decision-maker operating within an organization.
Information Security Management (ISM)
Information security management is probably the most important precondition for effective protection of information assets and privacy. There are several reasons for this. ISM:
- Supports security awareness and education (policies, procedures, audits, videos, training simulations, updates, enforcement of security…)
- Ensures compliance with laws, regulations and standards
- Upholds the CIA triad (Confidentiality, Integrity and Availability)
- Ensures protection of sensitive data
Commitment and support from the senior management based on well-defined, documented, and communicated roles and responsibilities is necessary for effective implementation of the ISM (IS security steering committee, executive management, security advisory group, CISO, CPO, asset/data/process owners, external parties, administrators, advisors, IT developers, IS auditors).
When making policies, ensure that:
- They exist and are enforced by management
- They are in line with the laws, regulations and privacy considerations (separation of duties is one technique that facilitates privacy among an organization’s members)
- Logs are being collected
Inventory and Classification of Information Assets
An information asset is a piece of information that is valuable to the organization. Examples of such information include personally-identifiable information (PII), intellectual property, trade secrets, financial information, board decisions and any other information of significant matter to the company.
Every piece of asset should be identified, evaluated, classified (e.g., public/private/confidential) and protected based on asset value, asset location, asset risk and sensitivity (e.g., SSN). Remember that some assets are more sensitive than others. By assigning classes/levels of sensitivity to information resources, organizations lay the foundation on which they can determine the security and access controls for each information asset.
Privacy Impact Analysis/Assessment (PIA)
An effective tool to avoid privacy issues by determining risks and processes that are the result of collecting, maintaining and distributing PII in electronic environment. A PIA concerns mainly three company’s aspects: technology, processes, and people. It ensures accountability for privacy issues and understanding privacy risks and availability of options to mitigate them.
Security Awareness Training
All personnel should undergo security training, which is, in essence, signed knowledge of security policy. Frequent training equals better odds to fight off malicious attempts to damage the integrity of your information systems.
This covers controls to protect assets, agreement on controls, legal and regulatory requirements, and safe data-disposal practices exercised by third parties.
Security Incident Response Policy
Check the procedures in place: who should deal with a potential incident? Is it a designated employee, a manager, a group of people such as CERT or CSIRT, a third party? Consider damage control measures, time to recovery, IR review mechanisms, and so on.
The standard procedure consists of several stages: planning/preparation, detection, initiation, recording, evaluation, containment, eradication, escalation, response, recovery, closure, reporting, post-incident review and lessons learned.
This concludes Part 1 of this article series on best practices for information asset protection. Our next installment will cover the implementation and monitoring of security controls, including network security, testing techniques and remote access controls. Thanks for reading.