Understanding Information Security & Risk Management via @sejournal, @DrSScheuing


This edited extract is from How to Use Customer Data by Sachiko Scheuing ©2024 and reproduced with support from Kogan Page Ltd.

I have a highly confidential piece of information on a particular sheet of paper. This A4-sized sheet contains a list of the Christmas presents I plan to give to my family members.

To make sure that no one gets access to this information, I have hidden it in my home office, in the cupboard next to my desk. There you will find a chunky English dictionary.

When you open the page where “Christmas” is listed, you will find my precious list, carefully folded in two.

But what if my children or my other half come to look something up in an analogue dictionary? Arguably, the risk is small, but I am not taking any chances. I have a secret language called Japanese.

My family might find that piece of paper, but all they will see is タータンチェックの野球帽 and 腕時計, which are essentially hieroglyphs to them.

Thanks to this, my family enjoys wonderful moments exchanging gifts every Christmas. Just writing about this makes me smile, imagining the surprised faces and the bursts of laughter, surrounded by the green scent of the Christmas tree and the obligatory mulled wine.

This motivates me to conceal this highly sensitive information even better!

We will discuss how companies and their marketing departments can protect their secrets, and their data, so that they, too, can bring a smile to their customers’ faces.

Understanding Information Security

In some board games you have a “get out of jail” card. With such a card, you can avoid missing a round of the game. What if I told you that GDPR has something similar?

It is called data security.

The GDPR provisions on data security are in line with the risk-based approach embedded in the law: risk is to be minimized, and controllers are given more flexibility in how they achieve that.

For instance, when regulators decide on fines, they must take into account the technical and organisational security measures companies have put in place to protect the data (see Article 83(2)(d) of GDPR) (legislation.gov.uk, 2016).

Say your laptop is stolen.

If it was encrypted (and the decryption key was not lost with it), you do not need to inform your customers that there was a data breach (Article 34(3)(a) GDPR); whether the supervisory authority must still be notified under Article 33 is a separate assessment. Not having to inform your customers saves the brand image your marketing department has been building for years.

That is one reason why data security is such an important discipline. Many organizations have a separate security department and a chief information security officer who heads its functional areas.

Those marketers who have had security incidents reported by news outlets know how life-saving security colleagues can be in times of need.

Definition Of Information Security

The term data security is not found in Article 4 of GDPR, the article where definitions are listed. Instead, the word “security” appears in Article 5, where the basic principles of the data protection law are set out.

In other words, data security is one of the main principles of the GDPR, “integrity and confidentiality.”

GDPR expects organizations to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as one of the starting points for protecting personal data.

TOMs (technical and organisational measures) must be implemented to this end so that the integrity and confidentiality of the data are protected (Article 5(1)(f) GDPR) (legislation.gov.uk, 2016).

Outside Of GDPR, Information Security Is Defined As Follows

Information security is the safeguarding of information and information systems against deliberate and unintentional unauthorized access, disruption, modification, and destruction by external or internal actors. (Gartner, Inc., 2023)

Information security is the technologies, policies, and practices you choose to help you keep data secure. (gov.uk, 2018)

Information security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (NIST, 2023)

Approach To Information Security

Just as marketing professionals created strategic frameworks – 4Ps, 7Ps, 4Cs, and so on – so the information security profession has come up with frameworks of its own: the CIA triad and the Parkerian Hexad.

CIA stands for Confidentiality, Integrity, and Availability.

Donn Parker, a security consultant, later expanded this model with three more elements, namely Utility, Authenticity, and Possession.

Below is a brief description of the six aspects of the Parkerian Hexad (Bosworth et al, 2009).

Availability

Availability refers to the ability of the organization to access its data. When, for instance, there is a power failure and your marketers cannot access customer data, it is considered an availability problem.

The file is still there, so it has not been stolen. However, the marketer is temporarily unable to access that particular data.

Utility

Utility in the Parkerian Hexad relates to the problem of losing the usefulness of the data. For instance, if a campaign manager loses the encryption key to the data, the data is still there, and the file can be accessed.

However, the data cannot be used, because the email addresses needed for carrying out an email campaign are encrypted and are therefore useless without the key.

Integrity

Maintaining integrity refers to preventing unauthorized changes to the data.

For instance, if an intern in the marketing department accidentally deletes the field “purchased more than two items” from the dataset, this is an integrity-related security incident.

If the intern’s manager can undo the deletion of the field, then the integrity of the data is restored.

Typically, integrity is maintained by assigning different access rights, such as read-only access for interns and read-and-write access for the marketing manager.

Authenticity

Authenticity relates to the attribution of data or information to its rightful owner or creator.

Imagine a situation where your advertising agency, acting as your data service provider, receives a fake email which instructs them to delete all your customer data.

The agency might think that it is a genuine instruction from your company, and execute the command. This is then an authenticity problem.

Confidentiality

When someone unauthorized gets access to a particular marketing analytics file, confidentiality is breached.

Possession

The Parkerian Hexad uses the term possession to describe situations where data or information is stolen.

For instance, a malevolent employee of the marketing department downloads all the sales contact information to a mobile device and then deletes it from the network. This is a possession problem.

Risk Management

In addition to understanding the kinds of problems you are facing, using the Parkerian Hexad, your organization must know the actual security risks to the business.

Andress suggests a useful and generic five-step risk management process that fits a variety of situations (Andress, 2019).

Step 1: Identify Assets

Before your organization can start managing your marketing department’s risks, you need to map out all data assets belonging to your marketing department.

In doing so, all data, whether distributed across different systems or entrusted to service providers, must be accounted for.

Once this exercise is completed, your marketing department can determine which data files are the most critical. The RoPA (the record of processing activities kept under Article 30 GDPR), with all processing of personal data mapped out, can be leveraged for this exercise.

Step 2: Identify Threats

For all data files and processes identified in the previous step, potential threats are determined. This may mean holding a brainstorming session with marketers and the security and data protection departments to go through the data and processes one by one.

The Parkerian Hexad from the previous section can be a great help in guiding such sessions. It will also be helpful to identify the most critical data and processes during this exercise.

Step 3: Assess Vulnerabilities

In this step, for each data use and threat surfaced in Step 2, the vulnerabilities that would allow the threat to materialize are identified.

In doing so, the context of your organization’s operations, the products and services sold, vendor relations, as well as the physical location of the company premises, are considered.

Step 4: Assess Risks

In this step, the threats and vulnerabilities for each data asset and process are compared and assigned risk levels.

Vulnerabilities with no corresponding threats, or threats with no associated vulnerabilities, are treated as carrying no risk in this round.

Step 5: Mitigate Risks

For the risks that surfaced in Step 4, the measures needed to prevent them from materializing are determined during this stage.

Andress identifies three types of controls that can be used for this purpose. The first type, logical control, protects the IT environment in which your customer data is processed, for example password protection and the placement of firewalls.

The second type is administrative control, usually deployed in the form of a corporate security policy which the organization can enforce. The last type is physical control.

As the name suggests, this type of control protects the business premises and makes use of tools such as CCTV, keycard-operated doors, fire alarms, and backup power generators.

With time, risks may change.

For instance, your marketing department may be physically relocated to a new building, changing the physical security needs, or your company might decide to migrate from a physical server to a cloud-based hosting service, which means your customer data will have to move, too.

Both such situations require a new round of the risk management process to kick off.

In general, it is advisable to revisit the risk management process at a regular interval, say annually, to keep your company on top of all the risks your marketing department, and beyond, carry.
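To make the five steps concrete, here is an added Python example (not from the book) that builds a small risk register for one marketing data asset. It encodes the Step 4 rule directly: a risk is created only where a threat meets a vulnerability it can actually exploit, and threats or vulnerabilities left unpaired are listed separately so they can be revisited in the next round. The asset, threats, vulnerabilities and their Parkerian labels are constructed for illustration, and the scoring convention (threat likelihood × asset criticality, bucketed into low/medium/high) is an assumption of this example, not something Andress prescribes.

```python
"""Toy risk register for the five-step process described above.

Added example, not from the book. Every asset, threat and
vulnerability entry below is constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # Step 1: 1 (low) to 3 (high), from the asset inventory


@dataclass(frozen=True)
class Threat:
    name: str
    hexad: str                # Parkerian element the threat attacks
    needs: str                # weakness class the threat must find in order to succeed
    likelihood: int           # 1 (rare) to 3 (frequent); assumed scale


@dataclass(frozen=True)
class Vulnerability:
    name: str
    weakness: str             # weakness class this vulnerability belongs to
    control: str              # Step 5 control type: logical / administrative / physical
    remedy: str               # the mitigating measure


def risk_level(score: int) -> str:
    """Assumed bucketing of likelihood x criticality (max 9) into three levels."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess_risks(asset: Asset, threats: list, vulns: list) -> list:
    """Step 4: a risk exists only where a threat meets a vulnerability it can exploit.

    Returns one register entry per (threat, vulnerability) pair, highest score first,
    each already carrying the Step 5 control type and remedy of the vulnerability.
    """
    register = []
    for t, v in product(threats, vulns):
        if t.needs != v.weakness:          # no matching weakness: the pair carries no risk
            continue
        score = t.likelihood * asset.criticality
        register.append({
            "asset": asset.name, "threat": t.name, "hexad": t.hexad,
            "vulnerability": v.name, "score": score, "level": risk_level(score),
            "control": v.control, "mitigation": v.remedy,
        })
    return sorted(register, key=lambda r: r["score"], reverse=True)


def unmatched(threats: list, vulns: list) -> tuple:
    """Threats with no vulnerability and vulnerabilities with no threat carry no risk
    in this round; keep them listed, because a later round may pair them up."""
    present = {v.weakness for v in vulns}
    needed = {t.needs for t in threats}
    idle_threats = [t.name for t in threats if t.needs not in present]
    idle_vulns = [v.name for v in vulns if v.weakness not in needed]
    return idle_threats, idle_vulns


# Step 1: constructed asset
CUSTOMER_LIST = Asset("customer contact list (marketing CRM export)", criticality=3)

# Step 2: constructed threats, one per Parkerian element plus one with no matching weakness
THREATS = [
    Threat("laptop holding an export is stolen", "confidentiality/possession", "unencrypted_storage", 2),
    Threat("forged 'delete all records' email sent to agency", "authenticity", "no_sender_verification", 2),
    Threat("intern accidentally deletes a field", "integrity", "write_access_for_everyone", 3),
    Threat("power failure in the office", "availability", "no_backup_power", 1),
    Threat("encryption key lost by campaign manager", "utility", "no_key_escrow", 1),
    Threat("ransomware on marketing endpoints", "availability", "unpatched_endpoint", 2),
]

# Step 3: constructed vulnerabilities found in this round
VULNS = [
    Vulnerability("exports saved to unencrypted laptops", "unencrypted_storage", "logical", "full-disk encryption"),
    Vulnerability("agency acts on plain email instructions", "no_sender_verification", "administrative",
                  "call-back verification procedure for destructive requests"),
    Vulnerability("interns hold read-and-write rights", "write_access_for_everyone", "logical", "read-only role for interns"),
    Vulnerability("server room has no UPS", "no_backup_power", "physical", "UPS and backup generator"),
    Vulnerability("public web server unpatched", "unpatched_web_server", "logical", "patch schedule"),
]

if __name__ == "__main__":
    for r in assess_risks(CUSTOMER_LIST, THREATS, VULNS):
        print(f"{r['level']:6} {r['score']}  {r['threat']:48} -> {r['control']}: {r['mitigation']}")
    print("no risk this round (threats, vulnerabilities):", unmatched(THREATS, VULNS))
```

Running it yields four register entries (the intern's write access scores highest, the power failure lowest) while the lost-key and ransomware threats and the unpatched web server stay on the unmatched list: they are not risks to this asset today, but a relocation or a cloud migration may change that, which is exactly why the process is repeated.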

Approaching Risk Management With Three Lines Of Defence

The Institute of Internal Auditors (IIA) established a risk management model called the Three Lines of Defence, updated in 2020 as the Three Lines Model (IIA, 2020).

The model requires three internal roles to work together and act as robust protection for the organization: (1) the governing body, with oversight of the organization, (2) senior management, which takes risk management actions and reports to the governing body, and (3) internal audit, which provides independent assurance (IIA, 2020).

The elements of the Three Lines of Defence are (IIA, 2020):

First Line Of Defence

Manage the risks associated with day-to-day operational activities. Senior management has the primary responsibility, and emphasis is put on people and culture.

Marketing managers’ task here is to make sure that their department is aware of data protection risks, including security risks, and is following the applicable corporate policies.

Second Line Of Defence

Identify risks in the daily operation of the business. Security, data protection, and risk management teams carry out monitoring activities.

Senior management, including the CMO, is ultimately accountable for this line of defence. A well-functioning second line of defence requires good cooperation between marketing and the security, data protection, and risk management teams.

Practically, it means understanding the importance of operational-level auditing and providing input to the security team, even when there are other pressing deadlines and business issues.

Third Line Of Defence

Provide independent assurance on risk management by assessing the first and second lines of defence. Independent corporate internal audit teams usually have this role.

Here, too, the marketing department will be asked to cooperate during audits. Assurance results reported to the governing body inform the strategic business actions of the senior management team.

References

  • Andress, J (2019) Foundations of Information Security, No Starch Press, October 2019.
  • Bosworth, S, Whyne, E and Kabay, M E (eds) (2009) Computer Security Handbook, 5th edn, Wiley, Chapter 3: Toward a new framework for information security, Donn B Parker.
  • Gartner, Inc. (2023) Information technology: Gartner glossary, www.gartner.com/en/information-technology/glossary/information-security (archived at https://perma.cc/JP27-6CAN)
  • IIA (2020) The Institute of Internal Auditors (IIA), The IIA's Three Lines Model, an update of the Three Lines of Defense, July 2020, www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-ofdefense-july-2020/three-lines-model-updated-english.pdf (archived at https://perma.cc/9HX7-AU4H)
  • legislation.gov.uk (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016, www.legislation.gov.uk/eur/2016/679/contents (archived at https://perma.cc/NVG6-PXBQ)
  • NIST (2023) National Institute of Standards and Technology, US Department of Commerce, Computer Security Resource Center, Information Technology Laboratory, Glossary, updated 28 May 2023, https://csrc.nist.gov/glossary/term/information_security (archived at https://perma.cc/TE3Z-LN94); https://csrc.nist.gov/glossary/term/non_repudiation (archived at https://perma.cc/DJ4A-44N2)

Featured Image: Paulo Bobita/Search Engine Journal