Speaking at the recent SAS User Forum, Imraan Dawood, the senior manager for IT risk at The IQ Business Group, explained the implications of security breaches and how to manage data security in future.
"Firstly, what is information security? It's the process of ensuring the integrity, confidentiality and availability of information," states Dawood. "To understand the full importance of information security, you need to assess the implications of an information security breach."
Costs
It goes without saying that information security breaches cost companies money, but beyond that they can cost your reputation. Breaches often result in lawsuits, settlements, compliance penalties, reputational damage, brand damage and a loss of employee confidence. In most cases a breach has a negative impact on business continuity, to the point where the business may not be able to operate as normal for periods of time.
"If you are looking for a straight answer on the need for information security, and if you are weighing up the pros and cons, it's just not worth the risk not managing it," states Dawood. "Every organisation needs to secure itself against information security risks and threats by employing an efficient information security programme that should consist of governance and strategy as well as management and operations initiatives."
Components
"I recognise seven major components that organisations need to implement as a foundation for an effective information security programme. See how your business measures against these and you can then assess whether you are on the right path to managing information security," he says.
1. Firstly, there is a need to establish governance and assign responsibilities and ownership for the programme. Obtaining buy-in for information security from the larger organisation is critical.
2. Set a clear information security policy. This must set the organisation's stance towards various aspects of information security such as logical and physical security.
3. Establish information classification by applying a classification scheme for your information. This assists with identifying the sensitivity of information and assists in applying the correct security levels. It also reduces the cost of over-securing information.
4. Apply correct access management and keep track of who can access what.
5. Have incident response plans in place - you can always hope you will never have to use them but you need to know how to handle a breach if it arises. Define a chain of events and a best response scenario; it will minimise the impact of the situation if it occurs.
6. Education and training form an important part of creating awareness among staff about information security, how to minimise risks, what not to do, and keeping security skills up to date.
7. Ongoing risk management is a very important part of maintaining information security. It assists with proactively identifying information risks and how to minimise them in a changing organisational environment.
"The bottom line is, a lack of attention towards information security risks is just not worth it. The impact to organisations can be substantial in terms of cost, reputation and business continuity.
"My advice is to get the basics right as it will set a solid foundation for managing information security. Take security seriously. Your information is your investment, look after it," ends Dawood.