Monday, June 8, 2015

Security is a State of Mind much more than Product Selection

Information security is a systematic approach to protecting the assets of an entity - business or private.

I am deluged daily with offers of some new whiz-bang security product or service. Each claims to be "the complete and secure" tool for implementing information security. If this is your approach to security, you need help.

First, security requires a thoughtful and well-conceived approach that doesn't interfere with the performance of the business or person but does include the procedures, policies and tools needed in a complete system. Don't misunderstand me, there are some great tools available, but they need to be selected, implemented and monitored properly to offer the protection needed.

We need to understand that security is like many other aspects of IT: there are definite benefit-to-cost trade-offs we need to evaluate. Keeping data secure may or may not be important to you. If it is important, you will want effective and usable processes whose cost is reasonable relative to the potential cost of lost or misplaced data.

First, determine what kinds of information need to be protected from disclosure. Consider scenarios such as these:

  • What are the potential costs of a key executive's laptop computer being stolen?
  • What happens if a Sales Manager quits and has the current customer lists on his or her laptop?
  • What kind of information about upcoming products or marketing plans would be valuable to a competitor?
(More in progress.)

Monday, May 25, 2015

How to assess your security requirements

Here are some simple steps to help you determine what needs to be secured and how to go about it.

The most important step in security is determining what needs to be secured and what the exposure is if it is not secured. There are several categories of information that you should consider.

High Value / High Risk

Information that WILL cause harm to your business if it is made available to anyone outside the people in your company who need to see and use it. This could be trade secret information or information that could be used against you in legal proceedings.

Customer records and information are also typically in this category.  Information in this category must not be made public. 

Business Operation Information

Accounting data and ERP data fit into this category. It is used by people in the performance of specific jobs and needs to be available for the business to operate.

Disclosure would not be damaging, but loss would interrupt business processes and cost revenue.

Publicly Available Information

This information is already available in the public domain but is housed on your systems to aid the productivity of your people and processes. Disclosure carries very little risk, and the information is easily recovered from other sources. The primary cost of losing this information is the time required to find it again elsewhere.

Now consider the cost of losing information in these categories.

What is the exposure if a laptop containing legal documents or new product plans ends up in the hands of a rival company or another hostile entity? What could it cost?

Who needs this information?

For each category of information, determine which groups or individuals need access to it. Who should be able to change it? AND WHO SHOULD BE ABLE TO MAKE COPIES?