What Are the Mechanisms That Ensure Information Security?

Protecting information is not easy. It is often expensive and time consuming to do well. The security of a system depends on the time taken to implement safeguards and on their cost. Highly secure information systems take significant time and expense to create. Alternatively, if an organization wants to implement secure systems quickly, it must be prepared to spend money. If it wants to keep both time and money costs low, it must be prepared to accept lower security.

Laws and Legal Duties

Most organizations are subject to several laws. Although this text focuses on laws that affect information security, these are not the only types of laws organizations must follow. For example, they may have to follow workplace safety laws and fair labor standards. Other laws may include those dealing with equal employment opportunity, hazardous materials disposal, and transportation. An organization must make sure that it follows all of the laws that apply to it.

Industry sector is a term that describes a group of organizations that share a similar industry type. They often do business in the same area of the economy. In the United States, Congress enacts laws by industry sector. These laws address the protection of data used by organizations in a particular industry, such as finance or health care. Even the federal government has laws that it must follow to secure certain types of information. Some of these laws have very specific requirements.

Organizations also must follow general legal duties. For example, executives must act reasonably and in the best interest of the organization. This means they must use good judgment when making decisions for the organization.

Contracts

The action of paying someone to do work on your behalf is called outsourcing. Many organizations outsource IT functions to save money. Outsourced functions can include data center hosting, email facilities, and data storage.

NOTE

Data centers are not inexpensive. In January 2010, Facebook, a social networking application and website, announced plans to build its first data center. In 2018 the company reported that it had 15 data centers, with more planned. The company estimates that it has 2.45 billion active monthly users around the world, which requires sizable server and data storage capacity.

For example, it is very expensive for organizations to build their own data center. It is often cheaper for some of them to rent equipment space in another organization’s data center.

An organization cannot avoid its legal duties by outsourcing functions. It must enter into a contract with the company to which it is outsourcing. A contract is a legal agreement between two or more parties that sets the ground rules for their relationship. The parties use a contract to define their relationship and state their obligations. Organizations must include specific security clauses and safeguards in outsourcing contracts to make sure they meet their legal obligations.

Organizational Governance

An organization’s governance documents form the basis for its information security program. These documents include:

  • Policies
  • Standards
  • Procedures
  • Guidelines

They show the organization’s commitment to protect its own information and that which is entrusted to it. Policies are the top level of governance documents. A policy tells an organization how it must act and the consequences for failing to act properly. It is important for an organization’s management team to support its policies, because policies often fail without that top-level support.

NOTE

As discussed earlier in the chapter, a policy is an administrative safeguard.

Standards state the activities and actions needed to meet policy goals. They state the safeguards necessary to reduce risks and meet policy requirements. Standards do not refer to particular technologies, operating systems, or types of hardware or software.

Procedures are step-by-step checklists that explain how to meet security goals. Procedures are the lowest level of governance documents. They often are tailored to a certain type of technology. They also can be limited to the activities of specific departments, or even specific users in departments. Procedures are revised often as technology changes.

Guidelines, which are recommended actions and guides for employees, tell users about information security concerns and suggest ways to deal with them. Guidelines should be flexible for use in many situations.

Data Protection Models

One way that organizations put their governance documents into practice is by creating data protection models. In addition to following relevant laws for certain types of data, an organization might also protect data based upon its sensitivity to the organization. Not all information has the same level of sensitivity. An organization must weigh the sensitivity of information against the way in which it wants to use that information. To do this easily, an organization might choose to create data protection models to classify the different types of information it uses.

To create a data protection model, an organization first creates data classification levels. These levels serve as the basis for specifying certain types of safeguards for different categories of data. Information that would not harm the organization with its disclosure might be labeled public information. This would be the lowest classification of data and would typically have no special rules for its use.

Information that would harm the organization, its reputation, or its competitive edge if publicly disclosed might be called confidential. Another term that is often used for this type of information is restricted.

Organizations take many steps to protect this type of information. For example, they create rules that prevent unauthorized access to it. Other rules might address the sharing and storage of this information and its disposal.

NOTE

Because businesses compete for customers and money, they must distinguish themselves from their competitors. A competitive edge is the designs, blueprints, or features that make one organization’s products or services unique. Protecting competitive edge is one of the functions of information security.

An organization must carefully review its data and put it in the proper classification level. For example, if an organization has advertising materials that it freely gives to its customers, it would probably assign these materials to the “public” category. The organization has no special rules for how employees should protect this information, so employees are able to freely use, copy, and share this type of information. The organization also might have design blueprints for its products. These documents contain the secrets that make the organization’s products special. This type of material is labeled “restricted.” Employees are limited in how they can use, copy, or share this information.

Data classification is a common way to think about protecting data. The general rule for protecting information is that the more sensitive or confidential the information, the fewer people that should have access to it. Very sensitive information should have more safeguards, whereas information that is not as sensitive does not need such extensive protection.
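The classification model and the rule that more sensitive data reaches fewer people can be expressed as a checkable invariant. This is an added example, not code from the text; the group names, the handling policy, and the `classify` mapping are constructed assumptions, and the validator works for any number of levels, not only the two named on the page.

```python
from enum import IntEnum

class Level(IntEnum):
    """Classification levels from the text; a higher value is more sensitive."""
    PUBLIC = 0
    CONFIDENTIAL = 1   # the text also calls this level "restricted"

# Constructed handling policy (assumption, not from the text): for each level,
# which groups may access the data and which of the text's actions (use, copy,
# share) are allowed.
POLICY = {
    Level.PUBLIC: {"groups": {"employees", "contractors", "customers"},
                   "actions": {"use", "copy", "share"}},
    Level.CONFIDENTIAL: {"groups": {"employees"},
                         "actions": {"use"}},
}

def policy_violations(policy):
    """Return every place the policy breaks the rule that more sensitive data
    reaches fewer people and permits fewer actions: each level's groups and
    actions must be a subset of those of the level directly below it."""
    violations = []
    levels = sorted(policy)
    for lower, higher in zip(levels, levels[1:]):
        for key in ("groups", "actions"):
            extra = policy[higher][key] - policy[lower][key]
            if extra:
                violations.append((higher.name, key, sorted(extra)))
    return violations

def is_permitted(policy, level, user_groups, action):
    """Decide whether a user (identified by group memberships) may perform
    action on data labeled at level. Fails closed if the policy is
    inconsistent or the level is unknown."""
    if policy_violations(policy) or level not in policy:
        return False
    rule = policy[level]
    return action in rule["actions"] and bool(set(user_groups) & rule["groups"])

def classify(document_type):
    """Constructed mapping of the text's two examples onto levels; unknown
    document types default to the stricter level."""
    table = {"advertising": Level.PUBLIC, "design_blueprint": Level.CONFIDENTIAL}
    return table.get(document_type, Level.CONFIDENTIAL)

if __name__ == "__main__":
    print(policy_violations(POLICY))
    print(is_permitted(POLICY, classify("advertising"), {"customers"}, "share"))
    print(is_permitted(POLICY, classify("design_blueprint"), {"customers"}, "use"))
```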

Another part of protecting information involves reviewing security goals in the C-I-A triad. All organizations must decide which goals are most important to them. For some organizations, making sure their data is available and accurate is the most important goal. These organizations use controls that ensure that correct data is always available to their customers.

Military or government organizations may place a higher value on confidentiality and integrity goals because they value secrecy and accuracy. It is usually very important to them that sensitive data not fall into the wrong hands. It is equally important that their data be correct, because key personnel rely on it when making decisions. These organizations use controls that ensure that data is accurate and protected from unauthorized access.
