A Primer to Business Information Security.
In a world where customer information and enterprise networks are under constant attack, owning and processing personal and business information requires particular attention to information security. For personal information this is mandatory under data protection legislation; for business information it is critical to securing competitive advantage.
According to the ISO 27001:2013 standard, information security, sometimes shortened to InfoSec, is the practice of defending business information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that applies regardless of the form the data may take (electronic, physical, etc.).
In practical terms, business owners need to be aware of the following eight key information security goals when building, evaluating, reviewing or updating their business information systems:
- Accountability
The ability to hold someone personally accountable and responsible for their actions, for example the protection of an asset or set of assets. The emphasis here is on the 'someone' and the 'personally accountable'.
- Auditability
The ability of a system to conduct persistent, non-bypassable monitoring of all actions performed by humans or machines within the system. This goal thus has two parts: firstly, any state a system is found in should be traceable back to determine how it got there; secondly, an ongoing process of management review or audit should be undertaken to ensure that the systems meet all documented requirements. For example, ISO-certified document retrieval and storage systems offering access and version control can help meet this requirement. Auditability and Accountability are particularly important for publicly traded businesses, which have to comply with the Sarbanes-Oxley Act, HIPAA or SEC regulations.
- Authenticity & Trustworthiness
The ability of a system to verify identity and to establish trust in a third party and in the information it provides.
- Availability
Assurance that the systems responsible for delivering, storing and processing information are accessible when needed by those who are authorised to use them. Where cloud systems and services are used to ensure availability, attention needs to be paid to the European Data Protection Directive and the International Safe Harbor Privacy Principles.
- Confidentiality
Assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality occur when data is not handled in a manner appropriate to safeguarding the confidentiality of the information concerned. Such disclosure can take place by word of mouth, or by printing, copying, e-mailing or creating documents and other data. Having employees, partners and customers sign a Non-Disclosure Agreement should be seen as the minimal action; far more important is establishing clarity among parties on what constitutes confidential information, and an organisational culture that values confidentiality.
- Integrity
A system should ensure completeness, accuracy and the absence of unauthorised modifications in all its components: assurance that the information is authentic and complete, and that it can be relied upon to be sufficiently accurate for its purpose. The term 'integrity' is used frequently when considering information security, as it is one of the primary indicators of information security (or the lack of it). The integrity of data is not only a question of whether the data is correct, but of whether it can be trusted and relied upon; Accountability, Auditability and Availability (as explained above) are key enablers of Integrity.
- Non-repudiation
The ability of a system to prove (with legal validity) the occurrence or non-occurrence of an event, or the participation or non-participation of a party in an event.
- Privacy
A system should obey privacy legislation and should enable individuals to control, where feasible, their personal information (user involvement). Here again, attention needs to be paid to the European Data Protection Directive and the International Safe Harbor Privacy Principles.
For example, assuming a user never reveals his or her digital certificate (Confidentiality), and that e-commerce systems employ strong cryptographic algorithms for access control (Authenticity & Trustworthiness, Accountability, Auditability) towards highly available backend systems that are designed to assure Privacy and Integrity, it is possible to implement secure e-commerce transactions that fulfil the Non-repudiation principle.
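The e-commerce scenario just described, together with the Auditability, Integrity and Non-repudiation goals defined above, can be made concrete with a small tamper-evident audit log. The Go program below is an added example written for this primer; it is not code from the original article or from the referenced reference model. It assumes a backend that records every action in an append-only, hash-chained log, that each actor (a customer or a backend service) holds an Ed25519 key pair whose public key is enrolled with the log, and that the private key behind the user's certificate is the secret that must stay confidential. The actor names, `order-42` and the `AuditLog` API are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Actor is a person or service that can be held personally accountable: it
// holds its own Ed25519 key pair and signs every action it records.
type Actor struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewActor generates a fresh (constructed, demo-only) key pair for an actor.
func NewActor(name string) *Actor {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to do in a demo
	}
	return &Actor{Name: name, pub: pub, priv: priv}
}

// Entry is one audit record: it names the actor (accountability), commits to the
// previous record via PrevHash (tamper-evident chain, integrity) and carries the
// actor's signature over Hash (non-repudiation). Subject is the thing acted on.
type Entry struct {
	Actor, Subject, Action string
	PrevHash, Hash         string
	Signature              []byte
}

// AuditLog is the append-only chain plus a directory of trusted actor keys.
type AuditLog struct {
	Entries []Entry
	keys    map[string]ed25519.PublicKey
}

func NewAuditLog() *AuditLog { return &AuditLog{keys: map[string]ed25519.PublicKey{}} }

// Register enrols an actor's public key; unregistered actors fail verification.
func (l *AuditLog) Register(a *Actor) { l.keys[a.Name] = a.pub }

// entryDigest binds every field, including the previous hash, so that editing,
// removing or reordering any record is detectable.
func entryDigest(actor, subject, action, prev string) string {
	sum := sha256.Sum256([]byte(actor + "|" + subject + "|" + action + "|" + prev))
	return hex.EncodeToString(sum[:])
}

// Append records that actor a performed action on subject, signed with a's key.
func (l *AuditLog) Append(a *Actor, subject, action string) Entry {
	prev := "genesis"
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	h := entryDigest(a.Name, subject, action, prev)
	e := Entry{Actor: a.Name, Subject: subject, Action: action,
		PrevHash: prev, Hash: h, Signature: ed25519.Sign(a.priv, []byte(h))}
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain from genesis and reports the first inconsistency:
// a broken link, a modified record, an unregistered actor or a bad signature.
func (l *AuditLog) Verify() error {
	prev := "genesis"
	for i, e := range l.Entries {
		switch pub, ok := l.keys[e.Actor]; {
		case e.PrevHash != prev:
			return fmt.Errorf("entry %d: chain broken (record removed or reordered)", i)
		case entryDigest(e.Actor, e.Subject, e.Action, e.PrevHash) != e.Hash:
			return fmt.Errorf("entry %d: hash mismatch (record content modified)", i)
		case !ok:
			return fmt.Errorf("entry %d: unregistered actor %q", i, e.Actor)
		case !ed25519.Verify(pub, []byte(e.Hash), e.Signature):
			return fmt.Errorf("entry %d: signature does not verify for %q", i, e.Actor)
		}
		prev = e.Hash
	}
	return nil
}

// Trace answers the auditability question "how did this subject reach its
// current state?" by listing, in order, who did what to it.
func (l *AuditLog) Trace(subject string) []string {
	var steps []string
	for _, e := range l.Entries {
		if e.Subject == subject {
			steps = append(steps, e.Actor+": "+e.Action)
		}
	}
	return steps
}

func main() {
	log, alice, ship := NewAuditLog(), NewActor("alice@customer.example"), NewActor("fulfilment-service")
	log.Register(alice)
	log.Register(ship)
	log.Append(alice, "order-42", "placed order")
	log.Append(ship, "order-42", "shipped")
	fmt.Println(log.Trace("order-42"), "verify:", log.Verify())
}
```

`Trace` gives the backtracking that Auditability asks for, `Verify` gives Integrity (editing any stored `Action`, or deleting a record from the middle, makes it return an error), and the per-actor signature gives Non-repudiation, because only the holder of the matching private key could have produced it. The chain is tamper-evident, not tamper-proof: whoever controls the storage can still truncate it from the end without breaking any link, so a production system anchors the latest hash somewhere the log writer cannot modify, such as a separate system or a write-once medium.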
- By employing the information security principles of Accountability, Auditability, Authenticity & Trustworthiness, Availability, Confidentiality, Integrity, Non-repudiation and Privacy, a business can reliably secure customer data and business information and ensure legally compliant operation.
CREDITS & REFERENCES
- Yulia Cherdantseva and Jeremy Hilton: A Reference Model of Information Assurance & Security (website)
- Wikipedia: ISO 27001:2013, Sarbanes-Oxley Act, HIPAA, SEC, European Data Protection Directive, International Safe Harbor Privacy Principles, Non-Disclosure Agreement