Information Security Governance is a pig to get right. The size and age of the organisation do not matter: a startup faces challenges as onerous as those of a large, mature business. It is tempting to assume that the problems scale proportionately with size. They do not.
At the outset, a decision has to be made about how data is going to be received, what processing will be performed on that data, how the resulting information will be used to advantage, and what to do with it when it is no longer needed.
When information is produced, whether as a by-product of doing business or as a product in its own right, there must be a process to decide what labels will be attached to it. This goes beyond confidentiality classes and declares the information’s purpose in the organisation. How is it created? Is it for Finance, HR, Facilities, Marketing? Where may it be exported? How old may it get before it is disposed of? Is it an asset?
The answers to those questions determine how the information is protected. There is a lot of technology to help secure data. The basic tools, many of them free, will go a long way, but only if they are supported by custodial procedures that staff actually carry out.
Those habits are difficult to establish. When the organisation is small, information security is easily discounted as a low priority. When it then grows without those foundational habits, it becomes very difficult to track what data the organisation is running on, where it is, and how best to secure it.
There are also standard approaches for getting to grips with information exposure, such as asset and risk registers, and many other tactics for reporting the state of the network and the data on it. Coordinating all these efforts is the challenge. Departments set about ordering their own security efforts and run out of steam when the information turns out to be cross-departmental, possibly carrying a different asset rating in each location it appears.
Taking the mile-high view helps. Look at what the organisation takes in and what it puts out. Data and process flow diagrams show how data meanders in and out of the organisation and identify where the information crosses boundaries, which is precisely where it becomes vulnerable.
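The boundary-crossing analysis described above, together with the earlier point that the same item can carry different asset ratings in different departments, can be made mechanical once the flow diagram is written down as data. The following is an added example and is not code from the original post; the organisation, its trust zones, data items, flows and departmental registers are all constructed for illustration. Each system is assigned a trust zone; a flow whose source and target sit in different zones crosses a boundary, and a crossing into a zone the item's label does not permit is an export the governance process should have caught.

```python
"""Trust-boundary analysis over a small data flow diagram.

Added example, not from the original post. The zones, systems, data items,
flows and departmental registers below are constructed for illustration.
"""
from dataclasses import dataclass

# Which trust zone each system on the diagram lives in (constructed).
ZONES = {
    "customer_portal": "internet",
    "order_api": "dmz",
    "erp": "internal",
    "hr_system": "internal",
    "payroll_bureau": "third_party",
    "marketing_saas": "third_party",
}


@dataclass(frozen=True)
class DataItem:
    """A labelled information item: purpose and owner, not just a confidentiality class."""
    name: str
    owner: str                   # department that produces and is accountable for it
    classification: str          # confidentiality label agreed for the whole organisation
    retention_days: int          # how old it may get before disposal
    export_allowed_to: frozenset  # zones the item may legitimately flow into


@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    item: str


# The organisation-wide label for each item (constructed).
DATA = {
    "customer_order": DataItem("customer_order", "Finance", "confidential", 2555,
                               frozenset({"dmz", "internal"})),
    "employee_record": DataItem("employee_record", "HR", "restricted", 2190,
                                frozenset({"internal", "third_party"})),
    "customer_email_list": DataItem("customer_email_list", "Marketing", "internal", 365,
                                    frozenset({"internal"})),
}

# Edges of the data flow diagram (constructed).
FLOWS = [
    Flow("customer_portal", "order_api", "customer_order"),
    Flow("order_api", "erp", "customer_order"),
    Flow("hr_system", "erp", "employee_record"),          # internal to internal: no crossing
    Flow("hr_system", "payroll_bureau", "employee_record"),  # permitted export
    Flow("erp", "marketing_saas", "customer_email_list"),  # export the label does not allow
]

# What each department's own register says about the items it handles (constructed).
DEPARTMENT_REGISTERS = {
    "Finance": {"customer_order": "confidential", "customer_email_list": "internal"},
    "Marketing": {"customer_email_list": "public"},
    "HR": {"employee_record": "restricted"},
}


def boundary_crossings(flows, zones):
    """Flows whose source and target sit in different trust zones."""
    return [f for f in flows if zones[f.source] != zones[f.target]]


def unauthorised_exports(flows, zones, data):
    """Boundary crossings that deliver an item into a zone its label does not permit."""
    return [f for f in boundary_crossings(flows, zones)
            if zones[f.target] not in data[f.item].export_allowed_to]


def rating_conflicts(registers):
    """Items that carry different classifications in different departments' registers."""
    seen = {}
    for dept, register in registers.items():
        for item, label in register.items():
            seen.setdefault(item, {})[dept] = label
    return {item: labels for item, labels in seen.items() if len(set(labels.values())) > 1}


if __name__ == "__main__":
    for f in boundary_crossings(FLOWS, ZONES):
        print(f"crossing: {f.item} {ZONES[f.source]} -> {ZONES[f.target]} ({f.source} -> {f.target})")
    for f in unauthorised_exports(FLOWS, ZONES, DATA):
        print(f"UNAUTHORISED export: {f.item} into {ZONES[f.target]} via {f.source} -> {f.target}")
    for item, labels in rating_conflicts(DEPARTMENT_REGISTERS).items():
        print(f"rating conflict on {item}: {labels}")
```

The useful output is the list of unauthorised exports (here the customer email list leaving the internal zone for a third-party marketing tool) and the rating conflicts (Finance and Marketing disagree about that same list), which is exactly the situation where departmental efforts stall. In practice the diagram data would be exported from whatever the organisation already uses to draw its flows, and the constructed dictionaries above stand in for that export.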
Governing all these disparate efforts may be an even bigger pig. Even if it is handled one leg at a time, it is best to know it is a pig you are dealing with.