
Scope of Information Security

There's an interesting article in the latest edition of Computers & Security Journal entitled "Information Lifecycle Security Risk Assessment: A tool for closing security gaps" by Ray Bernard. The article discusses aspects of protecting data that you might not consider as typically falling within the bounds of your information security strategy. For example:

For over a year the largest sales branch of a national company experienced a level of sales competition unheard of in any other sales office, resulting in the lowest sales closing average in the company's history. Personnel from a competing company were sneaking up to the sales team's conference room window at night, and peering through tiny slots in the window blinds to copy the daily list of hottest sales prospects from the white board--including products and anticipated sales amounts.
It's the sort of low-tech perspective I've written about before (see this article on the subject from a few years ago). But more to the point: should information security concern itself only with electronic data assets, or with ALL data assets, however they present themselves? Physical security (e.g. access controls to buildings) certainly forms a significant part of the security assessments that I perform, and things like clear-desk policies and office shredders are pretty standard these days. The scope also extends to third parties, and even to their physical security. Where should it end?

Christiansen's IT Law blog suggests "Lawyers should play an active role at all levels of the information security risk assessment process, from defining the scope of the assessment and determining the legal effects of policies and procedures under assessment, through interpretation of the legal implications of an assessment to advise the officers who must decide what it means to the organization." Another approach could be to use a standard such as ISO27001 to help set the boundaries.

Within my organisation we're now designing different processes depending upon the type of vendor being assessed: a vendor providing data hosting services will need to answer a different set of questions from a vendor providing software development. So the scope of information security is expanding all the time, with boundaries well outside the organisation. It means that our approach to security has to be flexible and able to adapt to a changing environment.


About

This page contains a single entry from the blog posted on February 22, 2007 9:00 PM.
