Scope of Information Security

There’s an interesting article in the latest edition of Computers & Security Journal entitled “Information Lifecycle Security Risk Assessment: A tool for closing security gaps” by Ray Bernard. The article discusses aspects of protecting data that you might not consider as typically falling within the bounds of your information security strategy. For example:

For over a year the largest sales branch of a national company experienced a level of sales competition unheard of in any other sales office, resulting in the lowest sales closing average in the company’s history. Personnel from a competing company were sneaking up to the sales team’s conference room window at night, and peering through tiny slots in the window blinds to copy the daily list of hottest sales prospects from the white board–including products and anticipated sales amounts.

It’s the sort of low-tech perspective that I’ve talked about before (see this article written on the subject a few years ago). But more to the point, should information security involve itself only with electronic data assets, or with ALL data assets however they present themselves? Physical security (e.g. access controls to buildings) certainly forms a significant part of the security assessments that I perform, and things like clear-desk policies and office shredders are pretty standard these days. The scope also extends to third parties and even their physical security. Where should it end?

Christiansen’s IT Law blog suggests “Lawyers should play an active role at all levels of the information security risk assessment process, from defining the scope of the assessment and determining the legal effects of policies and procedures under assessment, through interpretation of the legal implications of an assessment to advise the officers who must decide what it means to the organization.” Another approach could be to use a standard such as ISO 27001 to help set the boundaries.

Within my organisation we’re now designing different processes depending upon the type of vendor being assessed: a vendor performing data hosting services will need to answer a different set of questions from a vendor providing software development. So the scope of information security is expanding all the time, with boundaries well outside the organisation. It means that our approach to security has to be flexible and able to adapt to a changing environment.