Many businesses have no idea about their information assets. If you have no idea what information assets you have, it is very hard to protect them.
Knowing what you have is the first step to understanding the value of the asset, and therefore accurately understanding the risk and effectively, pragmatically and cost-effectively building your security model.
In some cases, this results in overprotection, as organisations protect all assets to the highest common denominator, but in many cases it also results in key assets being wholly under-protected, which can be quite devastating if something goes wrong, especially when it results in large scale compromises of personal information.
Knowing what you have is also the first step to identifying ownership and allocating accountability, and it is vital to ensuring that you have adequate information sharing policies and data sharing agreements in place. Without all of this, you are in the dark with no hope of a candle.
If we look to the public sector, it has tried to deal with this knotty issue with the introduction of information asset owners. These are individuals who have ownership of specific information assets, can make decisions and policy on who can access and use them, and how they can be shared – and even help identify and enforce retention periods. These are then ultimately accountable to the senior information risk owner, who will sit at board level, giving us C-suite oversight of information risk.
This is a great structure because it means assets have to sit on an asset register and their handling is decided by someone who is in the best position to understand the risk – but who also benefits from their exploitation, making information ownership business-centric with real world benefits.
Let’s take it down a layer or two to data protection, as an example of how handling information assets (IA) can work. IA rests on some simple principles: confidentiality, integrity and availability.
So many times, we are so focused on the C that we forget the I and the A, but they are equally vital. There is no point in keeping something inaccurate under careful security; that is a complete waste of time.
Equally, we need to be clear about who has access to what to make sure those who should not be accessing data or assets are not, whilst also ensuring those who should have access do, when they need to.
So if we properly identify all of our key information assets, the benefits follow: using and managing information properly, understanding the risks in how we are using it and having those risks documented – as well as having in place effective policies for information sharing. These are all supported by appropriate and enforced retention schedules.
More importantly, we can actually be building an IT security strategy that enables, empowers and supports our users and finally move away from the restrictive and counter-productive models that are currently so often deployed.
Finally, all of this helps to address the ogre of the GDPR because there can be no doubt that applying these principles will take you a long way towards complying with “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”, as required by Article 5(2) of the General Data Protection Regulation.