Information Security Strategy
When we think about information security strategy, we are generally concerned with decisions about a.
What information we want to protect,
How much protection we are willing to provide given the information risk, budgets and resources, c.
How do we want to provide the selected level of protection, d.
How long are we going to protect the identified information, and e.
Who would be in charge of the information security strategy and protection. 2.
The security professionals are usually concerned with confidentiality, integrity and availability of the information that require our attention and protection. In general, there are two categories of information that require protection within any org; confidential information and personal information. In the world of information security, each piece of data or information is not always relevant or important enough to require our full attention and protection. In fact, we may not even care about protecting certain information if the management decides so based on their risk assessment. Even while management decides to care about protection of certain information, the degree to which protection is provided varies depending on the level of risk. In other words, an information risk assessment is required to classify any and all data within any org to determine the appropriate level of protection. Depending on the nature of the company’s business and the industry in which it operates, information security strategy, classification and level of protection will vary based on the impact to the business or as dictated by the regulations if applicable. 3.
Once a general idea of “what needs to be protected” is established, a more thorough security risk assessment is required to determine the risk level (high, medium, or low) by addressing a.
What can endanger data during the information life cycle(threat), b.
What percentage or amount of the information may be threatened
How big the damage would be (impact).
Once the risk level is determined, the information security strategy may include prioritization, level of protection and decisions on the appropriate controls to be selected for the protection. What information should we protect?
An adequate information security strategy would require a decision on what information to protect How much protection is enough?
Once we identify the information described above, the information security strategy must be concerned about data classification and the level of protection. Such decisions are made within by management as each piece of information may have a different level of importance. Information security approach
Now that information is identified and importance or risk levels are defined for our business information, we need to think about how we want to protect the selected information. An information security strategy may include balanced implementation of some or all controls related to physical access, system access, authorization and approval of access to information based on business need, background checks, sharing with outside parties, information flow within operations, data retention, backup and recovery, security education and awareness training. How long are we going to protect?
Every piece of critical information that stays alive and in circulation for an unnecessary length of time contributes to additional risk and identity theft. In fact, every piece of information that is unnecessarily collected or created (duplicate spreadsheets and files) as part of the operations and kept alive for unnecessary length of time contributes to the overall risks. The information security strategy must consider needs and legal requirements when deciding how long to keep each piece of information Who should protect?
Every one is responsible for information protection within any company. Information security group - has...
Please join StudyMode to read the full document