Saturday, May 08, 2010


Ensuring that information is secure in a company is challenging at the best of times. The risks are numerous and fluid, and the impact of an information security breach on a company is consequently high. Today we shall identify and outline the main information security challenges a company faces and how to deal with them.

The first common challenge is not knowing who in the company uses what sensitive data. Not many organizations perform audits or inventories of sensitive data. An inventory should be initiated to develop a data flow map that charts sensitive data and the employees who use it. This data map will help in identifying the vulnerable points in your information infrastructure.

Another regular challenge is not protecting sensitive data in proportion to its value. Data generated and stored by any organization (or individual) has an intrinsic value, and it is important for management to have a sense of the worth of sensitive data to the company. For example, the recipes of a confectionery company can be considered very sensitive. It is therefore prudent to conduct a data asset valuation that identifies sensitive corporate data and determines its worth. It is then possible to apply justifiable information protection resources to that data.

The third challenge is the propensity of companies to embark on redundant information security compliance projects. Data security regulations are developed and implemented by various regulatory bodies, for example the Communications Commission of Kenya (CCK). To reduce redundant compliance efforts it is crucial to develop a regulatory compliance grid. This grid indicates which specific data elements and databases are covered by which information security regulations. The grid will help focus resources on protecting the really important data, for example credit card data.

The final difficulty is the implementation of simplistic annual security awareness programs. Most companies conduct these programs to show their employees and contractors that they are serious about information security. Questionnaires are distributed, sensitization talks are conducted and expansive warnings are dispensed. This is not enough. An information protection testing program should replace these awareness programs. The main objective of a protection testing program is to test the data handling procedures and policies in the organization. Samples of the employees and contractors who handle sensitive information should be selected and tested.

Identifying these common challenges is a necessary first step for any information security conscious company.

1 comment:

Anonymous said...

In David Scott’s words, everyone needs to be a mini-Security Officer today. I think Mr. Scott, the author, is right: most individuals and organizations enjoy security largely as a matter of luck. For some free insight, check out his blog, “The Business-Technology Weave” – you can Google to it, or search on the site IT Knowledge Exchange which hosts it. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple of links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). “In the realm of risk, unmanaged possibilities become probabilities.” Great stuff.