Whether you are thinking of protecting your personal data or safeguarding business data, there are five ICT security fundamentals that you should never forget.
The first is to know who uses which sensitive data. Data is not equally sensitive to everyone. A company's strategic five-year plan may be invaluable to investors and management but is of little use to the messenger. Developing an inventory of sensitive data, and of who consumes each item of it, is critical. That inventory is what allows you to segregate data and restrict each category to the people who actually need it.
The second fundamental follows from the first: match the resources spent on protection to the value of the data. Once you have an inventory of your sensitive data you will have to allocate resources to protect it. Conduct a return-on-investment assessment of the security measures you intend to apply to each data category, for example which encryption products will be purchased and to which levels of sensitive data each will be applied.
The third fundamental concerns customer data. Never forget that retaining customer data is more of a risk than a reward. Service companies that retain huge databases of their customers should be aware of the risk they expose themselves to, especially if the data is widely accessible. An example would be an unprotected server that stores every credit card number your business has ever accepted.
The fourth fundamental is that the absence of a comprehensive regulatory compliance framework exposes all of us to undue risk. Various sensitive data elements, for example medical records and credit card numbers, exist in any organization's database.
We are yet to develop locally an all-encompassing compliance framework that caters both for particular data elements within a sector, for example medical records, and for data as a whole in the marketplace. The Kenya Communications (Amendment) Bill, 2008 is not a sufficient framework.
Finally, don't forget that risk assessments tend to understate the inherent risk of sensitive data. It is not sufficient to determine whether access controls, for example, are in place. The crucial point of focus should be measuring how effectively the access controls that are in place would hold up against an actual attack.
A good example is password circumvention, where employees share or bypass passwords to get around certain controls. A risk assessment will point this out. Taking it further by implementing a data protection effectiveness metric, one that measures how often a control actually stops an unauthorized access rather than merely whether the control exists, will provide greater security.
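The following is an added illustration of the difference between a control being present and a control being effective; it is example code written for this page, not a tool or metric from the original article. It assumes a hypothetical role-to-data-category policy (POLICY), a constructed log of access attempts in which each record carries the account whose password was presented and, as test ground truth, the role of the person actually at the keyboard, and a simple shared-credential detector that flags one account active on two workstations within a short window. The metric is the fraction of attempts by an unauthorized actor that the enforcement point blocked: the policy alone passes every attempt made with a borrowed password, so its score is low even though the "control is in place".

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical role -> allowed data categories (constructed for this example).
POLICY = {
    "finance": {"cardholder", "payroll"},
    "clinician": {"medical"},
    "messenger": set(),
}


@dataclass
class Attempt:
    account: str        # account whose credentials were presented
    account_role: str   # role assigned to that account
    actor_role: str     # ground truth for the test: role of the person at the keyboard
    workstation: str
    t: int              # seconds since the start of the test window
    category: str       # data category requested


def policy_allows(role: str, category: str) -> bool:
    """The control that a checklist-style assessment records as 'in place'."""
    return category in POLICY.get(role, set())


def shared_credential(attempt: Attempt, history, window: int = 300) -> bool:
    """Flag an account seen on two different workstations within `window` seconds."""
    for prior in history[attempt.account]:
        if prior.workstation != attempt.workstation and abs(attempt.t - prior.t) <= window:
            return True
    return False


def decide(attempt: Attempt, history, detect_sharing: bool) -> str:
    """Enforcement point: role policy, optionally backed by the sharing detector."""
    if not policy_allows(attempt.account_role, attempt.category):
        return "deny"
    if detect_sharing and shared_credential(attempt, history):
        return "deny"
    return "allow"


def effectiveness(attempts, detect_sharing: bool) -> float:
    """Fraction of attempts by an unauthorized actor that the enforcement point blocked.

    Ground truth uses actor_role, not account_role, so a borrowed password counts
    as an unauthorized access even though the account itself is entitled to the data.
    """
    history = defaultdict(list)
    unauthorized = blocked = 0
    for a in attempts:
        verdict = decide(a, history, detect_sharing)
        history[a.account].append(a)
        if not policy_allows(a.actor_role, a.category):
            unauthorized += 1
            if verdict == "deny":
                blocked += 1
    return blocked / unauthorized if unauthorized else 1.0


# Constructed access log for the test window (not real data).
ATTEMPTS = [
    Attempt("alice", "finance", "finance", "ws-1", 0, "cardholder"),      # legitimate
    Attempt("bob", "messenger", "messenger", "ws-2", 10, "cardholder"),   # denied by policy
    Attempt("alice", "finance", "messenger", "ws-2", 20, "cardholder"),   # borrowed password, concurrent
    Attempt("carol", "clinician", "clinician", "ws-3", 30, "medical"),    # legitimate
    Attempt("alice", "finance", "messenger", "ws-4", 4000, "payroll"),    # borrowed password, hours later
]

if __name__ == "__main__":
    print("control present:", bool(POLICY))
    print("effectiveness, policy only:   %.2f" % effectiveness(ATTEMPTS, detect_sharing=False))
    print("effectiveness, with detector: %.2f" % effectiveness(ATTEMPTS, detect_sharing=True))
```

Of the three unauthorized attempts in the constructed log, the role policy alone blocks only the one made with an unentitled account, scoring one third; adding the concurrent-session check catches the borrowed password used in parallel with its owner and raises the score to two thirds, while the borrowed password used hours later still gets through. That residual gap, rather than the existence of the policy, is what the assessment should report.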