Subscribe
About

Controlling critical information

Information security takes priority status as corporate data becomes increasingly difficult to protect.
By Wayne Biehn
Johannesburg, 06 Jun 2008

Today, the responsible management of a business includes observing corporate governance best practices and complying with regulatory requirements.

Corporate governance is nothing more than the good management of resources within regulatory constraints to help to sustain and grow the business.

The process of achieving corporate governance involves, among other things, applying certain systems and controls to manage a multitude of risks across all areas of business. A company's annual report is increasingly required to contain a statement that the board has examined the effectiveness of its systems and internal controls, including those of risk management.

The secure management of critical information, one of those risk-management controls, requires assurance that the risks to information that is critical to the business and to confidential company and customer information are responsibly controlled. In the pursuit of this objective, corporate governance expects organisations to provide assurances over:

* Confidentiality of data and software;
* Integrity of data and software;
* Availability of data, software and services when required;
* Compliance with external and internal regulations; and
* Proof that IT is providing value for money.

Data governance establishes the imperative that data is no longer seen as simply being a facet of IT, but rather as a corporate asset in its own right.

Powerful data

Today's primary challenge is that critical, sensitive data is now stored in digital format.

Wayne Biehn is director of products and technology at SecureData Security.

Company and customer data is an organisation's power. It is information that makes the company unique and gives it a competitive edge; it is therefore one of the most important organisational assets.

As such, the secure and responsible management of critical information is both an executive priority and a mandate of good corporate governance. Subsequently, ironclad security has become the primary quest for companies looking to protect enterprise data.

One development that is making this increasingly more difficult to achieve is the move towards greater data distribution. The breakdown of the traditional network perimeter due to greater connectivity, as well as worker mobility, are both contributing to sensitive data being taken outside the corporate network. This, in turn, is creating new vulnerabilities and data management challenges in the process.

Today's primary challenge is that critical, sensitive data is now stored in digital format. The physical access controls are now nearly redundant, and new control mechanisms have had to be established.

As corporate data becomes increasingly difficult to protect, information security is naturally taking priority status for most organisations. As subsets of corporate governance, good IT management and data governance are balancing acts. Achieving balance requires maintaining an appropriate level of control needed to ensure security and regulatory compliance while permitting sufficient access and disclosure so as to not compromise business performance and productivity.

Sensitive data

As part of daily operational business, sensitive data needs to be shared with people and systems within and without an organisation. This requires different individuals and departments to have controlled access to it. Corporate governance has heightened the responsibility for ensuring that all sensitive data is used in line with internal and external compliance, ensuring disclosure requirements are managed in accordance with these controls.

However, access controls and other security measures are also required by business so as not to excessively hinder end-user productivity, making information security a complex management challenge. The equilibrium between effective controls and business enablement is the goal.

Providing access to corporate information immediately exposes companies to the risk of data disclosure or leakage and/or data loss. However, contrary to what many believe, data loss and data leakage are not always intentional. This element adds to the overall management consideration.

One solution is to adopt an entirely new approach to data security which is to bind security to the data asset itself. The appropriate approach is to protect important corporate interests wherever they may be. This involves the dual data management capability of data location, on the one hand, and data classification on the other hand.

Understanding what a company's critical information is, what risks are associated with its disclosure or loss, and where it is located, are all essential building blocks to protecting that data. Without understanding the location of data, the traditional identity and access controls companies have invested in are almost superfluous. The data that needs protecting could, and is likely to be, held on other less secure systems.

Data discovery, as a first step, followed by securing that data, either by applying data leak prevention measures to safeguard its access and use, or by remediating the risk exposure by relocating that data from unauthorised areas of the enterprise network to secure repositories, are all proactive measures aimed at protecting the enterprise information assets throughout its lifecycle.

Given that data is not static and that unstructured corporate data, on average, typically doubles every three months, information security, at a data asset level, is a continual process requiring constant management, vigilance and attention.

* Wayne Biehn is director of products and technology at SecureData Security.

Share