Saturday, November 9, 2013

Lessons Learned From WikiLeaks: What Exactly Is Information Security?


WikiLeaks is a hot story these days for a simple reason: it is not very common for confidential documents of the world's most powerful government to be published on the web. And some of these documents are, to put it mildly, embarrassing.

I will not write here about whether it is legal for WikiLeaks to publish such information, whether the information should have been made public because of public interest, what is going to happen to its founder (at the time of this writing Julian Assange was in custody), etc.

The problem is this: if WikiLeaks is shut down, a new WikiLeaks will appear. In other words, the risk of information leaking to the public is constantly growing. (By the way, before he was arrested, Julian Assange had announced that he would publish incriminating information about a major U.S. bank and its malpractice.)

I want to focus here on the corporate level: what if we are the next target of WikiLeaks or one of its copycats? How do we protect our information and avoid the damage from such an incident?

Simple example

But what does information security look like in practice? Let's take a simple example: you often leave your laptop in your car, on the back seat. Chances are, sooner or later it will get stolen.

What can you do to decrease this risk? First of all, you can make a rule (by writing a procedure or a policy) that laptops must not be left unattended in a car, or that you must park the car where adequate physical protection exists. Second, you can protect the information itself by setting a strong password and encrypting the data. Further, you can require employees to sign a statement by which they are legally responsible for any damage that may occur. But all of these measures may remain ineffective if you have not explained the rules to your employees through basic training.

So what can you conclude from this example? Information security is never a single security measure; it is always a set of them. And the measures are not only IT-related, but also involve organizational issues, human resources management, physical security and legal protection.

The problem is, this was a single laptop, with no insider threat involved. Now consider how complex it is to protect the information in a company, where the information is stored not only on PCs, but also on various servers; in desk drawers as well as on telephones; not only on USB memory sticks but also in the heads of employees. And you may well have a disgruntled employee.

Seems like an impossible task? Difficult, yes, but not impossible.

How to approach it

What can solve this complex problem is a framework. The good news is that such frameworks already exist in the form of standards: the most widely recognized is ISO 27001, the leading international standard for information security management, but there are also others, such as COBIT, the NIST SP 800 series, PCI DSS and many more.

I'm going to focus here on ISO 27001. I think it provides good ground for building an information security system because it includes a catalogue of 133 security controls, and offers the flexibility to apply only those controls that are really needed according to the risks. But its best feature is that it defines a management framework for controlling and directing security issues, so that security management becomes part of the overall management of a company.

In short, this standard enables you to think about all of your information in all its forms, about all the threats to it, and gives you a way to systematically resolve each potential problem and keep your information safe.

Consequences for business

So, should corporations worry that their information will leak to the public? If they are doing something illegal or disreputable, they certainly should.

However, companies operating legally, if they want to protect their business, cannot think only in terms of return on investment, market share, core competence and future vision. Their strategy must also take security issues into account, since insecure information can cost them more than, for example, a failed launch of a new product. By security I mean not only physical security, because that is simply not enough any more: technology makes it possible for information to leak through various means.

What is needed is a comprehensive approach to information security, regardless of whether you use ISO 27001, COBIT or another framework, as long as you do it systematically. And it is not a one-time effort; it has to be a continuous process. And yes, it is not something your IT guys do alone; it is something the whole company has to participate in, starting from the board.

