Information is the critical asset that is protected by an Information Security Management System. This section of an ISMS has the greatest influence on the number of measures and the level of detail in policies. It is also the area of the ISMS that is most likely to become extremely complex, depending on the type of information and the environment used by an organisation, including its customer base. Some of this will become clear in the details described below.
Policies in this area generally begin by identifying who in the organisation needs access to certain types of information, usually aided by assigning different classifications to information. This is especially true if there is a requirement to observe a government compliance regime regarding security.
With the two key aspects of ‘Need to Know’ and ‘Classification of Information’ defined, a number of policies and guidelines can be constructed to define the Information Management safeguards.
The following is a suggested list of what should be included as a minimum:
- Need to Know
- Classification of Information
- Sensitive Data Definition
- Storage of Information
- Information Retention
- Exchange of Information
- Handling of Information
- Media Handling
- Sanitisation and Destruction of Information
- Clear Desk Definition
Most policies governing the management of information from a security standpoint must identify who has access to information and how that access is controlled. This starts with a fundamental assumption that only people who need access to certain information will have that access – ‘need to know’. This approach is designed to prevent accidental data ‘spillage’ by limiting visibility of information to those whose function depends on access to the data/information.
Information classification is a good way of identifying where different conditions apply, based on how sensitive the information is. It also serves as a reminder to users of information what the correct handling procedures are for different types of sensitive information.
How information is stored ‘at rest’ needs to be defined so arrangements are suitable to protect that information. Guidelines here should include how long data is retained and how it is archived, sanitised or destroyed when it is no longer needed.
Special attention must be given to how information is shared within the organisation and with partner companies, including measures to manage who can change information. This area extends to how information is protected while ‘in transit’ and/or what media is used to store and transfer information and how those media are handled.
Encryption measures should be considered both for information ‘at rest’ and ‘in transit’ to strengthen protection where required.
All of these policies are designed to minimise the risk of unauthorised access, change and damage to information, whether deliberate or accidental. The complexity of measures implemented will depend on the type of organisation, the environment used to store and access information, the partner arrangements that are in place, whether special considerations apply for different types of data and what conditions exist that may increase the risk of exposure of information.
In addition to this, some government departments have stringent rules controlling the sanitisation or destruction of sensitive information, which will influence the Information Management safeguards and processes their partners must have in place. Similarly, legislation may dictate who can access personal information, e.g. customer and client details, and this too will influence the policies on Information Management.
To illustrate one related situation affected by Information Management: the policies relating to the retention and destruction of information will influence how organisations construct their data analytics toolsets. For example, storing information in a data lake, data warehouse or similar platform requires careful attention to techniques such as the anonymisation of information. This is especially relevant where there is a limit on how long personal information can be retained. Suitable measures must be in place to allow the removal or sanitisation of sensitive information without diluting the effectiveness of the organisation’s analytics capability.
More To Come...
Look out for the next instalment in this topic.