Information is the critical asset that is protected by an Information Security Management System. This section of the ISMS will have the greatest influence on the measures adopted and on the level of detail in policies. It is also the most complex area, depending on the type of information and the environment in which it is held. Some of this will become clearer in the details described below.
Policies in this area generally begin by identifying who in the organisation needs access to certain types of information. The information is then assigned different classifications. This is especially true where there is a requirement to observe a government compliance regime regarding security.
The two key aspects of ‘Need to Know’ and ‘Classification of Information’ will define the concepts that are included in the ISMS. With these in place, policies and guidelines can be constructed to define the Information Management safeguards.
The following is a suggested list of what should be included as a minimum:
- Need to Know
- Classification of Information
- Sensitive Data Definition
- Storage of Information
- Information Retention
- Exchange of Information
- Handling of Information
- Media Handling
- Sanitisation and Destruction of Information
- Clear Desk Definition
Most policies governing the management of information from a security standpoint must identify who has access to information, and must define how that access is controlled. This starts with the fundamental assumption that only people who need access to certain information will have that access. This is the central theme of the ‘need to know’ principle. The approach is designed to prevent data ‘spillage’ by limiting visibility to those who depend on access to the information.
Information classification is a good way of identifying where different conditions apply. It is typically governed by how sensitive the information is. It also serves as a reminder to users of information what the correct handling procedures are for different information types.
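To show how ‘need to know’ and ‘classification of information’ combine into one access decision, here is an added example in Python. It is not code from the original post or from Thistle Tech; the classification levels, the compartment names, the handling rules and the sample people and documents are all constructed for illustration. A read is allowed only when the person is cleared to the document’s level and holds every compartment the document is tagged with, so being cleared alone is not enough.

```python
"""Classification-aware need-to-know check (constructed example, not Thistle Tech code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Ordered classification scheme. The labels and their ranks are an assumption
# for this example; a real ISMS will define its own scheme.
LEVELS: Dict[str, int] = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}

# Handling reminders per level (assumed values) so the label tells the user what to do.
HANDLING: Dict[str, List[str]] = {
    "PUBLIC": ["no special handling"],
    "INTERNAL": ["do not share outside the organisation"],
    "CONFIDENTIAL": ["encrypt at rest", "encrypt in transit", "shred or wipe when no longer needed"],
    "RESTRICTED": ["encrypt at rest", "encrypt in transit", "named recipients only",
                   "certified destruction"],
}


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str                      # highest level this person may read
    need_to_know: FrozenSet[str] = frozenset()  # compartments the person works in


@dataclass(frozen=True)
class Document:
    title: str
    classification: str
    compartments: FrozenSet[str] = frozenset()  # e.g. a project or data set


def may_read(person: Principal, doc: Document) -> bool:
    """True only if cleared to the level AND holds every compartment on the document."""
    if doc.classification not in LEVELS or person.clearance not in LEVELS:
        raise ValueError("unknown classification label")
    cleared = LEVELS[person.clearance] >= LEVELS[doc.classification]
    needs_to_know = doc.compartments <= person.need_to_know
    return cleared and needs_to_know


def handling_rules(doc: Document) -> List[str]:
    """The handling procedures a user should be reminded of for this document."""
    return list(HANDLING[doc.classification])


# Constructed sample data: one analyst and four documents.
ALICE = Principal("alice", "CONFIDENTIAL", frozenset({"payroll"}))
DOCS = [
    Document("Canteen menu", "PUBLIC"),
    Document("Payroll 2024", "CONFIDENTIAL", frozenset({"payroll"})),
    Document("Vendor contracts", "CONFIDENTIAL", frozenset({"procurement"})),
    Document("Merger plan", "RESTRICTED", frozenset({"payroll", "mna"})),
]


def readable_titles(person: Principal, docs: List[Document]) -> List[str]:
    """Titles the person may open, in the order given."""
    return [d.title for d in docs if may_read(person, d)]


if __name__ == "__main__":
    for d in DOCS:
        verdict = "ALLOW" if may_read(ALICE, d) else "DENY"
        print(f"{verdict:5} {d.title:18} {d.classification:12} {handling_rules(d)}")
```

Alice is cleared to CONFIDENTIAL, so she can open the payroll file but not the vendor contracts (same level, but a compartment she has no need to know) and not the merger plan (a level above her clearance, even though she holds one of its compartments). The handling list is what a classification label should remind the user of each time a document is opened.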
How information is stored ‘at rest’ needs to be defined so that the arrangements are suitable to protect that information. Guidelines here should include how long data is retained and how it is archived. Also needed are guidelines on how information is sanitised or destroyed when it is no longer needed.
Special attention must be given to how information is shared within the organisation and with partner companies. This is especially important for managing who can change information. It extends to how information is protected while ‘in transit’, including what media are used to store and transfer information and how those media are handled.
Encryption measures should be considered both for information ‘at rest’ and ‘in transit’ to strengthen protection where required.
All of these policies are designed to minimise the risk of unauthorised access to, change to or damage of information, whether deliberate or accidental. The complexity of the measures implemented will depend on the type of organisation. Additional factors are: the environment used to store and access information, the partner arrangements that are in place, special considerations for different types of data, and any conditions that may increase the risk of exposure of information.
Some government departments have stringent rules controlling the sanitisation or destruction of sensitive information. These rules will influence the Information Management safeguards and processes that their partners must have in place. Similarly, legislation may dictate who can access personal information, e.g. customer and client details. This too will influence the policies on Information Management.
To illustrate some of the related situations that may be affected by Information Management, the policies relating to the retention and destruction of information will influence how organisations construct their data analytics toolsets. For example, storing information on a data lake, data warehouse or similar platform will require careful attention to certain techniques like the anonymisation of information. This is especially relevant where personal information has a limit to how long it can be retained. Suitable measures must be in place to allow the removal or sanitisation of sensitive information without diluting the effectiveness of the organisation’s analytics capabilities.
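The retention-and-anonymisation situation described above, as an added example in Python (not code from the original post or from Thistle Tech). The retention periods, the field names and the sample records are constructed assumptions. Records past their retention period have their direct identifiers removed and the quasi-identifier `age` coarsened to a band, while the analytics fields (`country`, `spend`) are kept, so aggregate totals are unchanged after the policy is applied.

```python
"""Retention-driven anonymisation over a constructed record set (example, not Thistle Tech code)."""
from datetime import date, timedelta
from typing import Any, Dict, List

# Retention period per processing purpose. Assumed values for this example.
RETENTION_DAYS: Dict[str, int] = {"marketing": 365, "transactions": 7 * 365}

# Fields that identify a person directly and are removed once retention expires.
DIRECT_IDENTIFIERS = {"name", "email", "customer_id"}

Record = Dict[str, Any]


def is_expired(record: Record, today: date) -> bool:
    """True once the record is older than the retention period for its purpose."""
    limit = RETENTION_DAYS[record["purpose"]]
    return record["collected_on"] + timedelta(days=limit) < today


def age_band(age: int) -> str:
    """Coarsen an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(record: Record) -> Record:
    """Drop direct identifiers and generalise quasi-identifiers; keep analytics fields."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age_band"] = age_band(out.pop("age"))
    out["anonymised"] = True
    return out


def apply_retention(records: List[Record], today: date) -> List[Record]:
    """Return a new record set with every expired record anonymised."""
    return [anonymise(r) if is_expired(r, today) else dict(r) for r in records]


def leaked_identifiers(records: List[Record], today: date) -> List[str]:
    """Audit check: names of expired records that still carry a direct identifier."""
    return [str(r.get("customer_id", r.get("name", "?")))
            for r in records
            if is_expired(r, today) and DIRECT_IDENTIFIERS & r.keys()]


def total_spend(records: List[Record]) -> float:
    """An analytics measure that must survive anonymisation unchanged."""
    return sum(r["spend"] for r in records)


# Constructed sample data.
TODAY = date(2024, 6, 1)
RECORDS: List[Record] = [
    {"customer_id": "C-1001", "name": "Sam Example", "email": "sam@example.test",
     "age": 34, "country": "UK", "spend": 120.0,
     "purpose": "marketing", "collected_on": date(2022, 1, 15)},
    {"customer_id": "C-1002", "name": "Jo Example", "email": "jo@example.test",
     "age": 51, "country": "IE", "spend": 80.5,
     "purpose": "transactions", "collected_on": date(2020, 3, 10)},
    {"customer_id": "C-1003", "name": "Kim Example", "email": "kim@example.test",
     "age": 27, "country": "UK", "spend": 42.0,
     "purpose": "marketing", "collected_on": date(2024, 1, 1)},
]


if __name__ == "__main__":
    after = apply_retention(RECORDS, TODAY)
    for r in after:
        print(r)
    print("spend before:", total_spend(RECORDS), "after:", total_spend(after))
    print("expired records still identifiable:", leaked_identifiers(after, TODAY))
```

Only the first record is past its one-year marketing retention on the chosen date, so it loses name, email and customer id and gains an age band; the seven-year transaction record and the recent marketing record are untouched. The `leaked_identifiers` check is the kind of control a policy would require before an expired data set is allowed to remain on the analytics platform.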
More To Come...
Look out for the next instalment in this topic.