A data breach can certainly be harmful to your business, and whether it is the result of an accidental event or an intentional action, it can damage your organization’s reputation or cause financial loss. So, what does it take to protect your data?
Let’s start with basic information security – the “must-haves.” There are three components of information security to evaluate in your network and operations environment: confidentiality, integrity, and availability.
Confidentiality. Confidentiality involves the efforts of an organization to make sure data is kept secret or private. To accomplish this, access to information must be controlled to prevent the unauthorized sharing of data, whether intentional or accidental. A key component of maintaining confidentiality is making sure that people without proper authorization are prevented from accessing assets important to your business. Ask yourself:
- What information and systems are most important to you?
- Have these important assets been identified and inventoried?
- Do you know where they are and who has access?
- What information and systems might you be required to protect?
- Is access to information and systems properly maintained?
- How are information and systems protected against threats?
Integrity. Integrity involves making sure your data is trustworthy and free from tampering. The integrity of your data is maintained only if the data is authentic, accurate, and reliable. To protect the integrity of your data, you can use hashing, encryption, digital certificates, or digital signatures. These are the important questions to ask regarding integrity:
- Is data complete and accurate?
- When was the last time these data were validated?
- What change controls exist over information and systems?
- Is your change management process documented and followed?
- Is data protected throughout its life cycle?
- Have you considered the integrated system of people, processes, and tools that manages the life of an application and its data from concept to retirement?
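The hashing and signature techniques named above for integrity, as an added example that is not part of the original article: an unkeyed SHA-256 digest catches accidental corruption, but anyone who can edit the data can also recompute it, so a keyed HMAC (standing in here for a digital signature) is needed to catch deliberate tampering. The record, the tampered copy, and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample record standing in for a business data file.
ORIGINAL = b"invoice_id=1042;amount=1250.00;payee=ACME Supply"
# The same record after an unauthorized edit to the amount field.
TAMPERED = b"invoice_id=1042;amount=9250.00;payee=ACME Supply"
# Hypothetical verifier-only key; in practice it comes from a key store,
# never from the same place the data is kept.
KEY = b"example-integrity-key-not-for-production"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 fingerprint: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def tag(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    # compare_digest avoids timing differences that leak how much matched.
    return hmac.compare_digest(digest(data), expected)


def verify_tag(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(data, key), expected)


def integrity_checks() -> dict:
    """Run the checks an integrity control would perform and report each outcome."""
    stored_digest = digest(ORIGINAL)  # recorded when the data was validated
    stored_tag = tag(ORIGINAL, KEY)
    return {
        "digest_original_ok": verify_digest(ORIGINAL, stored_digest),
        "digest_detects_tamper": not verify_digest(TAMPERED, stored_digest),
        # Weakness of the unkeyed hash: an attacker who edits the record can
        # also overwrite the stored digest, and the check passes.
        "digest_fooled_by_recompute": verify_digest(TAMPERED, digest(TAMPERED)),
        "tag_original_ok": verify_tag(ORIGINAL, KEY, stored_tag),
        "tag_detects_tamper": not verify_tag(TAMPERED, KEY, stored_tag),
        # The attacker cannot forge a matching tag without the key.
        "tag_resists_forgery": not verify_tag(TAMPERED, KEY, tag(TAMPERED, b"guess")),
    }


if __name__ == "__main__":
    for check, passed in integrity_checks().items():
        print(f"{check}: {passed}")
```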
Availability. Data whose confidentiality and integrity are maintained is still useless unless it is available to those in the organization and the customers they serve. This means that systems, networks, and applications must be functioning as they should, when they should. Ask these questions:
- Is data readily available to make business decisions?
- Are routine, secure, and tested data backup procedures in place?
- Are systems properly patched and up to date?
It is vitally important to act quickly to secure your company’s information and protect any compromised data in the event of a breach, and more importantly to help prevent a breach from ever happening. To support confidentiality, integrity, and availability, the following must be in place:
Physical access controls. Restrict access to buildings and key IT areas, coupled with monitoring.
Procedural controls. Increase security awareness, training, management oversight, and incident response.
Technical controls. Add multi-factor authentication, anti-virus/anti-malware protection, need-to-know access, and change controls.
Compliance controls. Conduct periodic assessments, impose security rules, and complete periodic security assessment audits.
If you’re unable to answer these questions affirmatively or don’t currently have an integrated information security framework in place, don’t struggle over what to do next. Contact Rea’s Information Services team today.
By Travis Strong, CISA (Wooster, OH)