I have always pretended to be a technologist, while I hardly understand anything technical. Honest confession. However, in the past couple of years, I have realized that this is a strength rather than a weakness. I am sure most of us reading this article are in my league. We are all good at relating technology to our businesses and making good use of it.
I have always adopted technology in my own organization before consulting other enterprises or my esteemed clients. A couple of years back, my organization faced an information security threat, and, as is human nature, only then did we realize the importance and the vulnerability of our systems. Even for something as simple as an email system, we realized that its confidentiality could have been compromised. Furthermore, in organizations that are not automated, large amounts of confidential information float around in email, and people realize its importance only in a threat situation. Identifying the importance of information is the first step towards fortifying it.
As COBIT 5 for Information Security states, “Information is a key resource for all enterprises and, from the time information is created to the moment it is destroyed, technology plays a significant role. Technology is increasingly advanced and has become pervasive in enterprises and the social, public and business environments.”
As organizations start automating their key processes, this information moves from unstructured email communication to a more structured repository. While automation helps in reducing manual labor and thereby operational costs, it also opens up a security issue. Where securing a simple email service would have sufficed earlier, the organization now has to secure its applications as well. The second step is identifying the different ways in which the information is vulnerable. Without knowing this, we will not be able to arrive at any security solution.
The various layers at which your information security can be breached are:
- User Authentication Level
- Access and Privilege Level
- Infrastructure Level
- Database Level
- Application Level
For many industries, a regulatory body provides comprehensive security guidelines. Take a bank, for example, which can follow guidelines from its central bank, PCI and more. However, not all industry verticals have the convenience of a regulator or a guidance body, in which case they themselves need to understand their vulnerabilities and appoint consultants to rectify them. Often, hiring an external IT auditor will also provide, at a small price, a very comprehensive security report. This can become the template for fortifying your information.
I will, in my successive posts, delve deeper into the 5 different layers of security.