Friday, October 24, 2008

Building an Information Security Program, Step One

Put firewalls everywhere!

No.

Build an Incident Response Program!

Wrong.

Write Minimum Security Baselines!

I would disagree.

Classify your data?

Ding, ding, ding...we have a winner. If you guessed option four, please move to the head of the class.

When establishing a strong information security program, your primary focus is on securing data. The first step in securing data in an organization is to know and document what data you store, transmit and receive. Once you have identified the data, the next step is to classify it.

What data is public?

What data, if lost, would cause corporate heartburn? Would the loss contribute to outside competitive advantage?

What data, if lost, would be catastrophic to daily business, and potentially cost the organization millions of dollars in recovery fees, fines, and lawsuits?

There are numerous, high-level processes to use for classifying data. Most organizations can quickly tell you in five minutes what their most critical data is. But do they know exactly where that data flows within the business, as well as externally? Usually not.

Only with data classification can you perform asset classification. If a host stores sensitive data, its criticality to the organization is raised, and you then build further security controls around that host.

Only with data classification can you build an information security incident response program. How do you effectively respond to an incident if you haven't identified and classified what data is located where? And only with data classification can you provide Service Level Agreements as PART OF the incident response program, since response priority follows the sensitivity of the data involved.
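To make the two dependencies above concrete (asset criticality derived from the data a host holds, and the "where is this data?" lookup an incident responder needs), here is an added example in Python. It is not code from the original post or from SecureState; the classification tiers, host names, data types and flows are all constructed for illustration, and a real inventory would be fed from a CMDB or data-discovery tooling rather than hard-coded.

```python
"""Minimal data-classification inventory (added example, not from the post).

Given a catalog of data types with classification tiers, the hosts that store
them, and the flows that carry them, derive each host's criticality from the
most sensitive data it touches and answer "where does data X live?" for
incident response.  All names below are constructed sample data.
"""

from dataclasses import dataclass, field

# Classification tiers, ordered least to most sensitive (assumed scheme).
TIERS = ("public", "internal", "confidential", "restricted")


@dataclass
class DataType:
    name: str
    tier: str  # one of TIERS


@dataclass
class Host:
    name: str
    stores: set = field(default_factory=set)  # data types at rest on the host


@dataclass
class Flow:
    src: str
    dst: str
    data: str  # data type in transit
    external: bool = False  # True if the flow crosses the org boundary


def tier_rank(tier):
    """Numeric rank of a tier; rejects labels outside the agreed scheme."""
    if tier not in TIERS:
        raise ValueError(f"unknown classification tier: {tier}")
    return TIERS.index(tier)


def host_criticality(host, hosts, flows, catalog):
    """Highest tier of any data the host stores or has flowing through it.

    A host with no classified data at all defaults to 'public'."""
    seen = set(hosts[host].stores)
    for f in flows:
        if host in (f.src, f.dst):
            seen.add(f.data)
    if not seen:
        return "public"
    return max((catalog[d].tier for d in seen), key=tier_rank)


def where_is(data, hosts, flows):
    """Incident-response lookup: hosts holding `data` at rest, and every
    endpoint (internal or external) that sends or receives it."""
    at_rest = {name for name, h in hosts.items() if data in h.stores}
    in_transit = {f.src for f in flows if f.data == data}
    in_transit |= {f.dst for f in flows if f.data == data}
    return at_rest, in_transit


def external_exposure(hosts, flows, catalog, min_tier="confidential"):
    """Flows carrying data at or above `min_tier` across the org boundary:
    the first places to review for controls and for an incident's blast radius."""
    floor = tier_rank(min_tier)
    return [f for f in flows
            if f.external and tier_rank(catalog[f.data].tier) >= floor]


# --- constructed sample inventory (not real systems) ---------------------
CATALOG = {d.name: d for d in [
    DataType("marketing_site", "public"),
    DataType("employee_directory", "internal"),
    DataType("customer_pii", "confidential"),
    DataType("card_numbers", "restricted"),
]}

HOSTS = {h.name: h for h in [
    Host("web01", {"marketing_site"}),
    Host("app01"),
    Host("db01", {"customer_pii", "card_numbers"}),
    Host("hr01", {"employee_directory"}),
]}

FLOWS = [
    Flow("web01", "app01", "customer_pii"),
    Flow("app01", "db01", "customer_pii"),
    Flow("app01", "db01", "card_numbers"),
    Flow("db01", "payments-processor.example", "card_numbers", external=True),
    Flow("hr01", "payroll-vendor.example", "employee_directory", external=True),
]

if __name__ == "__main__":
    for name in HOSTS:
        print(f"{name}: {host_criticality(name, HOSTS, FLOWS, CATALOG)}")
    at_rest, in_transit = where_is("card_numbers", HOSTS, FLOWS)
    print("card_numbers at rest:", sorted(at_rest), "in transit:", sorted(in_transit))
    for f in external_exposure(HOSTS, FLOWS, CATALOG):
        print(f"external: {f.src} -> {f.dst} ({f.data})")
```

Note that web01 stores only public data yet comes out "confidential", because customer PII transits it; that is the point of tracking flows as well as storage, and it is the kind of host a storage-only inventory misses.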

Everything stems from classifying your data, understanding where it flows and is stored, and then putting tactical and strategic security controls in place to mitigate or eliminate the risk of data loss or compromise of its integrity.

It's the core of all great information security programs; everything else is turn-key, so spend the appropriate amount of time and thought cycles on being thorough in this area.


Justin Leapline, Senior Consultant for SecureState's Audit & Compliance practice contributed to this posting.
