The amount of information we handle on a daily basis is increasing exponentially and is becoming increasingly difficult to keep track of. This also means that the consequences of mismanaging information assets become much more extensive.
Some examples where incorrect handling of information assets has had major consequences:
- Passwords for government accounts have circulated online.
- Heathrow Airport has to pay £120,000 in fines for poor information protection, due to a lost USB memory containing personal data.
WHAT IS AN INFORMATION ASSET?
Information assets are an organization’s information-related assets that are of value and thus worthy of protection. Examples include databases, documents, applications, computers and telephones. An information asset can be of a physical or logical nature.
WHAT YOU NEED TO DO TO PROTECT YOUR INFORMATION ASSETS
In order to ensure that the management of information security assets is in line with the requirements set for each business, three main activities are needed:
- Establish the current situation, i.e. know where you stand today.
- Describe a “should” position, i.e. where you need to be in order to live up to the requirements of the business.
- Develop a plan with activities that need to be implemented to achieve the set goals.
To know where you stand today, you need to perform an analysis that gives you a clearly defined current situation. This analysis should cover the following: identification of the company’s essential information assets, who owns these information assets, mapping of internal and external stakeholders, and identification of information security risks.
The scope of this analysis depends partly on the size and complexity of the business, and partly on the level of information security maturity in the business. It is important that the analysis is carried out jointly by IT, operations and security functions.
To get a picture of where the business needs to be, you have to compare the current situation with where you need to be. You do this by performing a gap analysis, whose purpose is to identify the difference between the level of information security you need to achieve and the actual level of your information security at the time of analysis. The gap analysis identifies any gap between these two levels, which you then need to bridge by designing and implementing a number of different information security measures.
Together, the above analyses will give you a picture of what actions you need to plan and implement to create adequate protection for your information assets.
HOW DO YOU PROCEED?
If your organization has an information security function, you should contact it for advice and support on how to proceed. If the organization does not have the skills or resources to carry out the information security work itself, you should seek help from an external party who has experience in this area and who can help you with methods and tools that facilitate the work.
However, it is always important that management appoints a person responsible for the work, who is allocated resources in the form of both time and budget to be able to carry it out.