Because we work in the tech world, we just love fancy names and acronyms. So, to help out, we’ve defined a few of the terms you’ll come across when considering your own Information Security – starting with the most basic one: what is Information Security?
Information Security
Security of your information and data is what we’re aiming for, in general terms. Every business holds information in some form that’s critical to its operations. In today’s world, where we’re hyper-aware of cybersecurity, we often think of Information Security only in terms of confidentiality: the need to protect information from those who shouldn’t have it. Confidentiality is only one of the three properties Information Security covers; the other two are integrity (the information is accurate and hasn’t been tampered with) and availability (the information is there when you need it).
However, theft is not the only risk associated with information. There’s also the risk of data loss, which can have as debilitating an effect on a business’s operations as information theft. Data loss may be as basic as a hard drive failure on a computer, an accidental deletion, or a ransomware infection that encrypts everything it can reach (including any backups that are left permanently connected). Information Security means you’ve considered how you recover from that, and how your business continues to operate while that data is being recovered. In fact, can your business continue to operate if it takes days to recover data? And what would happen if you can’t recover that data at all? A backup you have never tested restoring from is not yet a recovery plan.
When it comes to information theft, you may be thinking your business doesn’t hold information that’s of any real value to a third party. At the very least, every business has some intellectual property that’s theirs and theirs alone. It may define the processes for how they carry out their core business. It may detail patents and technology they’ve developed. It’s all important, and it’s what makes your business different from another.
More and more, even small businesses are collecting data (information) about many aspects of their operations. This information is often about their customers, and having that information ‘leaked’ to third parties can cause reputational damage and ill-will from those you do business with.
Sometimes this information collection extends to what is termed Personally Identifiable Information (PII): data about a person that, in the wrong hands, might allow false identity documents to be created or accounts to be accessed. This includes date of birth, driver’s licence details, Medicare number and the like. Privacy legislation governs the collection of this data and imposes specific security requirements on you, including limits on how long you keep it. The simplest control is often to not collect, or to delete, PII your business doesn’t actually need: data you don’t hold can’t be stolen from you.
Governance
Governance is the set of rules you use to run your business. It should include policies and procedures that define every aspect of your business (in relation to Information Security) from the top (your board/executive) to the bottom, and make clear who is accountable for each of them. For example, can the cleaner see confidential information when mopping the floor in the middle of the night? If not, whose job is it to make sure papers are locked away and screens are locked?
Risk Management
Risk Management is the process of analysing your business to identify areas of risk (in our scenario, that’s threats to your information). The analysis assigns a score to each risk, combining the likelihood of that risk occurring with the impact, or extent of damage, if it does occur. A common approach is to rate likelihood and impact on a simple scale (say 1 to 5 each) and multiply, or to read the score off a likelihood/impact matrix. From there you decide how to treat each risk: mitigate it with a control, transfer it (for example, through insurance or a supplier contract), avoid it by changing what you do, or accept it. Recording these risks and decisions in a risk register lets you revisit them as the business changes.
Compliance
Compliance is the monitoring and documentation that allows you to prove you are meeting all your Information Security obligations, whether those come from legislation, contracts with customers, or your own policies. The key word is prove: a control that exists but leaves no evidence (a backup that runs but no record of it being tested, a policy that exists but nobody has signed) is hard to demonstrate to an auditor, an insurer or a customer.
GRC
Governance, Risk Management and Compliance. This is our fancy term that combines all of the above – a framework that defines the Governance, Risk Management and Compliance requirements of your business. Some of those requirements will be legislated by government (for example, Mandatory Breach Notification) and some will be defined by your board/executive based on their risk appetite.
ISMS
Information Security Management System. An ISMS is the set of policies, processes, controls and records through which you manage Information Security on an ongoing basis (ISO/IEC 27001 is the best-known standard for one). It’s what comes out of the process we guide you through. Its purpose is to manage your risks and to prove your Compliance: it’s the monitoring and documentation system that allows you to demonstrate to external parties your current state and the actions you have taken to mitigate your risks. It isn’t a one-off document; it’s meant to be reviewed and updated as risks, staff and systems change.
Risk Appetite
Risk Appetite reflects the level of risk that your board or executive are comfortable accepting. It is determined by balancing the risk score against the cost of mitigation: risks that score below the appetite are accepted, and risks above it must be treated until they fall below it.
For example, if our cleaner mentioned above is a family member, and we determined that the likelihood of them sharing IP outside the company was very, very low, we would have a low risk score for that scenario, and any action at all to mitigate the potential issue would not be worth the cost. We would accept the risk. Even so, the decision should be written down in the risk register, with the reasoning, so it can be revisited if the situation changes, such as when the cleaning is handed to an outside contractor.