Best Practices for the Protection of Information Assets, Part 1


This article series will discuss best practices for the protection of information assets, drawing from a wide array of sources. These articles are intended to be equally useful for a person studying for the CISA or any other reader interested in information security.

This first part, “Information Security Management (ISM),” will predominantly cover security procedures, policies, laws and compliance mechanisms, all of which are discussed with an eye to the needs of a decision-maker operating within an organization.

Information security management is probably the most important precondition for effective protection of information assets and privacy. There are several reasons for this. ISM:

  • Supports security awareness and education (policies, procedures, audits, videos, training simulations, updates, enforcement of security…)
  • Ensures compliance with laws, regulations and standards
  • Upholds the CIA triad (Confidentiality, Integrity and Availability)
  • Ensures protection of sensitive data

Effective implementation of ISM requires commitment and support from senior management, based on well-defined, documented and communicated roles and responsibilities. The roles involved include the IS security steering committee, executive management, security advisory group, CISO, CPO, asset/data/process owners, external parties, administrators, advisors, IT developers and IS auditors.

When making policies, ensure that:

  • They exist and are enforced by management
  • They are in line with laws, regulations and privacy considerations (separation of duties is one technique that facilitates privacy among an organization’s members)
  • Logs are being collected


An information asset is a piece of information that is valuable to the organization. Examples include personally identifiable information (PII), intellectual property, trade secrets, financial information, board decisions and any other information of significant importance to the company.

Every asset should be identified, evaluated, classified (e.g., public/private/confidential) and protected based on asset value, asset location, asset risk and sensitivity (e.g., SSN). Remember that some assets are more sensitive than others.

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Dimitar Kostadinov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/HNAk-ynh8As/