Tom Overman

Certified Information Systems Security Professional (CISSP)
Information Systems Security Management Professional (ISSMP)

 

 

Information Security (INFOSEC) Assessments


Home Accounting Business Software INFOSEC Photography Real Estate


A broad approach to Information Security (INFOSEC) and Business Continuity Planning (BCP)

Information Security is more than network security.

BCP can't happen until you have a good understanding of the information you need to maintain your business.

Securing your network is important, but it's not the whole story.  What information does your company create?  What information do you manage for others, such as your customers or your suppliers?  How much internal information do you or your employees e-mail to non-company e-mail addresses?

A holistic Information Security assessment involves helping you gain a good understanding of the information created and managed within your organization.  This knowledge is critical before you can make the right decisions about how to protect that information.

Three main areas are discussed:

Availability:
How accessible is your information?  What information do you need at your fingertips, and what information is it OK to have in boxes in the back room or off-line computer backup tapes?  You probably want the customer service address readily available.  On the other hand, you may not need to spend your IT dollars on an image storage library just so you can quickly access a copy of an invoice received three years ago.

Confidentiality
What information should be kept confidential, and from whom?  Some information, such as salary and performance reviews, is just for managers. Different types of financial data need differing levels of protection.  Customer information and product information need to be understood in the context of your business in order to determine how to protect it.  There is no single solution that meets the needs of all businesses.

Integrity
How accurate is the information?  Of course you want it to be 100% accurate.  But who can access and update information? What processes are in place to validate information before it is updated?  How many places do your IT systems store the same information?  If some piece of data is stored in multiple systems, which one is the master?  Are the other systems automatically updated when the Master Data is updated?  These questions can apply whether you are considering CAD drawings of your engineering products, or the mailing address for a customer.

Why ask these questions?  Because the answers impact how much you need to spend on technology systems and business processes to meet your own business requirements.

After the assessment
: As the INFOSEC assessment is done, we work together to determine what measures are needed to protect your information.  These will certainly involve network security, but they don't stop there.  The success of your Information Security effort also depends on your people.  Helping all of your employees understand the sensitivity of internal information, and how to protect it, is at least as important as installing an effective firewall.

Tom Overman is a Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP) and is certified as an Adjunct Faculty Member of the National Security Agency's National Cryptologic School.  In addition, he has over 20 years experience in telecommunications, data networks,  business process management, and program management.

Are your employees receiving scam email about helping transfer millions of dollars from Nigeria and other countries?

 



1
Home Accounting Business Software INFOSEC Photography Real Estate
Send email to tom@overman.biz with questions or comments about this web site.
Copyright 2006
Last modified: Wednesday, February 01, 2006