Where should you start when considering Information Security?

Ron's comment asking "if it's all about risk why do we call it Information Risk Management" has certainly made me think...

It's all very well for "security thinkers" to tell you about all kinds of weird and wonderful threats to your information, and for "security vendors" to tell you that their "UberAntiDoodarThreatNeutraliser" will rid you of them, but where should you start? What practical steps can you take now to improve your security posture?

Whatever it is that makes you money, the chances are that it relies upon decisions being made based on information. The mandate of Information Security, of course, is to ensure that accurate information is available as quickly as possible. As I typed the last line I nearly included "...to the right people", but of course that's part of the role of Information Security 🙂

What information is valuable to your business? Many people question whether their business has information worth stealing. I've often heard "we just make widgets, we're not a bank or government, who'd bother attacking us?"


WHO you sell WHAT to and HOW much you charge is likely to be of interest to your competitors and those who may wish to enter the market. The names of the highly skilled people in your company are likely to be of interest to those who may wish to recruit them to work for a rival company.

The designs of existing products and plans for future products represent high value information assets.

Believe it or not, both your old designs and any fault tracking databases, including help desk calls, can also be highly sought after information assets that could be used by a rival to help them avoid the same mistakes as you.

All of the items listed above represent possible information assets. You need to consider the impact of such information falling into the wrong hands and use this to write (or update) your information security policy which should define WHAT SHOULD HAPPEN and identify security controls to mitigate the threats of exposure. You also need to consider the impact of information assets not being available and write (or update) your business continuity plan accordingly.

Of course there are an ever-growing number of legal requirements that you'll also have to comply with, including HIPAA, SOX and possibly SB1386, each of which requires you to implement effective corporate governance.



Our security policy should state the ways in which information SHOULD flow into and out of our organisation. The policy should include statements specifying the security controls to be used to mitigate the RISK of information exposure. Clearly it's only worth expending a certain amount of effort (time and / or money) to protect an asset relative to its value and the risk of it being exposed. Keeping on top of the likely threats at a point in time, and the level of effectiveness of current controls relative to those threats (and the current value of the assets), is what information security is all about.
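As an added worked example (not part of the original post), here is a small risk register in Python that puts numbers on the reasoning above and on the asset list earlier in the post: it ranks assets by expected annual loss and decides whether a candidate control is worth its cost. The impact x likelihood scoring model, the asset values, the incident rates and the control's cost and effectiveness are all constructed assumptions for illustration, not figures from the post.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    """An information asset of the kind the post lists, with constructed numbers."""
    name: str
    exposure_impact: float      # cost to the business if it falls into the wrong hands
    incidents_per_year: float   # estimated exposures per year with current controls


@dataclass(frozen=True)
class Control:
    """A candidate security control and the fraction of exposures it prevents."""
    name: str
    annual_cost: float
    effectiveness: float        # 0.0 (useless) .. 1.0 (prevents every exposure)


def annual_risk(asset: Asset) -> float:
    """Expected annual loss from exposure: impact x likelihood (assumed model)."""
    return asset.exposure_impact * asset.incidents_per_year


def residual_risk(asset: Asset, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    return annual_risk(asset) * (1.0 - control.effectiveness)


def net_benefit(asset: Asset, control: Control) -> float:
    """Risk removed by the control minus what the control costs per year."""
    return annual_risk(asset) - residual_risk(asset, control) - control.annual_cost


def worth_funding(asset: Asset, control: Control) -> bool:
    """The post's rule of thumb: spend only in proportion to value and risk."""
    return net_benefit(asset, control) > 0.0


def rank_by_risk(assets: Iterable[Asset]) -> List[Asset]:
    """Highest expected annual loss first: where the policy should focus."""
    return sorted(assets, key=annual_risk, reverse=True)


def control_plan(assets: Iterable[Asset], control: Control) -> List[Tuple[str, float, bool]]:
    """For each asset (riskiest first): name, net benefit of the control, fund or not."""
    return [
        (a.name, round(net_benefit(a, control), 2), worth_funding(a, control))
        for a in rank_by_risk(assets)
    ]


# Constructed sample register mirroring the post's asset examples.
ASSETS = [
    Asset("customer and pricing list", exposure_impact=200_000, incidents_per_year=0.4),
    Asset("product design files", exposure_impact=1_000_000, incidents_per_year=0.1),
    Asset("fault tracking and help desk database", exposure_impact=50_000, incidents_per_year=0.2),
]

# Constructed candidate control: assumed to stop 70% of exposures at 20,000 per year.
ACCESS_CONTROL = Control(
    "role-based access control with audit logging", annual_cost=20_000, effectiveness=0.7
)

if __name__ == "__main__":
    for name, benefit, fund in control_plan(ASSETS, ACCESS_CONTROL):
        print(f"{name:40s} net benefit {benefit:>12,.2f}  fund: {fund}")
```

With these constructed numbers the same control is worth funding for the design files and the customer list but not for the fault tracking database, which is the point of the paragraph: the effort spent on a control should follow the value of the asset and the risk to it, not be applied uniformly.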

I'll drill into each of these areas in further blog posts.


Comments (7)

  1. Anonymous says:

    I came across at the weekend a really interesting article on Wserver News   The…

  2. Anonymous says:

    There are days I jump in with both feet. One of those was the day that Gordon Frazer was announced as…

  3. Anonymous says:

    I came across at the weekend a really interesting article on Wserver News   The…

  4. RonW says:

    Steve> thanks for the follow-up blog.  We often talk about risk, but don’t always say how to do it.  For those who are looking for a place to start on risk management, I recommend the Microsoft approach.  (No, I’m not Microsoft and I’m not saying this to appease anyone.)  I’ve looked at many of the methodologies out there and the Microsoft Security Risk Management Guide just makes sense.

  5. Andy McKnight says:

    Steve, you mentioned the "growing number of legal requirements" that IT/IS have to comply with.  Can you recommend any resources that IT departments can turn to for a comprehensive point of reference as to which regulations apply to what industries that makes it simpler for IT departments to know exactly what they should be complying with?

  6. Steve Lamb says:

    Andy> I’ll keep my eyes out for something but I don’t know of such a site.
