Using encryption for all sensitive communication and for storing documents strengthens the defence against attacks
Trust is the cornerstone of every business; it is what businesses thrive on. Securing that trust is not optional but a business obligation—our very raison d'être. It is, however, getting increasingly tough in a connected world where we deal with a multitude of environments and access devices and with highly complex, sophisticated attacks.
As CISOs, are we taking the right approach to securing our business and putting our house in order? Do we have the processes, protocols and systems to ensure the security of our assets? Businesses often falter when security is viewed through the prism of control via technology rather than as a strategic, enterprise-wide approach to asset protection. Thinking through basic aspects, such as business priorities, identifying and defining assets, balancing the need for security against the ability to meet those goals, and differentiating the effort spent on securing different categories of assets, is an important part of an enterprise's ability to meet its security objectives.
In this digital age, where data is generated constantly, an all-encompassing approach to protecting every piece of enterprise data is fraught with danger: diffused efforts leave critical data exposed. Not all data and systems are equally important, so the first step is to identify the information critical to the organization, prioritize those assets, and allocate budget and resources to their protection.
Identifying critical assets is imperative to the success of the organization. Critical assets are the valuable assets needed to maintain financial systems, business operations or other mission-critical systems, where a failure is serious enough to affect ongoing operations. These consequences make it worthwhile to have active system monitoring, such as asset control, in place to ensure that every precaution is taken to avert a disaster.
The business imperatives of a financial organization differ from those of an e-commerce company, just as a social media company will have different priorities again.
Organizations must work with all stakeholders to identify their most critical business assets according to their priorities, categorize those assets, set up systems and processes for each category, allocate budgets and review the effectiveness of the security measures.
Once assets have been identified, information assets become easier to manage with due process and technology. Information handling guidelines form the foundation of an organization's security posture, enabling employees to follow due process from the moment a document is created.
For example, categorizing documents as confidential, strictly confidential or restricted implies a different approach to handling each category and different protocols for their access and dissemination. Measures such as layered access based on who should see what information, password protection and an Identity and Access Management system ensure that information is duly protected.
Using encryption for all sensitive communication and for storing documents strengthens the defence against attacks. Even if attackers break into the network and gain access, encrypting data in transit and at rest prevents them from reading the most sensitive organizational information. Depending on the business context, the sensitivity of the information and the communication environment, encryption can be further strengthened with AES algorithms and key management. These are appropriate in cloud deployments and for communication across environments and end points.
Ideally all corporate workflow should stay within a VPN, and communication with resources and assets placed outside the network should use secure protocols such as SSL, or rather its successor TLS in current deployments.
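As an added example (not code from the article or its author), the following Go program shows one way the ideas above fit together: documents carrying the three classification labels from the text are encrypted at rest with AES-256-GCM under a per-document data-encryption key (DEK), that DEK is wrapped under a key-encryption key (KEK) held by a simple key manager, and the classification label is bound to the ciphertext as additional authenticated data so a stored record cannot be relabelled to a lower tier without detection. The KeyManager type, the key IDs, the label strings and the sample document are all constructed for this example; a real deployment would keep the KEKs in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Classification labels from the article; each is bound to its document as GCM AAD.
const (
	Confidential         = "confidential"
	StrictlyConfidential = "strictly-confidential"
	Restricted           = "restricted"
)

// KeyManager is a hypothetical stand-in for a KMS/HSM holding key-encryption keys (KEKs) by ID.
type KeyManager map[string][]byte

// AddKEK generates a fresh 256-bit KEK under id; adding a new id is how keys are rotated.
func (km KeyManager) AddKEK(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return err }
	km[id] = k
	return nil
}

// seal encrypts with AES-256-GCM (nonce || ciphertext || tag); aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if the key, the ciphertext or the aad differ from sealing time.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, fmt.Errorf("sealed blob too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// SealedDocument is the at-rest record: body under a per-document DEK, DEK wrapped under a KEK.
type SealedDocument struct {
	KEKID, Label     string
	WrappedDEK, Body []byte
}

func EncryptDocument(km KeyManager, kekID, label string, plaintext []byte) (*SealedDocument, error) {
	kek, ok := km[kekID]
	if !ok { return nil, fmt.Errorf("unknown KEK %q", kekID) }
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	// The label is AAD, so a stored record cannot be quietly relabelled to a lower tier.
	body, err := seal(dek, plaintext, []byte(label))
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil { return nil, err }
	return &SealedDocument{KEKID: kekID, Label: label, WrappedDEK: wrapped, Body: body}, nil
}

func (km KeyManager) unwrapDEK(doc *SealedDocument) ([]byte, error) {
	kek, ok := km[doc.KEKID]
	if !ok { return nil, fmt.Errorf("unknown KEK %q", doc.KEKID) }
	return open(kek, doc.WrappedDEK, []byte(doc.KEKID))
}

func DecryptDocument(km KeyManager, doc *SealedDocument) ([]byte, error) {
	dek, err := km.unwrapDEK(doc)
	if err != nil { return nil, fmt.Errorf("unwrap DEK: %w", err) }
	return open(dek, doc.Body, []byte(doc.Label))
}

// RewrapDocument rotates to a new KEK by re-wrapping only the 32-byte DEK; the body is untouched.
func RewrapDocument(km KeyManager, doc *SealedDocument, newKEKID string) error {
	newKEK, ok := km[newKEKID]
	if !ok { return fmt.Errorf("unknown KEK %q", newKEKID) }
	dek, err := km.unwrapDEK(doc)
	if err != nil { return err }
	wrapped, err := seal(newKEK, dek, []byte(newKEKID))
	if err != nil { return err }
	doc.KEKID, doc.WrappedDEK = newKEKID, wrapped
	return nil
}

func main() {
	km := KeyManager{}
	_ = km.AddKEK("kek-2024")
	doc, _ := EncryptDocument(km, "kek-2024", Restricted, []byte("constructed sample: board minutes"))
	pt, err := DecryptDocument(km, doc)
	fmt.Printf("%s: %q (err=%v)\n", doc.Label, pt, err)
}
```

Two design points worth noting: because the body is encrypted under its own DEK, rotating a KEK re-wraps only 32 bytes per document rather than re-encrypting every file, and because the label is authenticated data, a record whose stored label has been changed fails to decrypt instead of silently being treated as a lower tier. Protection of data in transit (TLS) is a separate layer and is not shown here.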
Technology, systems and processes are enablers for the business objective of securing assets. Led by the CISO, identifying assets, aligning and re-aligning security objectives with evolving organizational goals, and reviewing gaps and vulnerabilities are ongoing activities that play a critical role in ensuring the survival of the business.
Asset Management Systems as Risk Aversion Tools
The ultimate goal of any information security professional is to mitigate risk and avert potential threats. One should strive to maintain seamless business operations while safeguarding all of the company's valuable assets. A variety of systems is available to monitor and manage assets within the modern enterprise, so finding the right tool to take control of these systems is of paramount importance. Not only does this guarantee the safeguarding of the company's assets, it also ensures that all assets are monitored and can be managed when needed.
Business Value of Asset Management
Asset management systems allow for the optimization of existing equipment and infrastructure and ensure the organization continues to get the maximum value from its current assets. Having the right management procedures in place also ensures that the company can predict upcoming requirements while minimizing risk and potential downtime.
It is for these reasons that understanding how to classify an asset is so important: it allows one to manage the company's assets more efficiently while safeguarding the company from potential risks to its operations.
The author is Vice President - IT & Quality and CISO at Hughes Systique Corporation