Information Security For Business

What Security Do I Need?

Before deciding to install a burglar alarm in your home you carry out a security risk assessment.

You start by identifying what needs to be protected and its value to you. You then evaluate the threats that you may face from thieves or vandals.

Finally, you make a risk decision as to what you are going to do to provide appropriate protections.

A risk assessment will also be needed to provide appropriate protection for your company information.

Inadequate security measures or procedures can result in a security breach whilst too many may be unduly expensive and time-consuming.

Managers make business risk decisions as part of their daily tasks. The major objective of risk decisions is to protect the business and its assets. Security risks can be assessed in a similar way in order to protect against harmful events. A security risk assessment will enable you to invest wisely in security measures and ensure that your business needs are met.

Probably the most important stage in a risk assessment is to accurately identify the value of the asset to be protected. For example, do you know how much the information held on a portable personal computer carried by a company salesperson is really worth to the company?

In assessing the risk, you should take into account not only the cost of replacing the PC, but also of rebuilding lost information and countering any damage caused by misuse of that information.

Having identified and valued the asset, the next stage is to consider the worst-case impact.

For example, what would be the impact if the information on your salesman’s portable personal computer was not available or was inaccurate?

One of the worst-case issues that you should consider is if sensitive company information reached a competitor, the press or the public.

You need to place a value on the worst-case impact, ideally in financial terms. This provides a measure of both how important the asset is to your business and a guide to the level of protection that should be considered.

The next stage involves an assessment of likely threats, for example, theft or fire.

Using this information, you can then determine the appropriate level of security controls necessary to protect your assets.

Electronic trading means that you may also need to assess the level of risks involved in providing a computer connection to a third party. If you know what the risks are it will be easier to make information and effective decisions.

‘Computer Assurance Guidelines for the Commercial Sector‘ provides more detailed advice on security risk assessment. It also provides advice on trading partner security assurance.

Read the next part of the Information Security for Business guide – How Do I Develop My Security Policy?

1 2 3 4 5 6 7 8 9

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>