Home > Blog > A simple approach to protecting your information: Part 5

A simple approach to protecting your information: Part 5

Introduction

The approach outlined so far in this series on information security consists of four questions as follows:

  1. What is your most valuable and sensitive information?
  2. Where is this information?
  3. Where should this information be?
  4. What information security goal do you seek to achieve?

These questions will help you prioritise information, reduce the attack surface, and determine the goal for the security measures you will implement. The fifth and final question is:

  1. What security measures will contribute to achieving the identified goal?

Measures

Information security measures broadly fall into three categories:

  1. Paper. Policies, procedures, and guidelines.
  2. People. Roles, responsibilities, and practices.
  3. Tech. Requirements and implementation.

It is essential that for each of your most valuable and sensitive information assets, a combination of measures across all three categories are considered. Further, the measures must be complementary and mutually reinforcing. If measures are considered in isolation, they may be contradictory or conflict with each other and risk undermining your security goals.

A real-world example of potentially conflicting measures is an organisation that adopts the paper measure of a policy prohibiting the use of end-to-end encryption in order to ensure the availability of information if a team member leaves, while at the same time requiring staff to implement tech measures to protect the confidentiality of communications between devices even if the service provider is compromised.

Paper

Paper measures consist of high-level policies and more-detailed procedures for how information should be managed. They may also include guidelines or other advice that supplements the official policies and procedures.

A practical way to start the drafting process is to start with a bottom-up approach. This begins with capturing what is currently being done in practice by team members and the tech that they are using for the highest-priority information. Once this is known, it can be made official without change or you can introduce sustainable and incremental improvements to produce the first version. Procedures identified in this way can be promoted to policies once they are deemed to sufficiently achieve the identified goal.

While policies tend to require a more-involved process to update, procedures can generally be updated as long as they remain compatible with the approved policy. Nonetheless, it is important that revisions are not so frequent as to make following the procedure a moving target for team members.

People

Paper is not reality, it requires people to implement it. A practical way to begin is in a top-down fashion. At a minimum, the executive director will have overall responsibility for security of the organisation’s information; however, they are unlikely to have the capacity, experience, and expertise to manage this on a day-to-day basis. Delegation is therefore key.

The day-to-day responsibility can be delegated to a particular role. This does not make the person in that role responsible for the organisation’s information security, but rather they will implement policy and ensure that procedures are followed, for example. They may further delegate to other roles, such as programme managers or designated information owners. Delegation at any level should be accompanied by a clear articulation of the resources available and any reporting requirements (such as compliance failures).

In a perfect world, people would implement all policies and procedures and fulfil all the responsibilities of their role. Unfortunately, reality is not like this. Looking at what people actually do in practice with respect to information is essential. Note, team members failing to comply with policy or making mistakes implementing procedures may be an indication that some elements are impractical or unsuitable. So, rather than disciplinary action, a compliance failure may be better handled through a review of the paper measures, for example.

Tech

The role of technology in modern NGOs tends to be driven by features. But rather than starting with the features of potential devices and services, and then trying to secure them afterwards, you should instead start with your requirements. These requirements should encompass both the functions you need and the desired security properties. Only when you have fully specified your requirements should you consider the appropriate implementation (i.e. the device or service that you might use). Note that some implementations may have features that go beyond your requirements, and the information security risks of these will need to be considered – just because you do not use a feature does not mean adversaries will not if it allows them to achieve their goals.

For example, you may need to communicate and receive information from a colleague in real time. This rules out email, but phone calls, SMS, video conferencing, and instant messaging would meet this requirement. However, you may also need to communicate this information confidentially. This further rules out phone calls and SMS, but video conferencing and instant messaging services that correctly implement end-to-end encryption might meet your needs. You can then explore specific services in light of further requirements, such as cost or ease of use.

In the above example, the requirements for the communication service are real time, end-to-end encrypted, cost effective, and easy to use; however, not all of these requirements may be possible with the services (implementations) available in the market, and you may need to consider which factors are the most important or whether multiple technologies and an adjustment of procedures can compensate. (Note that these requirements are inadequate because they only deal with information in motion, and do not consider the security of the information in use on devices and at rest when the devices are off.)

Conclusion

Once you have determined the most-appropriate paper, people, and tech measures to achieve your security goals, you should record them in a priority queue. This simple list can be used to prioritise the roll out of measures in light of the available resources (time and funds), and to keep track of what is completed, in progress, and yet to do.

For organisations who do not know how to begin improving their information security, this series of articles provides both a place to start and a systematic approach to tackling this difficult topic going forward. Without knowing what your most valuable and sensitive information is, how can you be confident that you are securing it? Without knowing where it is and where it should be, how can you be confident that you have put measures in the right places and at the right time? Without knowing the goal of your information security measures, how can you know if you have achieved it or are undermining it? And without prioritising and resourcing specific security measures, how will you properly protect your valuable and sensitive information?

This approach is very different to digital security, which focuses on the implementation of general – usually tech-based – measures. Digital security is essential to information security but it is not sufficient. The information security approach is risk based and more complex, but this complexity is there for a good reason: it is designed to stop adversaries compromising your valuable and sensitive information!