By Julie Kendall
Information security is not any less important for a small business than it is for a multi-national corporation. In this two-part series, we’ll discuss small business information security basics, as well as how to assess your security needs to ensure your company or organization is appropriately protected.
Small businesses today are struggling to meet the demands of ongoing and increasingly sophisticated information security risks. As they automate their business world, their exposure to these risks expands. Unfortunately, their expertise in handling them does not.
All too often, small business owners believe if they just rely on outsourced automation services, then the need to address information security risks will be “taken care of” by these vendors.
While many vendors do have robust information security controls within their automation services, the responsibility to decide exactly what needs to be protected remains with the small business clients themselves. Unfortunately, these small business owners and managers are often unclear as to how to make these critical security decisions.
When it comes to information security there are three objectives you should always consider:
- Information confidentiality
- Information integrity
- Information availability
When we talk about confidentiality, what we are really saying is only those who need access to information to do their jobs should have access to it. Information integrity objectives focus on ensuring the information hasn’t been tampered with or deleted by those who shouldn’t have had access to it. Finally, information availability focuses on ensuring the information is available when it’s needed.
So, how can a small business today, whose operating margins are slim and which just doesn’t have the resources to buy or rent sophisticated information security controls, decide on the right protections for its valuable information assets?
You should first categorize the types of information used or produced by your organization. Here are a few examples of some information types that may be associated with your business and need to be protected:
- Sensitive, private employee or customer information, such as health or payroll information or customer credit card information
- Confidential business research or business plans used to determine the strategies or new product offerings for your business
- Financial information about your organization
Thinking about the types of information you want to protect is just the first step in assessing your information security needs. Next week, we will discuss in more depth the various factors to consider when deciding what kind of information you want to protect, while also taking into account how cost factors into the decision-making.
For more information or to help take control of your valuable information in a cost-effective and decisive manner, email us at email@example.com.
About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 Information Security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews related to IT auditors and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI DSS, HIPAA, and ISO 27001. Her primary focus in the last 10 years has been with the financial services industries, high technology manufacturing, state governments, and digital content production companies.