By Julie Kendall
Last week, we discussed small business information security basics and provided tips for categorizing the types of business information that you may want to keep protected. Now we’ll delve further into deciding what kind of information you may want to protect, and look at how cost factors into the decision-making process.
Once you’ve identified all of your organization’s information types—those pieces of information you want to keep protected—the next step is to categorize the top priorities for your business. This means deciding which information type would hurt your business most if it were lost, stolen, or made incorrect should something go wrong. As part of this assessment, you should filter your information types through the three primary information security objectives of confidentiality, integrity, and availability. You should also identify where each high-priority type of information is stored, whether it’s kept manually or in various automated systems.
The final step is estimating the potential costs to the business if bad things happen to your important business information. Think about the information used in or by your organization, and consider, for each type of information, what happens when: a) data is released inappropriately, b) data is modified badly, or c) data is just plain missing for some reason. Some cost categories may include the following:
- Cost to verify information accuracy and completeness
- Cost of lost availability—how long can you last in business without the information?
- Cost of lost work
- Legal costs
- Costs to repair a problem
- Fines and penalties
- Reputational damage or loss of trust in your business
- Other costs like special notifications to your customers about the incident
There may be additional costs particular to your business to consider, but this list will help you get started in identifying the cost of an information security incident to your business by type of information impacted. The reason to conduct this type of exposure analysis is to help you decide whether or not to protect each information type based on its estimated total cost to your business.
Conducting an assessment of your information security needs is the first step in creating an information security plan. KAI Partners, Inc. can help you complete these assessments in just one day. Email us at firstname.lastname@example.org to get more information or to help take control of your valuable information in a cost-effective and decisive manner.
About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 information security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews for IT auditors, and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DSS, HIPAA, and ISO 27001. Her primary focus in the last 10 years has been on the financial services industry, high-technology manufacturing, state governments, and digital content production companies.