By Julie Kendall
This is the first in a four-part series from our Information Security expert about creating an Information Security Management System (ISMS). We hope the information will be of value to you as you look towards creating your own ISMS. Today's post contains some background and initial information on information security. In Parts 2, 3, and 4, we'll get into more detail about the ISO 27001 framework and what it takes to implement a successful ISMS.
How important are the confidentiality, integrity, and availability of your information (including information entrusted to you by third parties) to your ability to achieve your business goals? If you said "very," then how sure are you that those valuable information assets are well protected from loss or damage?
Even with all the publicity today surrounding information security breaches at major corporations (e.g., Target, JP Morgan Chase, Bank of America, TJ Maxx, Home Depot), many still believe that if they implement a network firewall and install anti-virus software on every employee workstation, their valuable information is protected. A firewall and anti-virus address only a narrow set of threats; they say nothing about who may access data, how it is handled, or what happens when a control fails. That simply isn't enough control over such a valuable asset.
Symantec research noted the top three causes for data breaches during 2013 were:
- Data accidentally made public
- Theft or loss of a computer drive
Symantec also reported that 552 million identities were exposed in 2013, a 493% increase in a single year, and that corporations spent in excess of $24 billion to remediate breaches of client information. In its 2013 Website Vulnerability Assessment Service scans, Symantec found that 77% of the public corporate websites scanned had security vulnerabilities that, if exploited, would result in information loss or damage.
Many companies today could not afford an information breach. Some US states impose monetary penalties or notification costs for each client affected by a loss of information, which contributed to an average breach cost of approximately $188 per record lost in 2013, according to Symantec-sponsored surveys. Considering that the average number of records lost in a 2013 security breach exceeded 1,000,000, the cost of NOT implementing an effective Information Security Management System (ISMS) can be significant.
Now that we’ve set the foundation, stay tuned for next time, when we’ll discuss exactly why an ISMS is important to your business.
For assistance in identifying gaps in your information security efforts and the steps you should consider to become compliant with the ISO 27001 standard, please contact KAI Partners by email at email@example.com. We can help you address your information security risks and train your staff to minimize them.
About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years' experience in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie's work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 information security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews for IT auditors, and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI DSS, HIPAA, and ISO 27001. Her primary focus in the last 10 years has been the financial services industry, high-technology manufacturing, state governments, and digital content production companies.
1 thought on “What You Need to Know About Information Security Management Systems”
Great insight. Eager to see the rest of the series, Julie!