
Why you Should Perform a Small Business Information Security Risk Assessment: Part 2

Best Practices, Cyber Security, Information Security, Information Technology, Risk Assessment, Small Business, Technology

Small Business Information Security

By Julie Kendall

Last week, we discussed small business information security basics and provided tips for categorizing the types of business information that you may want to keep protected. Now we’ll delve further into deciding what kind of information you may want to protect, and looking at how cost factors into the decision-making process.

Once you’ve identified all of your organization’s information types—those pieces of information you want to keep protected—the next step is to categorize the top priorities for your business. This means deciding which information type would hurt your business most if it were lost, stolen, or incorrect should something go wrong. As part of this assessment, you should filter your information types through the three primary information security objectives of confidentiality, integrity, and availability. You should also identify where each high-priority type of information is stored, whether it’s kept manually or in various automated systems.

The final step is estimating the potential costs to the business if bad things happen to your important business information. Think about the information used in or by your organization, and for each type of information consider what happens when: a) data is released inappropriately, b) data is improperly modified, or c) data is simply missing for some reason. Cost categories may include the following:

  • Cost to verify information accuracy and completeness
  • Cost of lost availability—how long can you last in business without the information?
  • Cost of lost work
  • Legal costs
  • Costs to repair a problem
  • Fines and penalties
  • Reputational or loss of trust in your business
  • Other costs like special notifications to your customers about the incident

There may be additional costs particular to your business, but this list will help you get started on identifying the cost of an information security incident to your business by the type of information impacted. The reason to conduct this type of exposure analysis is to help you decide whether or not to protect each information type based on its estimated total cost to your business.
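As an added worked example (not a tool or figures from KAI Partners), the following Python script turns the steps above into a small exposure-analysis worksheet: each information type records where it is stored, and for each of the three scenarios (released, modified, missing, mapped to confidentiality, integrity and availability) an estimate in the cost categories listed above. The inventory and dollar figures are constructed for illustration, and the protect-or-not rule (protect when total exposure exceeds the cost of the control) is an assumption added here, not a rule the post states.

```python
"""Exposure-analysis worksheet for a small-business information security risk
assessment. Added example: the inventory, the dollar figures and the
decision rule are constructed assumptions, not the post's own numbers."""
from dataclasses import dataclass, field

# The three "bad things" from the post, mapped to the objective each violates.
SCENARIOS = {
    "released": "confidentiality",   # data is released inappropriately
    "modified": "integrity",         # data is improperly modified
    "missing": "availability",       # data is simply missing
}

# Cost categories from the post; every estimate must use one of these keys.
COST_CATEGORIES = (
    "verify_accuracy", "lost_availability", "lost_work", "legal",
    "repair", "fines_penalties", "reputation", "notifications",
)


@dataclass
class InformationType:
    name: str
    storage: list                       # where it is kept, manual or automated
    costs: dict = field(default_factory=dict)  # scenario -> {category -> dollars}

    def scenario_cost(self, scenario: str) -> float:
        """Total estimated cost if one scenario occurs; rejects unknown keys
        so a typo in the worksheet cannot silently drop a cost."""
        estimate = self.costs.get(scenario, {})
        unknown = set(estimate) - set(COST_CATEGORIES)
        if unknown:
            raise ValueError(f"{self.name}: unknown cost categories {sorted(unknown)}")
        return float(sum(estimate.values()))

    def total_exposure(self) -> float:
        return sum(self.scenario_cost(s) for s in SCENARIOS)

    def worst_scenario(self) -> tuple:
        """(scenario, objective) carrying the highest estimated cost."""
        scenario = max(SCENARIOS, key=self.scenario_cost)
        return scenario, SCENARIOS[scenario]


def rank_by_exposure(types: list) -> list:
    """Highest estimated total cost first: these are the top priorities."""
    return sorted(types, key=lambda t: t.total_exposure(), reverse=True)


def where_stored(types: list) -> dict:
    """Invert the inventory: storage location -> information types kept there."""
    locations = {}
    for info in types:
        for place in info.storage:
            locations.setdefault(place, []).append(info.name)
    return locations


def protect_decision(info: InformationType, control_cost: float) -> bool:
    """Assumed rule (not from the post): protect when the estimated total
    exposure exceeds what the protective control would cost."""
    return info.total_exposure() > control_cost


# Constructed sample inventory for a small retail business (hypothetical).
INVENTORY = [
    InformationType(
        "Customer credit card data",
        ["payment processor portal", "paper order forms in filing cabinet"],
        {"released": {"fines_penalties": 25000, "legal": 10000,
                      "notifications": 3000, "reputation": 15000},
         "modified": {"verify_accuracy": 2000, "repair": 1500},
         "missing": {"lost_availability": 500, "lost_work": 1000}},
    ),
    InformationType(
        "Payroll records",
        ["payroll SaaS"],
        {"released": {"legal": 5000, "reputation": 4000, "notifications": 1000},
         "modified": {"verify_accuracy": 3000, "repair": 2000, "legal": 2000},
         "missing": {"lost_work": 4000, "lost_availability": 2000}},
    ),
    InformationType(
        "Product roadmap",
        ["shared drive"],
        {"released": {"reputation": 30000},
         "modified": {"verify_accuracy": 1000},
         "missing": {"lost_work": 2000}},
    ),
]


def main() -> None:
    for info in rank_by_exposure(INVENTORY):
        scenario, objective = info.worst_scenario()
        print(f"{info.name:28s} total ${info.total_exposure():>8,.0f}  "
              f"worst: {scenario} ({objective})  stored: {', '.join(info.storage)}")
    for place, names in where_stored(INVENTORY).items():
        print(f"  {place}: {', '.join(names)}")


if __name__ == "__main__":
    main()
```

Running the script prints the inventory ranked by total exposure, the scenario and objective that dominates each type's cost, and a list of which information lives in which system, which is the input needed for the next step of deciding what to protect.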

Conducting an assessment of your information security needs is the first step in creating an information security plan. KAI Partners, Inc. can help you complete these assessments in just one day. Email us at info@kaipartners.com to get more information or to help take control of your valuable information in a cost effective and decisive manner.

About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 Information Security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews related to IT auditors and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DSS, HIPAA, and ISO 27001. Her primary focus in the last 10 years has been with the financial services industries, high technology manufacturing, state governments, and digital content production companies.

Why you Should Perform a Small Business Information Security Risk Assessment: Part 1

Best Practices, Cyber Security, Information Security, Information Technology, Risk Assessment, Small Business, Technology

Small Business Information Security

By Julie Kendall

Information security is not any less important for a small business than it is for a multi-national corporation. In this two-part series, we’ll discuss small business information security basics, as well as how to assess your security needs to ensure your company or organization is appropriately protected.

Small businesses today are struggling to meet the demands of ongoing and increasingly sophisticated information security risks. As they automate their business world, their exposure to these risks expands. Unfortunately, their expertise in handling them does not.

All too often, small business owners believe if they just rely on outsourced automation services, then the need to address information security risks will be “taken care of” by these vendors.

While many vendors do have robust information security controls within their automation services, the responsibility to decide exactly what needs to be protected remains with the small business clients themselves. Unfortunately, these small business owners and managers are often unclear as to how to make these critical security decisions.

When it comes to information security there are three objectives you should always consider:

  1. Information confidentiality
  2. Information integrity
  3. Information availability

When we talk about confidentiality, what we are really saying is only those who need access to information to do their jobs should have access to it. Information integrity objectives focus on ensuring the information hasn’t been tampered with or deleted by those who shouldn’t have had access to it. Finally, information availability focuses on ensuring the information is available when it’s needed.

So, how can a small business today—whose operating margins are slim and who just don’t have the resources to buy or rent sophisticated information security controls—decide on the right protections for their valuable information assets?

You should first categorize the types of information used or produced by your organization. Here are a few examples of some information types that may be associated with your business and need to be protected:

  • Sensitive or private employee or customer information, like health or payroll information or customer credit card information
  • Confidential business research or business plans used to determine the strategies or new product offerings for your business
  • Financial information about your organization

Thinking about the types of information you want to protect is just the first step in assessing your information security needs. Next week, we will discuss in more depth the various factors to consider when deciding what kind of information you want to protect, while also taking into account how cost factors into the decision-making.

For more information or to help take control of your valuable information in a cost effective and decisive manner, email us at info@kaipartners.com.
