In our last article, we defined what an Information Security Program is – a plan to protect the organization’s information. We took it for granted that readers would accept the premise that information should be protected to prevent Bad Things™ from happening. Fortunately, we have been at this security thing long enough to know that it is never safe to assume things.
Let’s dive in and explore what we are protecting our information against.
The term that is used in our industry is “threats”. We protect information from threats. But what is a threat? A threat is something that could happen – an undesirable event – that can cause harm to the business by affecting its information assets. The word asset is important because information has value to the organization. Something of value is worth protecting! In the case of electronic information, we extend the definition of a threat to cover the information itself, as well as any related computer systems and networks.
There are many kinds of threats. Some threats originate outside of the organization, while others originate internally. Some are intentional acts, and others are accidental. Still more can occur randomly within the environment. Some examples are listed in the table below.
| Threat Source | Internal | External |
|---|---|---|
| Intentional | Employee Data Theft | Ransomware Attack |
| Accidental | Employee Loses Laptop | Vendor Leaks Data |
| Environmental | Burst Water Pipe | Tornado Damages Office |
The threats themselves aren’t as important as the outcomes that they can cause. It is those outcomes that impact the business, and that is ultimately what we want to protect against. Grouping the outcomes by the type of impact they have on the organization’s information is helpful because it lets us start thinking about ways to reduce their impact on the business by implementing safeguards.
At a high level, the outcome of a threat impacts the confidentiality, integrity, or availability of information. We refer to this as the “CIA triad”.
Confidentiality
Confidentiality is what most people think of when they think of security. Essentially, it has to do with keeping a secret a secret.
Integrity
Integrity has to do with the organization’s ability to trust that its information has not been corrupted or changed unexpectedly.
Availability
Availability has to do with the information being accessible for use by the organization when and where it is needed.
A breakdown in any one of these areas can interrupt business operations and has the potential to cause considerable financial or reputational damage to the business. It is important to note that it is common for a threat to compromise more than one component of the CIA triad at the same time, compounding the outcomes.
The effects are often magnified in a small business due to the limited resources available to respond to and correct the problems when they happen. Because of this, it is critically important that small businesses plan proactively to protect the confidentiality, integrity, and availability of their information.
Now that you know what you are protecting your information against, you are one step closer to building an Information Security Program in your organization.