Protect Business Information
Written by Francis Liska   

Protect your information and your business

It is not uncommon to encounter media accounts of a data breach or loss.  The consequences are usually severe, including monetary loss and loss of confidence in the organization.  In fact, a study completed by Symantec in 2006 determined that 60% of organizations that lose their data shut down within six months of the loss.  You don’t want to find yourself in this number, but where can you begin to make a difference?

What information do you have?

To manage information effectively and efficiently, first confirm what information assets the organization has and identify the people in the organization who “own” the information.  The owner of the information is responsible for determining who can access it and how it will be used.

What types of data do you have?

After information assets are identified, they should be classified according to their sensitivity relative to unauthorized disclosure.  For example, there may be legal or regulatory requirements that specify that certain information must be protected. There may also be industry guidelines that address information protection, such as the Payment Card Industry Data Security Standard, which outlines requirements to protect credit card data.  When classifying information, it helps to consider information in broad categories, for example, corporate intellectual property, human resource information, financial information, information used to access systems and records (user-ids and passwords), and information that could typically be found in the public domain.

It is important not to develop too many classifications of information, because the scheme will likely become unmanageable.  Quite often, three classifications are sufficient.  For example, information that should only be shared amongst management may be classified as restricted.  Information that is less sensitive, but should not leave the organization, may be classified as confidential. Information that typically exists in the public domain may be classified as non-sensitive.

Getting started?

  1. Make a list of the information: who is responsible for it? Who should have access to it?
  2. Determine the different categories of information: remember, you will probably need no more than 3 categories.

This will get you started.  Future editions of our newsletter will contain more practical tips and ideas to help you protect your information – one of your most important assets.

Contact OTUS Group to find out more about the Information Protection Health Check or take our FREE online survey to check if you need to improve how you protect your most valuable assets.

Francis Liska is a partner with OTUS Group, a team of business advisors who can help protect your assets and achieve sustainable business growth.


Last Updated on Tuesday, 24 November 2009 15:40
 