Information - lifeblood of the organisation
managing information risk
Information is an organisation’s most valuable asset. However, it is often neglected in favour of protecting material assets, maintaining cashflow and the like when considering the organisation’s long-term future. This is usually because assigning a value to information is much more difficult than valuing buildings, stock, people and the other more tangible assets in an organisation. So, just how does a small business approach managing information risk? Ian Jones takes a look at the NCC’s new certification programme, IASME.
A study by the University of Worcester shows that nearly 60% of SME businesses polled currently have no security policy in place and are ill-prepared to meet the real threats to their business information. The research also shows that businesses that fail to maintain adequate information security measures are also putting their supply chain partners at risk.
There are methods of providing assurance of the protection of information; the most prominent is certification to the international information security standard ISO27001. Unfortunately, the process to establish and certify an information security management system to the ISO27001 standard is often perceived to be too complex, too time consuming and too expensive for smaller organisations.
Smaller, dynamic businesses and organisations differ from their larger, more structured counterparts in a number of ways when considering information security provision. NCC research during the development of the IASME standard found that SMEs are, not surprisingly, extremely sensitive to cost, need simple processes, and prefer and thrive best in an informal culture.
Information Assurance for Small to Medium-sized Enterprises (IASME) is intended to provide the SME with an assessment and formal certification of the level of maturity of the protection of its business information that can be used to assure itself and others in accordance with their business needs. The process is based on international standards and EU guidance, and is simple, quick and cost-effective. IASME certification stands a business in good stead if it wishes to progress to certification to other standards.
What chance does the small business have when corporate organisations have teams dedicated to governance, risk and compliance, specialists in information and computer security, and budgets for all of these? The criminal fraternity has to put in some real effort to cream off saleable information from such organisations. The persistent ones will remain a threat even to the well defended, as recent attacks on major brands have shown, but, on the whole, they will go for the easier targets.
Worse still, the resources of SMEs may be the portal through which the criminals get access to the big companies, hiding their tracks and consuming someone else’s resources. And whilst all this is going on, the small business is chasing payments, enticing customers, warding off the bank manager and coping with all the realities of staff absences. Who’s got time to become an IT expert?
IASME is a national programme that provides qualifying SMEs (fewer than 250 staff) with certification that has been specifically designed with the small business in mind. The programme is well grounded in international standards and has credibility and affordability built in.
How IASME works
IASME applies a balanced set of controls to all types of SME and adjusts their implementation in relation to a business risk profile. The process involves continuous assessment, starting with the initial cycle leading to the first certification, and continuing with intermediate assessments annually and re-assessment after three years.
IASME expects a set of documentation that is right-sized for you. This includes a security policy statement, a business continuity plan, and a simple senior-level endorsement and management plan. These will be individual and customised to what you do. However, if you need a starting point, IASME will give you templates to work on. The documentation shows commitment at the top level, clear accountability and responsibility, and a benchmark for your certification. Risk is assessed and your security controls are weighted in a balanced scorecard. How well you apply the security controls is measured in terms of maturity. The IASME process is documented, objective and repeatable while retaining flexibility and scalability.
Controls are the practical measures that you put in place to protect your information. Each control addresses one or more aspects of information security: detection, prevention or recovery. Controls are selected based on the risk to your business, not the size of the business.
How does this relate to my business?
Good information security is an asset that is as valuable as your more tangible assets, such as your staff, hardware, software, manufacturing plant or other materials. A lack of information security is a liability for you and a risk that your customers may not want to take. Coupled with potential fines of six figures or more – on top of the damage to your reputation and the cost to sort out an incident – the financial impact can be catastrophic.
IASME will help to reassure your customers that you manage their information securely, and provide the credentials you need to form supply chains and partnerships for effective and successful business deals. And it will provide you with the framework for effective and efficient information security practices.
More details on the IASME standard can be seen at http://iasme.ncc.co.uk/
Ian Jones is head of research and content at the National Computing Centre.