Laresa McIntyre, CMA, MBA

Don’t Risk Your Data — Assess It

Disgruntled employees, hackers, incompetent personnel and competitors engaged in corporate espionage are all concerns for a business.  Even more concerning is what they can do to your data.  Theft, corruption, errors or complete data loss are reason enough to possibly lose some sleep at night.  This is why every business must be cognizant of the potential risks to their information.  This doesn’t just refer to financial data but also key information needed to continue being a viable entity.  Customer lists, proprietary information about products or services, and contracts that give the business a competitive advantage all fall within this group.  In order to ensure that data is safe, an information security risk assessment should be conducted at least on an annual basis.

Even before a risk assessment is conducted, the business will need to determine a set of baseline standards related to data security that it should meet.  These standards will look at things like access rights, password protocols, physical controls over equipment, policies and procedures for the business and many other items.  Once these standards are set, then the risk assessment should look at the following areas:

  • What information sources does the business have and what information comes from those sources?
  • How sensitive is each data source? Does it contain information that if breached would become a legal issue (like credit card information or employee data)?  Is it commercially important to the business?  Or is it just “run of the mill” information that if disclosed would not cause any harm?
  • What would be the business impact if the data source was compromised, lost or stolen?
  • What is the level of threat and degree of vulnerability to each data source from internal attacks, external attacks, system malfunctions, process changes or regulatory requirements?
  • What is the likelihood of an incident in each of these areas occurring?
  • What are the specific risks in each of these areas that can be identified?

On the surface, this might seem a daunting task but if you assess the top four or five data sources for the business, this will usually flush out most of the major issues.

This process is usually driven by the Internal Audit department, but if your company doesn’t have one, the responsibility for ensuring the assessment is done will likely fall to the finance & accounting department.  However, this doesn’t mean you should be the only ones involved in the assessment.  Getting input from all functional areas of the company is important.  Also, this isn’t and shouldn’t be an exercise conducted by the IT department alone.  Although our friends in IT are usually on top of what’s happening in the business from a data perspective, this assessment is more than just making sure password protocols and firewalls are in place.  The assessment speaks to the entire business process and should be treated as such.

There is also another very good reason to involve others.  It is important to get consensus from within the business about what data is most vital to ongoing operations.  Everyone thinks their information is important, but in the big picture some data sources will be head and shoulders above the rest.  These are the data sources that need to be examined with a critical eye, and the process is easier when everyone has agreed on which they are.

As the risk assessment is completed, it will highlight areas of concern and a list of things to be done to improve data security will result.  Some of these things will be IT-related but the list may also include efforts by the HR department to write up policies and update employee handbooks, or require department managers to educate their employees about new procedures.  By considering the analysis on data sensitivity, business impact, threat and vulnerability, and likelihood, this list can be prioritized to drive the work to the biggest issues first.  The end result is hopefully more secure data and a few less sleepless nights.
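The assessment questions listed above (sensitivity, business impact, threat and vulnerability per area, likelihood) and the prioritization described in this paragraph can be captured in a small risk register. The following is an added example, not code from the original post or from its author: it assumes a 1-to-5 rating scale, three sensitivity classes taken from the post (regulated, commercial, routine), and a constructed inventory of six hypothetical data sources. Its generalization beyond the post is the scoring rule: sensitivity weight times business impact times the worst vulnerability-by-likelihood product across the threat areas, with regulated data always kept in the review list because a breach there is a legal issue regardless of its numeric score.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Threat areas the assessment asks about for every data source (from the post).
THREAT_AREAS = ("internal", "external", "malfunction", "process_change", "regulatory")

# Sensitivity classes from the post: regulated data is a legal issue if breached,
# commercial data gives the business its edge, routine data causes no harm.
SENSITIVITY_WEIGHT = {"regulated": 3, "commercial": 2, "routine": 1}


@dataclass
class DataSource:
    name: str
    sensitivity: str                                   # "regulated" | "commercial" | "routine"
    impact: int                                        # business impact if compromised, 1 (low) .. 5 (severe)
    exposure: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # area -> (vulnerability, likelihood), each 1..5


def validate(source: DataSource) -> List[str]:
    """Return a list of rating problems; an empty list means the entry is usable."""
    errors = []
    if source.sensitivity not in SENSITIVITY_WEIGHT:
        errors.append(f"{source.name}: unknown sensitivity {source.sensitivity!r}")
    if not 1 <= source.impact <= 5:
        errors.append(f"{source.name}: impact must be 1..5")
    for area, (vuln, likelihood) in source.exposure.items():
        if area not in THREAT_AREAS:
            errors.append(f"{source.name}: unknown threat area {area!r}")
        if not (1 <= vuln <= 5 and 1 <= likelihood <= 5):
            errors.append(f"{source.name}: {area} ratings must be 1..5")
    return errors


def area_score(source: DataSource, area: str) -> int:
    """Vulnerability times likelihood for one threat area; unrated areas count as minimal."""
    vuln, likelihood = source.exposure.get(area, (1, 1))
    return vuln * likelihood


def worst_area(source: DataSource) -> str:
    return max(THREAT_AREAS, key=lambda a: area_score(source, a))


def risk_score(source: DataSource) -> int:
    """Sensitivity-weighted impact times the worst exposure across all threat areas."""
    return SENSITIVITY_WEIGHT[source.sensitivity] * source.impact * area_score(source, worst_area(source))


def prioritize(sources: List[DataSource], top_n: int = 5) -> List[Tuple[str, int, str]]:
    """Rank sources by risk, keep the top few (the post suggests four or five),
    and always add regulated sources that fell below the cut."""
    ranked = sorted(sources, key=risk_score, reverse=True)
    chosen = ranked[:top_n]
    chosen += [s for s in ranked[top_n:] if s.sensitivity == "regulated"]
    return [(s.name, risk_score(s), worst_area(s)) for s in chosen]


# Constructed sample inventory (hypothetical ratings, not real data).
INVENTORY = [
    DataSource("Customer list", "commercial", 4, {"external": (3, 3), "internal": (4, 2)}),
    DataSource("Employee/payroll records", "regulated", 5, {"internal": (3, 3), "malfunction": (2, 3)}),
    DataSource("Cardholder data", "regulated", 5, {"external": (4, 3)}),
    DataSource("Marketing brochures", "routine", 1, {"external": (5, 5)}),
    DataSource("Supplier contracts", "commercial", 3, {"process_change": (3, 3)}),
    DataSource("General ledger", "commercial", 4, {"malfunction": (3, 4)}),
]


if __name__ == "__main__":
    for src in INVENTORY:
        for problem in validate(src):
            print("rating problem:", problem)
    for name, score, area in prioritize(INVENTORY):
        print(f"{score:4d}  {name:26s} worst area: {area}")
```

The ranking drives the to-do list: the worst area for each entry tells you whether the fix is an IT control, an HR policy, or a process change, which is the split the post describes. A source that scores low only because an area was never rated shows up with the default minimal exposure, so blank rows in the register are a sign the assessment is incomplete rather than that the data is safe.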


2 Responses

  1. I’m glad to see that business consultants like yourself are starting to talk about data as an asset that can be stolen, damaged, misplaced or misused.

    My company provides IT support and services to South Florida small businesses and I often feel that we are alone in the struggle to keep our client’s most important asset safe.

    Many small businesses think that a firewall, a good anti-virus program and some (mostly) decent passwords are good enough. This is not the case by far.

    Business processes are just as (more?) important in the fight to keep data secure.

    For instance, this morning I was let into the side (smoking) door of a “secure” plant with zero questions. Actually, they held the door open for me because my hands were full with a computer. This should not have happened.

    I could go on and on…

    Keep up the good work and love the blog.

    Adam Steinhoff
    DedicatedIT

  2. Levels of access are an important factor in information security. “Need to know” screening and access not only protect the data system, but also protect the confidentiality of corporate data. It sounds simple, but there are many companies that do not have levels of security or internet restrictions built into their systems.
