Best Wishes for 2015!


Where to start for protecting your key company information?

Today's market environment is very competitive and challenging. Using and understanding advanced technologies is vital to stay in the race, grow the business and scale operations. To build and support a competitive advantage, adopting currently available technology such as cloud computing might help your organisation optimise its IT costs and operational efficiency.

Currently, many articles and publications address the advantages and disadvantages of cloud computing services. What the press mostly retains is that cloud computing provides a fast, flexible, highly automated alternative to traditional IT outsourcing, with more storage and at lower cost.

Based on this new trend, a recurrent question emerges from Chief Information Officers (CIO), Chief Security Officers (CSO) and IT managers: how do providers ensure information security, specifically data protection, in a cloud computing environment?

It is a matter of fact that cloud computing does not bring a new threat or risk, but it raises the key and vital questions of information security: what, where and how do organisations protect their important data?

There is some evidence that companies are now taking data protection more seriously and treating it with more respect, but a lot of work still needs to be done by others. We can identify three categories of company:
  • Companies doing nothing
  • Companies reacting to an event (data breach, data leakage, hacking, etc.)
  • Companies (more and more of them) that understand data protection more intently and engage the organisation with a systemic approach, ensuring that data security protection is in place and effective.

It is important to highlight that companies that avoid practising data security protection might face several negative impacts, most importantly brand image damage and loss of revenue.

Firstly, a negative impact on the brand image can occur, for example, in case of data loss such as hacking or a data leak: for critical data like customer information, the incident will need to be communicated to all customers and explained.

Sheffield-based A4e was fined £60,000 for the loss of an unencrypted laptop containing details of twenty-four thousand (24’000) people. Their customers lost confidence in them.

The second negative impact is loss of revenue. The illustration is the hacking of Sony customers' personal information in May 2011. The company revised its earnings statement, estimating that the costs of these attacks may reach over $170 million.

How can we address these data protection risks with a systemic approach?

One of the most efficient and widely used management tools is the Deming wheel. It helps the manager analyse and measure the identified sources of variation that cause products to deviate from a specified requirement. Continuous monitoring increases the quality of the service and assures compliance.

PLAN

Several steps are required to understand what regulations and local laws require:

  • Browse and study the regulatory landscape. Stay informed of new and applicable regulations. Examples of data protection laws and directives:
      • European Data Protection Directive 95/46/EC (source: http://ec.europa.eu/justice/policies/privacy/index_en.htm)
      • Swiss Data Protection Act, 235.1 (source: http://www.admin.ch/ch/e/rs/2/235.1.en.pdf)
      • USA PATRIOT Act (source: http://www.justice.gov/archive/ll/highlights.htm)
      • German Federal Data Protection Act (the "Federal Act") (source: http://www.bfdi.bund.de/EN/Home/homepage_node.html)
  • Complete a risk assessment on the law or regulatory change (see the previous Real-Times article by Marcel van Wort)
  • Understand what the law and the regulator are asking for.

DO

Launch one or several pilots (in series or in parallel). This will allow your organisation to understand the risks and difficulties before rolling out at large scale.

CHECK

To verify that the pilot project reflects what was designed in the “PLAN” section, assign a stakeholder who will assess the efficacy of the implementation by commissioning an audit and review.

ACT

All outstanding weaknesses identified during the completion of the project implementation shall be studied and remedied.

Depending on the size of the organisation, deploying such an architecture has its challenges; they might grow exponentially, so the implementation should be prudently conceived.

In conclusion, data protection and security is a challenging topic, and several methodologies are available on the market to tackle it, such as COBIT, ISO 27001, Management of Risks and NIST, but most importantly the Deming wheel as an iterative management method.

The Information Security Officer (ISO) is a key function inside the organisation which can provide very broad and deep knowledge about how the data flow (location of sensitive data) is used in the company. In addition to the Deming wheel, the following suggested approach will support your quest to be more secure and compliant in data protection:

Ensure that your company recognises the risks of handling personal data and has exercised the necessary due care on this problem. This can be approached through a risk assessment, such as:
  • Create, implement and enforce appropriate policies, practices and procedures to avoid data protection breaches
  • Pay close attention to sensitive and personal data
  • Follow the guidance of your regulatory bodies in applying their codes of practice
  • Resolve all unknown issues on your servers hosting critical data

Finally, the new data protection rules in Germany have increased the authorities' interest in enforcing data security protection, and companies will need to comply.

It is important to put this key topic back on track in your organisation, avoiding unnecessary fines and protecting your revenue as well as your brand image.

We hope that you enjoyed it.
© 2014 IRM-Advisors