Welcome to the Guardian Technologies knowledge base.
How would we get started with an information centric strategy?
The initial step is to ascertain who the business sponsors are. A sponsor at the board level or near board level is imperative for success. Guardian Technologies undertakes initial discussion to scope the engagement and then will undertake a series of interviews with department managers to understand the following:
- What applications do you use mostly and how are they used within the business processes?
- What information is created and used within the department?
- What criticality (five levels) would be apportioned to the information?
- What controls are applicable?
- What measures are currently in place?
With this information, a map of the applications and their information flows can be constructed, covering the users, access methods, controls and many other factors.
A risk profile is then generated to identify the categories of information, how each is used, where it is shared and the risk of its loss. From this, a plan of agreed measures can be drawn up to protect the critical information using process, people and technology.
What is the difference between traditional security and information centric security?
Traditional security is based upon a set of tiers of security from the perimeter, through the network, endpoint and application layers, and has tended to be managed by the IT department. There has been little business interaction apart from financial. For an information centric approach, the information lifecycle needs to be understood in conjunction with business processes to ensure that security measures do not interfere with business function. Therefore business involvement at the early stages is critical to align business needs with technical solutions, which are based upon the value or criticality of the information. The only people who can assess that criticality tend to be the business and information owners.
Does GDPR relate to Information Centric Security?
Absolutely! GDPR relates to personal data and its protection. However, all organisations will have other information categories that are critical to that business. Understanding where your personal data is stored, how it is created, with whom it is shared and why, are all valid activities, but what about intellectual property, financial information including PCI-DSS cardholder data, and strategic information about M&A activity? All information needs to be assessed for value and protected according to that value.
What is GDPR and why is it important to understand it?
GDPR is the General Data Protection Regulation that came into force across all European organisations in May 2018. It applies to all personal information or PII (personally identifiable information) relating to European citizens and employees. PII must be controlled and managed securely. Significant fines can be applied for PII data loss. Every company in Europe, including the UK, is required to comply if it wishes to trade with European businesses.
What is the Information Lifecycle and why is it important?
The information lifecycle, as the name suggests, is the cycle of information creation, use, storage, sharing and deletion. Information is constantly being created by individuals, applications, systems, etc., and it is used for specific purposes, resulting in it being stored somewhere and shared with someone or something; only rarely is it deleted or archived. Understanding how information lifecycles work within an organisation is important to ensure that critical information is protected at all times.
Why is protecting information so critical?
The whole security environment for organisations is changing. The traditional approach of perimeter protection is no longer viable. The perimeter security of firewalls, IDS and IPS has not worked effectively, as the perimeter now extends to cloud and third parties, where traditional protection breaks down. An information centric approach, however, means that flexible protection methods can be used to ensure the information is protected wherever it is used, stored or shared.
We have many security solutions in place so what can you do to enhance our security?
We can first understand what your users are doing with your information. Are they copying it, emailing it, sending it out of the organisation? From this we can help you understand what ‘normal’ activity is and what abnormal activity is. We can then quantify the risk to that information and put measures in place to reduce the information risk.
What is GTL’s area of expertise?
Guardian Technologies is a security provider of software, professional services and consulting. However, we focus on and specialise in helping clients understand the risk to their information and developing solutions to protect it.
What to do next?
Please contact Guardian to discuss how an information centric approach can be developed in your organisation whether for GDPR or wider information protection.