The introduction to ISO 27002, the de facto universal organizing standard for information security management, states that:
Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
What is data security?
Beyond the ISO standard, it is notable that PCI DSS is a data security standard. It requires firewalls and secure storage to protect cardholder data, which must be encrypted when transmitted over open, public networks. It calls for logically and physically restricted access to cardholder data, and tracking and monitoring of access to that data. Then the Payment Card Industry Data Security Standard wraps it all in a bow by requiring an information security policy.
And yet, the person who is directly responsible for data protection is often termed the chief information security officer (CISO). Data security is so 1990s, but it is what the CISOs of our world are actually doing (which is certainly a good thing in itself). Are we simply aggrandizing the CISOs' titles, or are they not doing their job of protecting information? It would seem that the answer is a little of both, with a few more rationales attached.
Matters of definition
Both data and information are important corporate assets, so it is no more vital to secure one than the other. Following through on some basic definitions does help elucidate the difference. Information, so says Merriam-Webster, is "the communication or reception of knowledge or intelligence." Data is "information in numerical form that can be digitally transmitted or processed." At the risk of offending either Mr. Merriam or Mr. Webster, we can conclude that data is the raw material of which knowledge and intelligence are made. It would seem, then, that protecting information has more cachet than protecting all those ones and zeroes.
More important is the mental equation that if the data is protected, then ipso facto the information must be secure as well. That mind-set is rather common, and it changes the issue from an academic discussion of definitions to a very real concern as to whether information actually is protected. It does not really follow that if the raw materials are safeguarded then the finished goods must be secure as well. And, thus, questions should be asked as to what information is in a business setting; what the value of information (as opposed to data) is as a corporate asset; what protective measures should be put in place; and whether they are routinely being adhered to.
The value of information
Data is a tactical asset; it is used to conduct a company's operations. Information is strategic; it is used by management to make decisions. In a different era, information was contained in handwritten notes, typewritten documents and printed reports. Today, information is more likely to be a response to a query on a personal computer screen. Now as always, information is also spoken, face to face or over telephone and video lines. And paper shall always be with us.
The security issue is recognition of the substance of the information and association of it with those authorized to receive it. This is the access control problem writ small, inasmuch as we can know what and where data is, what transactions are, and who needs them to perform their jobs without being aware of the contents of the databases and files. But to protect information, as opposed to data, we need to know what the information is. The context of real information security is content.
Information has a range of sensitivity, as does data. Plans for the holiday party are information, but not nearly so sensitive as sales figures, designated layoffs or the strategic plan. In each case, a company may or may not take an action based on what the information tells the readers. The real value of information, therefore, is derived from what is done with it. In the hands of a true decision maker it is powerful stuff; for others it may be ho-hum background or, worse, a means of undermining a decision before it is taken. Thus, getting the right information into the right hands and not the wrong ones is a matter of significant concern, both for senior executives and for the CISOs who are charged, in title if not in fact, with protecting information.
An information protection action plan
As a first step, each CISO and his lieutenants should give some thought to what they are doing to protect information, beyond data security. The beginning of security is awareness not only downward to operational personnel, but upward to executives as well. The CISO should organize an information security awareness program, not based on mass appeal with posters, emails and newsletters but a very focused campaign aimed at a small cadre at the top of the organization.
Then, the hard work: it becomes necessary to identify the paths by which information is disseminated and control their use. It may mean that certain executives will be told they will no longer be able to make certain queries or get certain reports, which is never very popular. Even more difficult will be to identify and tag the most sensitive information and restrict its distribution to a tightly defined group of individuals. There is precedent in dealing with personally identifiable information that might well be put to use here.
The least popularity-inducing step is monitoring and tracking the use of information at the top levels. Doing so may prove to be a career-limiting move for a CISO, so it is very important to generate top-level support, preferably at the CEO or board level. This in turn brings the CISOs back to awareness -- at the uppermost level -- and as long as they are there, they might use the opportunity to warn against unguarded conversations on elevators. Or maybe not, for the sake of career longevity.
As to the question of whether CISOs are actually addressing the security of information, as opposed to data, the answer is clearly "no". But they should be.
Steven J. Ross, MBCP, CISSP, CISA, is founder and principal of Risk Masters Inc. Write to him at email@example.com.