Friday, November 21, 2014

Don't Implement Information Security Measures Aimlessly

With all the hoopla about the various recent data breaches, organizations may be rushing into planning and implementing additional security measures in an effort to prevent their organization from becoming the next major data breach victim. Their intentions are good; however, before they go rushing into implementing additional security measures, they should really ask themselves if the perceived risk is critical enough to warrant implementing additional information security measures. I say perceived risk because many of those organizations may be implementing measures based on their own or someone else's best judgment.

Organizations should not be implementing information security measures based on a hunch or best guess. Doing so could result in wasted resources and actual information security issues not being addressed. Instead, organizations should be making informed decisions on how to address risk. Making an informed decision will greatly enhance resource management and ensure the security issues creating the most risk are addressed before the low risk security issues.

The best way to ensure an organization's senior management has the information required to make an informed decision is to conduct a risk assessment. In actuality, organizations should have a risk management program that conducts regular risk assessments. If they don't have one, then they should consider implementing one immediately. Regardless of having or not having a risk management program, an organization should base its information security decisions on the findings of a risk assessment.

There are many different methods that could be used to conduct a risk assessment. A risk management team can use an industry accepted or peer reviewed method such as the Factor Analysis of Information Risk (FAIR), the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), the Information Systems Audit and Control Association's (ISACA) Risk IT Framework, International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27005, etc. Using an industry accepted or peer reviewed method will give the organization's senior management assurance that they are looking at an accurate depiction of the organization's risk and give them the ability to make an informed decision on how to address it.

Information security is an issue on the minds of many organizations. Since it is a concern, many may be haphazardly implementing information security measures and wasting valuable resources, time, and money. To prevent the unnecessary waste, organizations should implement a risk management program, if not already done, and conduct routine risk assessments. The informed decisions made from the information provided in a risk assessment will ensure resources are properly allocated and reduce the chances of the organization experiencing a data breach or other information security related incident.
