The Four Aspects of Information SecurityDavid Luyt2017-12-07T07:00:41+02:00
Data protection laws around the world generally require organisations to take appropriate and reasonable technical and organisational steps to secure personal information against loss, damage, destruction, or unlawful access or processing. But, what are technical and organisational steps? We can break each set of steps down into two aspects – giving us the four aspects of information security.
Technical steps
Technical steps relate to a particular subject or technique associated information security, namely physical and digital security. These are the things that you can buy and are often where most organisations are strongest.
Physical security
Physical security involves protecting information on equipment and premises from unauthorised physical interaction through measures that can be seen or touched, such as:
- Keeping filing cabinets locked
- Shredding paper records
- Locking office doors
- Implementing access control using key cards or biometrics
- Using video surveillance
- Hiring security personnels
Digital security
Digital security involves protecting information on systems and networks from unauthorised electronic interaction through electronic and digital measures, such as:
- Insisting on robust passwords
- Installing anti-virus software
- Having up-to-date Software
- Implementing firewalls
- Encrypting hard drives, files, and emails
- Managing mobile devices
- Hiring cybersecurity experts to conduct penetration testing
Organisational steps
Organisational steps relate to the routine functioning of your organization when it comes to information security, namely operational and administrative security. These are the things that you cannot buy (you have the develop them over time) and are often where most organisations are weakest.
Operational security
Operational security involves protecting information from operational risks inside your organisation through measures that relate to routine functions and operations, such as:
- Fostering a culture of security
- Adding messages to log on screens
- Providing in-house personnel training
- Providing external personnel training
- Monitoring workstations
- Implementing employee on-boarding and exit procedures
Administrative security
Administrative security involves protecting information from business risks outside of an organisation through measures that originate from key decision makers or formal structures, such as:
- Providing your leadership with awareness training
- Planning around security
- Drafting privacy, incident response, and information security policies
- Getting cybersecurity insurance
- Conduting due diligence of subcontractors
- Implementing audit controls
- Making business continuity arrangements
