• Home
• About ASA
• e-Format
• Advertise
• Subscribe
• Previous Issues
• Career Suite
• Contact us

• March 2012 Issue
• updates
  • News - Integrated Reporting
  • News - Technical
• commentary
  • Budget: New Companies Act
  • Fullstop: On His High Horse: The Tax Element
  • Strategic CA(SA): Good Governance: What Is That?
• focus
  • Thought leadership
• analysis
  • A New Auditor Liability Regime for South Africa
  • Secondary Tax On Companies: Investment Driver?
  • Share Block: Retrospective Application
• life
  • Art: Of Magic Flutes And Millions
  • Coaching: It's A Wonderful Life: Or Is It?
  • Motoring: Mercedes C350 Coupé, VW Passat
  • Profile: Samuel Ellis Abrahams 45 YEARS IN THE PROFESSION
• report
  • Data and Profitability: Using the right Data Tools and Process
  • Data and Regulation: Compliance
  • Information Security: Are we Safe?
  • Software Innovations: Living in the Cloud
• CPD Verifiable Articles
  • Secondary Tax On Companies: Investment Driver? (30min)
  • A New Auditor Liability Regime for South Africa (30min)

“… we can never be 100% secure, there are just too many variables that will cost too much. But we can come close and, at the very least, minimise our risks while maximising the opportunities that await us.”

Information Security: Are we Safe?

Several key trends are rapidly changing the operating environment within which we do business. Global competition, tough regulatory regimes, expectations of demonstrable governance by stakeholders, changing workforce demographics and finally rapid technological innovations have a significant impact on the way we handle and share corporate information. We will find ourselves having to manage the apparent contradictions that are brought about by, for example, greater demands for customer data access for business analytics against the need to preserve customer privacy (and therefore restrict access) as mandated by law. 

Similarly, the opportunity behind access to business critical information at anytime and from anywhere, brings with it challenges in respect to the use and management of mobile devices such as laptops, smart phones or tablets which effectively render the corporate firewall redundant. And let's not forget the social networking element that is making its way into the business place, forcing us to rethink our policies in respect of employee expectations of privacy against the need to protect the enterprise. 

And what about cloud computing? Taking full advantage of the savings that cloud services bring about will require us to relinquish control over our corporate data. This coupled with the fact that that information theft continues to be one of the most common types of fraud to which companies are susceptible (Kroll Global Fraud Report, 2011/2012) compels us to take a serious look at the arrangements we have in place to secure our information assets. 

Theft of confidential information is on the rise because data is increasingly portable and perpetrators can access and remove it with relative ease. The need for ubiquitous access to business intelligence, integration of personal mobile devices into the corporate network and the opportunities associated with the extended enterprise present a target-rich environment for would-be fraudsters. We need a proactive approach in response to the complexity and volume of security threats our businesses will face.

Information Security is often considered to have three components; technology, processes and people. Traditionally, technology is seen as the key aspect of Information Security, which is not surprising, given that IT complexity is cited as the leading cause of increasing fraud exposure in most corporates (Kroll Global Fraud Report 2001/2012). But be warned, Information Security is not just an IT problem, and those who pursue a technology-only response may be disappointed. 

Processes and people are not to be overlooked when developing holistic approaches to Information Security. This implies that we consider questions beyond just the tactical, and respond with strategy and transformation in mind, as follows:

• How do we identify and measure Information Security related risks and compare them with other business risks?
• How will our organisation's business model evolve in the future, and what Information Security opportunities and risks will this present?
• How will we ensure compliance with Information Security regulations and standards without being overwhelmed?
• Does Information Security present opportunities to gain competitive advantage?
• Have we clearly identified what information is most valuable to our business and which information is most at risk?
• Have we effectively embedded good Information Security behaviours into our organisation's culture and what does this mean to the way we do business?
• Are we aware of what events may cause our business to lose its trusted status? How are these being mitigated?
• Do we understand the dependency we have on trading partners and do we have measures in place to ensure the security of information as it flows through our extended enterprise?

The key elements of a holistic approach to Information Security that will enable us to answer these questions are outlined below, which include:

• Setting direction for Information Security in the organisation – providing leadership, assigning responsibilities and formulating policies.
• Creating a sound control framework – identifying risks, defining the compliance universe, raising awareness, establishing an Information Security Management System (ISMS).
• Managing exposures – threat assessments and vulnerability scanning, documenting baseline standards and putting in effective vulnerability management practices.
• Building secure environments – incorporating secure practices into key business and IT processes, implementing sound information-leak management and information-access management strategies for the enterprise.
• Managing incidents – being able to investigate effectively and efficiently and respond to cyber attacks, internal fraud investigations and regulator queries.
• Building in resilience – having sound business continuity plans and being able to recover effectively in the event of a disaster.

Having implemented these elements - Are we safe? Well, we can never be 100% secure, there are just too many variables that will cost too much. But we can come close and, at the very least, minimise our risks while maximising the opportunities that await us. 100 years of asa

Author: Kris Budnik MSc, CIPP/IT, is head Information Security, PwC.

• Print this article
• View more articles from the 'report' section.

Latest Site Comments