Cyber Security: Digital Information as an Asset
Assets are traditionally thought of as tangible things such as money, property, machinery and so on. But increasingly, it is recognised that information itself is an asset. Digital information and data assets are anything that can be stored, processed or transmitted through digital systems. In today’s digital world, it is increasingly apparent that digital information can be the most important asset, for both businesses and individuals – think of the value of music to a media company or a games program to a video game company. It is valuable and can be lost, either by being destroyed, misplaced or stolen. Considering information as an asset makes us realise we should create strategies to protect data and minimise the consequences of any loss. Since 1990, the world has moved from one where most information existed in paper formats to one where the world predominantly transacts its business digitally.
Risk management
Information security risk management assesses the value of information assets belonging to an individual or an organisation and, if appropriate, protects them on an ongoing basis. Information is stored, used and transmitted using various media; some information is tangible, paper for example, and it is relatively straightforward to put in place strategies to protect this information – such as locking filing cabinets, or restricting access to archives. On the other hand, some information is intangible, such as the ideas in employees’ minds, and is much harder to protect. Companies might try to secure information by making sure their employees are happy, or by legal means such as having contracts that prevent people leaving and going to work for a rival. However, note that some industries have blossomed simply because people could easily move and spread new ideas rapidly through many start-up businesses.
Imperatives and incentives
Information security risk management considers the process in terms of two factors: imperatives and incentives.
The imperatives for information security arise from legislation and regulation. The Computer Misuse Act and the Data Protection Act 2018, which is the UK’s implementation of the General Data Protection Regulation (GDPR), are examples of legislative imperatives. Regulatory imperatives include standards such as the Payment Card Industry Data Security Standard (PCI-DSS), which specifies how merchants should secure all card transactions.
The most important incentive is trust. The internet is fundamentally underpinned by trust, supported by technologies such as encryption and signatures that help us feel secure. People and organisations are more likely to work with other people and organisations who have secured their information. Establishing this trust requires that the parties involved examine each other’s information security practices to ensure that there are adequate safeguards to protect the information. One way of doing this is to show that the organisation has satisfied the requirements of standards such as PCI-DSS or the ISO27000 family of standards for designing and implementing information security management systems.
Personal Digital Assets
Any sort of information that you store on a computer system that you use and which would be expensive, inconvenient, or impossible to replace if it was lost, damaged or stolen is a 'digital asset'. For example:
Duplicates of some of these assets could be obtained: for instance, Apple would allow the download of new copies of any lost music, films etc., but it would take a very long time to rebuild the entire library. E-mails and financial records could be recreated, but only by spending a lot of time asking for information from other people. Passwords could be changed and other authentication information could be recovered, but again it would take a great deal of time and inconvenience to get back to normal. Most of the photos would, sadly, be lost forever.
Risk analysis can be used to help you decide on a course of action in protecting your digital information.