I closed part II of this post with a series of assumptions in order to move the discussion forward and ended with asking a rhetorical question of what should be done to protect and control information. In some cases the answer is very little. This may seem like apostasy for someone whose career has been in information security but stringent controls on information can be just as damaging as too little. The strictest policies I ever seen on email and web usage were a local government bureaucracy, not exactly a hot bed of original thinking.
So in the management of information we have paradox, a sort of Laffer curve of information security. Paradox is a well known characteristic of complex systems and multivalued logic. Slow is fast, low risk is high risk, total knowledge is uncertainty etc. Think of the ‘wall’ between intelligence and law enforcement assets that existed prior to 9/11 here in the US. When we encounter paradox it provides an opportunity for original thinking between periods of grinding our teeth. How long did Zeno’s paradoxes stand before they were solved by Newton/Leibniz with the creation of calculus*?
Information security wouldn’t be necessary if people could be trusted. The only reason to spend money on security is to control, contain, or stop the damage of malicious people. Information stored in database management systems are easy to control, however, other information in the form of instant messaging, spreadsheets, emails, word processing documents are far more difficult. There are content management solutions, digital rights solutions, IM gateways and the like. How often do you find them utilized? Frequently, it is used piecemeal, a knee jerk response to a consistent minor problem. Despite this massive army of technical solutions, you rarely find a cohesive, integrated deployment of the technologies in the corporate landscape. From this result we can draw one of the following conclusions, the risk is so low it makes no sense to spend the money, we are aware of the risk and impact but don’t believe it will happen, or we are uninformed, that is, ignorant of the risk. It is difficult to convince some one to take measures against a risk that only happens once every 10 years. Anti-virus software wasn’t deployed in a lot of companies until email viruses took down their systems with regularity. If I give you a paper cut everyday, you won’t wait too long to take action against me but If I beat you in the parking lot with an ax handle once every ten years, you will be far more lax in your defensive posture despite the enormous difference in damage.
When we have information properly classified by the information owners, it is necessary to think through who the other stakeholders are, and speak to them before we start the lock down process. Who may find this information useful and valuable besides the group whom created it? What is their perspective? What of others who may wish to acquire access to this information ad hoc because they believe they can add something? Soliciting these other views allow us to make reasonable judgments about sharing and use of information. Once the foregoing is done we need to consider whether our annual expected loss and the probability we are dealing with is a regular paper cut or a body damaging beating. Here is the point we have reached:
- Identified external and internal risks across the value chain
- Prioritized the risks
- Risk processes are aligned with goal setting
- Proper task organization and structure
- Information is classified
- Annual expected loss and probabilities estimated
Now access controls can be placed on the information. If high value information is not already stored in database management systems, create the conceptual models and create the database. This gives integrity and tighter controls. Other forms of data may be stored and secured by application whether exchange offline databases, content management systems, and the like. Identity management workflows can be set to handle access requests.
Areas of beneficial research would be intelligent agents (perhaps based on the work of Stephen Thaler) for permitting temporary access using stored individual models of existing permission grants. Modeling of the dynamic systems looking for equilibrium between unrestricted and locked down information. Also better methods for creating and reducing knowledge into conceptual models and stored and queried against truly relational database management systems.
There is quite a lot of work listed in these three parts that just isn’t being done in a disciplined way, or in many cases, done at all. The majority of this work does not require heavy investments in new technologies but it does require business process realignment. Marco I hope I answered your question.
* Philosophically they may still be unresolved.