Each Business is unique….just like a fingerprint

The very thing that differentiates one business from another is the very thing that makes each business unique and competitive.  Much time is spent in developing ways to differentiate a business from that of its competitors, whether the focus is on quality, service, features and benefits, or cost.  The manner in which a business is managed, its culture, and the methods by which it provides its products and services all contribute to the uniqueness of the business. All the processes found within a business, its information system, accounting procedures, marketing programs, and the manner in which it engages its clients all serve to form the “fingerprint” of a business.

If a business were to have a nerve center it would surely be its information system. It is the conduit by which all information about the activities that the business is engaged in is exchanged, recorded, and analyzed. Due to its vital position within the firm, it requires the most attention to secure and ensure that its integrity is maintained.  However, a single “every solution fits all” approach to information security is not appropriate as each business demands its own unique solution to reflect the inherent “fingerprint” of its business activities.   Developing a robust information security policy that reflects the unique requirements of each business is the first step in creating an organization wide information management platform. The key element to developing an information security policy is having a complete inventory of an organization’s information assets.  This inventory map is the data “fingerprint” that is to be used as the criteria when evaluating Managed Security Service Providers (MSSP) and cloud providers. It is critical to perform thorough capability due diligence evaluations of MSSP and cloud providers to ensure that an organization has a clear understanding of:

·         Where the line of information security responsibility lies between the organization, the MSSP, and cloud provider lies;

·         What information and applications are suitable to be hosted in a cloud environment given the business and security requirements needed;

·         What the full liability would be and with whom would it rest should an information breach occur.