As the IT professional in a small or medium-size business (SMB), your company depends on you to protect its network and other vital information assets from harm. In a small or medium-sized business, you may be the only technical support, or you may be the leader of a small group of technicians. Regardless, there never seems to be enough time in the day to get everything done.
One of the most critical aspects of your position is to protect your company’s vital information. One of the most fundamental concepts in protecting an information system is the security triad: Confidentiality, Integrity, and Availability, often referred to as CIA. Confidentiality means ensuring that only properly authorized persons have access to private and proprietary information. Integrity means protecting data from unauthorized alteration or damage. Availability means that information is accessible when required.
Each leg of the triad is critical to protecting your company’s most vital asset: its information.
Before planning a strategy to protect your assets, you must determine which information assets need protection. When creating your risk assessment, you should include the benefit derived from the information, the estimated time to recreate the information if it is lost, the negative impact of data loss or corruption, any regulatory requirements, and the estimated value of the information to external parties. In your role as the systems administrator, you will not be able to answer most of these questions yourself; therefore, you should work with the business managers responsible for the information (the information owners) to complete the risk assessment.
Once the risk assessments are complete, you can plan the appropriate level of security, redundancy, and recoverability for nearly any situation. This is where you start to work with the information security triad.
Each information system in your company may include data that is either proprietary or private. This information can range from the social security numbers in your Human Resources system to the bank account numbers and balances in the accounting database. This information may cover company-owned patents, internal business processes or financial projections. Regardless, if it is proprietary or private, you are responsible for ensuring that unauthorized users do not gain access.