Understanding Information Security & Risk Management
This edited extract is from How to Use Customer Data by Sachiko Scheuing ©2024 and reproduced with permission from Kogan Page Ltd.
I have an extremely confidential piece of information on a particular sheet of paper. This A4-sized paper contains a list of Christmas presents I plan to give to my family members.
To make sure that no one gets access to this information, I have hidden it in my home office, in the cupboard next to my desk. There you find a chunky English dictionary.
When you open the page where “Christmas” is listed, you will find my precious list, carefully folded into two.
But what if my children or my other half comes to look something up in an analogue dictionary? Arguably, the risk is small, but I am not taking any chances. I have a secret language called Japanese.
My family might find that piece of paper, but all they will see will be タータンチェックの野球帽 and 腕時計, which are basically hieroglyphs to them.
Thanks to this, my family enjoys wonderful moments exchanging gifts every Christmas. Just writing about this makes me grin, imagining the surprised faces and a burst of laughter, surrounded by the green scent of the Christmas tree and the obligatory mulled wine.
This motivates me to conceal this highly sensitive information even more!
We will discuss how companies and their marketing department can protect their secrets, and their data, so that they, too, can bring a smile to their customers’ faces.
Understanding Information Security
In some board games there is a “get out of jail” card which lets you avoid sitting out a round. What if I said GDPR has something similar?
It is called data security.
The GDPR provisions for data security are in line with the risk-based approach embedded in law, where risk is minimized, and more flexibility is given to controllers.
For instance, when regulators decide on fines, they must take into consideration the security measures companies have put in place to protect the data (see Article 83(2)(c) of GDPR) (legislation.gov.uk, 2016).
Say your laptop is stolen.
If it was encrypted, you do not need to inform your customers that there was a data breach. Not having to inform your customers saves the brand image your marketing department has been building for years.
That is one reason why data security is such an important discipline. Many organizations have a separate security department and a chief information security officer who heads the functional areas.
Those marketers who had security incidents published by news outlets must know how life-saving security colleagues can be in times of need.
Definition Of Information Strategy
The term “data security” is not found in Article 4 of GDPR, the article where definitions are listed. Instead, the word “security” appears in Article 5, where the basic premises of the data protection law are described.
In other words, data security corresponds to one of the main principles of the GDPR, “integrity and confidentiality.”
GDPR expects organizations to ensure the prevention of unauthorized or unlawful processing, accidental loss, destruction, or damage of data as one of the starting points for protecting personal data.
TOMs (technical and organizational measures) must be implemented to this end so that the integrity and confidentiality of the data are protected (Article 5(f) GDPR) (legislation.gov.uk, 2016).
Outside Of GDPR, Information Security Is Defined As Follows
Information security is the safeguarding of information and information systems against deliberate and unintentional unauthorized access, disruption, modification, and destruction by external or internal actors. (Gartner, Inc., 2023)
Information security is the technologies, policies, and practices you choose to help you keep data secure. (gov.uk, 2018)
Information security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (NIST, 2023)
Approach To Information Security
Just as marketing professionals created strategic frameworks – 4Ps, 7Ps, 4Cs, and so on – so the school of information security strategy has come up with frameworks: the CIA triad and the Parkerian Hexad.
CIA stands for Confidentiality, Integrity, and Availability.
Donn Parker, a security consultant, later expanded this framework with three more elements, namely Utility, Authenticity, and Possession.
Below is a brief description of the six aspects of the Parkerian Hexad (Bosworth et al, 2009).
Availability
Availability refers to the ability of the organization to access data. When, for instance, there is a loss of power and your marketers cannot access customer data, it is considered an availability problem.
The file is there, so it is not stolen. However, the marketer is temporarily unable to access the particular data.
Utility
Utility, in the Parkerian Hexad, relates to the problem of losing the usefulness of the data. For instance, if a campaign manager loses the encryption key to the data, the data is still there and can still be accessed.
However, the data cannot be used: the email addresses needed for carrying out an email campaign are encrypted, so they are useless without the key.
Integrity
Maintaining integrity refers to preventing unauthorized changes to the data.
For instance, if an intern of the marketing department accidentally deletes the field “purchased more than two items” within the dataset, this is an integrity-related security incident.
If the manager of the intern can undo the deletion of the field, then the integrity of the data is intact.
Typically, integrity is maintained by assigning different access rights, such as read-only access for interns and read-and-write access for the marketing manager.
Authenticity
Authenticity relates to the attribution of data or information to the rightful owner or the creator of that data or information.
Imagine a situation where your advertising agency, acting as your data service provider, receives a fake email which instructs them to delete all your customer data.
The agency might think that it is a genuine instruction from your company and execute the command. This is an authenticity problem.
Confidentiality
When someone unauthorized gets access to a particular marketing analytics file, confidentiality is breached.
Possession
The Parkerian Hexad uses the term possession to describe situations where data or information is stolen.
For instance, a malevolent employee of the marketing department downloads all the sales contact information to a mobile device and then deletes it from the network. This is a possession problem.
Risk Management
In addition to understanding the problems you are facing, using the Parkerian Hexad, your organization must know the potential security risks for the business.
Andress suggests a useful, generic five-step risk management process that applies to a variety of situations (Andress, 2019).
Step 1: Identify Assets
Before your organization can start managing your marketing department’s risks, you need to map out all data assets belonging to your marketing department.
In doing so, all data, some distributed in different systems or entrusted to service providers, must be accounted for.
Once this exercise is completed, your marketing department can determine which data files are the most critical. The RoPA (record of processing activities), with all processing of personal data mapped out, can be leveraged for this exercise.
Step 2: Identify Threats
For all data files and processes identified in the previous step, potential threats are determined. This may mean holding a brainstorming session with marketers and security and data protection departments to go through the data and processes one by one.
The Parkerian Hexad from the previous section can be a great help in guiding through such sessions. It will also be helpful to identify the most critical data and processes during this exercise.
Step 3: Assess Vulnerabilities
In this step, for each data use surfaced in Step 2, the relevant vulnerabilities are identified.
In doing so, the context of your organization’s operation, products and services sold, vendor relations as well as the physical location of the company premises are considered.
Step 4: Assess Risks
In this step, the threats and vulnerabilities for each data file and process are compared and assigned risk levels.
Vulnerabilities with no corresponding threats, or threats with no associated vulnerabilities, are treated as carrying no risk.
Step 5: Mitigate Risks
For the risks that surfaced in Step 4, measures necessary to prevent them from occurring will be determined during this stage.
Andress identifies three types of controls that can be used for this purpose. The first type, logical control, protects the IT environment in which your customer data is processed, using measures such as password protection and firewalls.
The second type is administrative control, usually deployed in the form of a corporate security policy that the organization can enforce. The last type is physical control.
As the name suggests, this type of control protects the business premises and makes use of tools such as CCTV, keycard-operated doors, fire alarms, and backup power generators.
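The five steps as one small worked example, added here and not taken from the book: a risk register that pairs threats with vulnerabilities per asset and Parkerian Hexad element, drops unpaired items as risk-free, and records which type of control (logical, administrative, physical) would mitigate each risk. All assets, threats and vulnerabilities are constructed, and the 1-5 scales, score formula and level cut-offs are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import product

# Added example (not the book's own): a minimal risk register walking the five
# steps. All data is constructed; the 1-5 scales, the score formula and the
# level cut-offs are assumptions of this example, not something the extract prescribes.

@dataclass
class Threat:          # Step 2: what could go wrong, tagged by Hexad element
    asset: str
    hexad: str
    what: str
    likelihood: int    # 1 (rare) .. 5 (expected), assumed scale

@dataclass
class Vulnerability:   # Step 3: the weakness a threat could act on
    asset: str
    hexad: str
    what: str
    control: str       # logical / administrative / physical (Step 5)

def assess_risks(assets, threats, vulns):
    """Step 4: a risk exists only where a threat and a vulnerability meet on
    the same asset and Hexad element; unpaired items carry no risk."""
    register = []
    for t, v in product(threats, vulns):
        if (t.asset, t.hexad) != (v.asset, v.hexad):
            continue
        score = t.likelihood * assets[t.asset]   # assumed: likelihood x criticality
        level = "high" if score >= 15 else "medium" if score >= 8 else "low"
        register.append(dict(asset=t.asset, hexad=t.hexad, threat=t.what,
                             vulnerability=v.what, score=score, level=level, control=v.control))
    return sorted(register, key=lambda r: -r["score"])

# Step 1: constructed assets with an assumed 1-5 criticality; Steps 2-3 below are
# constructed threats and vulnerabilities modelled on the extract's own scenarios
ASSETS = {"customer_db": 5, "campaign_analytics": 3}
THREATS = [
    Threat("customer_db", "integrity", "intern deletes a field", 4),
    Threat("customer_db", "utility", "campaign manager loses the encryption key", 2),
    Threat("customer_db", "authenticity", "agency acts on a fake email", 2),
    Threat("campaign_analytics", "confidentiality", "laptop stolen", 3),
]
VULNS = [
    Vulnerability("customer_db", "integrity", "interns have write access", "logical"),
    Vulnerability("customer_db", "utility", "no escrow copy of the key", "administrative"),
    Vulnerability("campaign_analytics", "confidentiality", "laptop disk not encrypted", "logical"),
]

for r in assess_risks(ASSETS, THREATS, VULNS):
    print(f"{r['level']:6} {r['asset']}/{r['hexad']}: {r['threat']} -> {r['control']} control")
```

The authenticity threat has no matching vulnerability in the sample data, so it does not appear in the register; the output shows why re-running the process after a move or migration matters, since any of these inputs can change.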
Over time, risks may change.
For instance, your marketing department may be physically relocated to a new building, changing the physical security needs, or your company might decide to migrate from a physical server to a cloud-based hosting service, which means your customer data will have to move, too.
Both situations require a new round of the risk management process.
In general, it is advisable to revisit the risk management process at regular intervals, say annually, to keep your company on top of all the risks your marketing department, and the wider business, carries.
Approaching Risk Management With Three Lines Of Defence
The Institute of Internal Auditors (IIA) established a risk management model called Three Lines of Defence.
The model requires three internal roles to work together and act as robust protections for the organization: (1) the governing body, with oversight of the organization, (2) senior management, which takes risk management actions and reports to the governing body, and (3) internal audit, which provides independent assurance (IIA, 2020).
The elements of the Three Lines of Defence are (IIA, 2020):
First Line Of Defence
Manage risks associated with day-to-day operational activities. Senior management has the primary responsibility, and emphasis is put on people and culture.
Marketing managers’ task here is to make sure that their department is aware of data protection risks, including security risks, and is following relevant corporate policies.
Second Line Of Defence
Identify risks in the organization’s daily business operations. Security, data protection, and risk management teams carry out monitoring activities.
Senior management, including the CMO, is ultimately accountable for this line of defence. A well-functioning second line of defence requires good cooperation between marketing and security, data protection, and risk management teams.
In practice, this means understanding the importance of operational-level auditing and providing input to the security team, even when there are other pressing deadlines and business issues.
Third Line Of Defence
Provide independent assurance on risk management by assessing the first and second lines of defence. Independent corporate internal audit teams usually have this role.
Here, too, the marketing department will be asked to cooperate during audits. Assurance results reported to the governance body inform the strategic business actions for the senior management team.
References
- Andress, J (2019) Foundations of information security, No Starch Press, October 2019.
- Bosworth, S, Whyne, E and Kabay, M E (2009) Computer Security Handbook, 5th edn, Wiley, chapter 3: Toward a new framework for information security, Donn B Parker
- Gartner, Inc. (2023) Information technology: Gartner glossary, www.gartner.com/en/information-technology/glossary/information-security (archived at https://perma.cc/JP27-6CAN)
- IIA (2020) The Institute of Internal Auditors (IIA), The IIA’s Three Lines model, an update of the Three Lines of Defense, July 2020, www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf (archived at https://perma.cc/9HX7-AU4H)
- legislation.gov.uk (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016, www.legislation.gov.uk/eur/2016/679/contents (archived at https://perma.cc/NVG6-PXBQ)
- NIST (2023) National Institute of Standards and Technology, US Department of Commerce, Computer Security Resource Centre, Information Technology Laboratory, Glossary, updated 28 May 2023, https://csrc.nist.gov/glossary/term/information_security (archived at https://perma.cc/TE3Z-LN94); https://csrc.nist.gov/glossary/term/non_repudiation (archived at https://perma.cc/DJ4A-44N2)