At IWCO Direct, we have a great responsibility to protect our clients’ information assets. In fact, this responsibility is a key driver of everything our security team does, from achieving certifications to ensuring we have the right security policies in place. While IWCO Direct is certainly concerned with protecting our own information, many of our security initiatives are driven by the ever-evolving requirements of our clients. When they get better, we get better.
The first step in protecting an organization’s assets is to identify them, assess any risks to their security, and define appropriate protection controls and responsibilities. An asset is anything that has measurable value to the organization, though an asset’s value may not necessarily be monetary. Assets can include information, software, equipment, services, people, and even reputation.
Sorting, Securing, Protecting, Updating, and Managing Information
Security professionals use two general toolkits to determine information access: Asset Management (which covers classification, definition, and handling of information) and Access Control (which can limit information access to need-to-know parties). Communication is the basis that ties these disciplines together, helping us sort information before deciding who needs to access it.
An information classification hierarchy structures access to data based on its criticality and importance. Think about how government agencies classify data from “unclassified” to “classified” to “top secret”: the general idea is to be able to identify which assets represent no risk and are suitable for sharing with the public, which assets should be kept internal, and which assets require the strictest protection with the least access given.
A great foundation for maintaining tight, up-to-date information access and protecting data in any organization is the principle of “least privilege,” which means providing only the minimum access necessary to complete a required task. Under least privilege, access is forbidden by default unless expressly permitted. In business terms, this means giving employees only the information they need to do their jobs.
As complementary strategies, classification hierarchies and the principle of least privilege ensure that security teams can maintain access structures with minimal gaps and maximum flexibility based on periodic entitlement reviews. These reviews help us support the philosophy of least privilege and enhance our data protection efforts by confirming that people or parties who don’t need certain information aren’t authorized to access it. Conversely, they help us make sure that any access an individual does have is still needed.
Is Your Marketing Partner Taking Data Protection Seriously?
If any of this information makes you curious about your marketing partner’s data protection policies, ask them to define how seriously they take the protection of your data. Do they have an information classification scheme? If they do, do they consider your data worthy of the highest classification and the strongest protection? If so, challenge them to demonstrate it. Where, how, and why is your data stored? Do only necessary individuals have access to it, supporting the principle of least privilege?
At IWCO Direct, our clients’ data is considered the most important information to protect. In a time of major data breaches and mishandled information, our clients’ data security is in the spotlight—and with the help of strong structures and processes, we stay prepared to protect it.