Information Security
In the entire world there is not one enterprise – private or public – that does not collect, merge or process data in its information system. The government collects data to calculate your pension, for example, to impose taxes correctly or to reimburse your medical costs. The company you work for collects your data to pay your salary. Supermarkets collect data about your buying behaviour using loyalty cards, so they can adapt their sales to it, …
That is why information has become a precious thing. And valuable treasures need extra security. Not so long ago, that was not really difficult. Every organization had its own isolated computer network which could easily be protected with simple measures. A good lock on the door, a properly working programme and a daily backup were enough.
But this changed very quickly. In no time, everybody became connected to everybody through the internet, and the wave of new information and communication technologies is endless. This obviously requires very different and more complex protection methods.
Not all information consists of personal data, of course. A paint producer possessing the components of an entirely new colour will guard that information with all possible means, so that it is not copied. In this document, we will especially focus on protecting information containing personal data. Since the legislator has made the protection of personal data compulsory with the Privacy Act, any person processing personal data has the duty to protect the data and make sure it is secure.
Easier said than done! How should I get started? What exactly do I need to protect, and when? And what do I want to achieve with that? Simple questions, and yet they have complicated answers. For that reason, this text has been conceived as a first exploration of the wonderful world of information security. We advise any person who would like to go into more detail to consult the document "Security of personal data" (only available in French and Dutch).
Before we make plans to protect our information, we should know what "secure information" or in other words "information security" means. Now that we know how important information is to an enterprise, the good quality of the information is imperative. Erroneous information is sometimes even worse than no information at all. Let's say that the supermarket where you shop launches a campaign announcing that customers shopping on their birthday will receive a present. Unfortunately, you and a large group of other customers cannot benefit from this offer because your client data has been lost some way or another. For the supermarket this is obviously very negative publicity, and it will have to put in many efforts before it can welcome the lost customers again.
So good-quality information is correct information, which is consequently well-protected and secure. Information security can be checked using seven characteristics, also called security attributes:
- Confidentiality: only persons having authorization can access the information.
- Integrity: the information cannot be altered intentionally or unintentionally.
- Availability: the information is accessible and usable whenever an authorized person has requested it.
- Accountability: there is always a trace of the author and of how the information was edited.
- Non-repudiation: proof that an operation or event actually took place, meaning that it cannot be denied now or at a later time.
- Authenticity: it is certain that a person really is who he claims to be.
- Reliability: the characteristic of achieving the expected result.
If your information has these seven characteristics, you can say that it is secure, good-quality information.
If the information contains personal data, the Privacy Act comes into play, with a description of additional characteristics for the information to be secure and protected. Personal data must be processed fairly and lawfully, and for specified purposes; it has to be adequate, relevant, not excessive and accurate; it has to be kept up to date and must not be kept any longer than necessary.
Other than that, every enterprise or organization has to take a number of measures to protect the data it processes. For instance, they have to notify their processing operations to the Commission, respect the rights of the data subjects, make sure that the data is always correct or delete it whenever necessary, ensure that processing operations only take place for the intended purpose, restrict access to personal data to the persons that have been given permission (authorization), and protect the data as long as it exists. When somebody else is entrusted with the processing operation, that person has to take over the organization's duties and responsibilities by means of a contract.
In a nutshell, thanks to the Privacy Act we have the right to protection of our personal data, and this protection can only be ensured if certain security measures are taken.
Now that we know which conditions our information has to meet, we can draw up a policy to protect it, so that information quality can be maintained. As we have already mentioned: good-quality information is absolutely necessary if an organization wants to continue to exist.
There are several methods to ensure that information security is maintained, some more expensive than others. That is why imminent dangers and the measures we take against them have to be carefully balanced. If our enterprise is only confronted with smaller dangers, there is no point in taking cumbersome and very complex security measures.
Security therefore has to be well thought through, using common sense. That is why we use a methodical approach, called risk management. First of all we find out which risks we are exposed to; then we decide which risks we will face and which risks we will accept. Next, we draw up a list with the most important and dangerous risks on top, and the risks that are meaningless to us at the bottom. With that list, we can get to work and elaborate security procedures.
Once we have introduced all measures and security systems, we have to check daily whether our security measures are actually working and whether our security rules are respected, so that we are always certain that everything is secure. This is called daily security management. If an incident still occurs, we search for its cause and we find out how it can be avoided in the future. Afterwards we adapt our security measures accordingly.
This is done using a management system, which involves permanent improvement and adaptation of security to changing circumstances and new technologies.
Now the enterprise can start to elaborate a security policy protecting our information as well as possible against all kinds of dangers.
The security policy takes into account all possible aspects that represent danger or could cause damage to our organization. All these possibilities are mapped and studied in order to choose appropriate measures.
First of all, we have to see what exactly can be endangered, in other words what the enterprise owns or what our enterprise's assets are. We then look for the dangers that threaten our assets. Those threats can be a fire or a computer crash, but they can also be unintentional human threats, for example a person leaving a confidential document on a train by accident. A person can also have the intent to harm the enterprise, for instance a burglar or an industrial spy.
We also have to take into account the weakest links or vulnerabilities of our company, which can be software that was not installed correctly or a faulty lock on the access door of a room where important information is kept. Such weak spots in our security can lead to damage. Because of a programming error, for example, a hacker can break into the system and destroy a file.
Unfortunately, there are unexpected incidents, too, such as an information system overload. Therefore, we have to try to consider possible incidents. Moreover, incidents unavoidably have consequences and their impact can sometimes be enormous. A compromised file containing data on child allowances could seriously disadvantage your family. A solution has to be found here as well.
Finally, we have to try to assess the risks our enterprise runs. We calculate the chance that a certain danger will occur at the enterprise, and we try to predict what the consequences will be. A virus could, for example, delete a file containing salary calculations for our staff, or a member of staff could give his password for the accounting file to a colleague. The consequences of both incidents can be very different.
Now that we are aware of all the elements that can endanger our enterprise, we can elaborate our security measures. For all the dangers and risks we have exposed, we look for the most convenient solution for our enterprise. We can lessen possible dangers or correct vulnerabilities by limiting the consequences. We can also actively trace possible incidents, so that we can intervene before the situation gets any worse.
Lastly there are remaining risks or residual risks, which continue to exist after security measures were introduced. These residual risks are unavoidable (e.g. human errors), but the idea is to keep them as limited as possible.
So it is an illusion to think we can exclude all risks. Even if we have the best possible security, unexpected incidents can always occur: harmful intent for example, but also human errors, natural disasters, etc. Unfortunately, these dangers usually strike unexpectedly. We have no other option than to learn to live with the risk. The only thing we can and must do is to keep the residual risks as limited as possible. This is done differently in every enterprise, and that is also the reason why there are no ready-made models for security policies. Every enterprise will have to draw up a policy that best suits the organization.
Because wrongful use of our personal data can have an enormous influence on our lives, the Privacy Act imposes additional rules besides the aspects we have already mentioned. For instance, the controller has to determine who can access data, when and under which conditions (confidentiality of the data), as well as how the data is to be collected and who can process or modify it (integrity of the data). He will also lay down the period for access to the data and the method used to make them available (availability of the data), and finally he has to determine which evidence has to be generated (who accessed which data when).
In the past especially an enterprise's IT specialists were in charge of information security, and a number of technical measures were sufficient to protect the enterprise's information system.
But so much has changed, and there are so many new possibilities and applications that information security requires a comprehensive approach. Even though management has to take the initiative, any person who can influence one or other element of the information system has responsibilities nowadays. This is almost every person who works for the company. It is of the utmost importance that everybody actively participates in safeguarding security, every single day. Management can do so by drawing up a policy and ensuring that the measures it introduces are actually put into practice; members of staff by acting according to those measures, for example by not disclosing unnecessary information, by making sure that the door of a room where confidential information is stored is locked properly, or by not giving a personal access code to somebody else, …
For itself and for its staff, management has to elaborate a code of conduct and make its members of staff aware of it. All members of staff have to realize how important it is that they observe security rules. They have to be fully aware of the consequences of not using information with due care and according to the rules. For everyone in the enterprise, it should become second nature to observe security measures. This is the only way for a security policy to be effective.
Moreover, management also has to appoint a security counsellor for the information system. The security counsellor takes initiatives and is the driving force behind the information security policy. He is in charge of implementing the security policy. He makes proposals regarding security, determines the objectives to be achieved, and guides the persons that install the security system. He examines and studies security incidents and takes improving measures. He also makes sure nobody is put under pressure by two persons having opposite interests, and he is the person to talk to for all security matters. He reports directly to management and is given enough money, staff, hardware and equipment to perform his duties properly.
There are several international models and guidelines that can be useful for the elaboration of a security policy, but the Commission, too, has drawn up a model in order to help the controller protect the personal data he wishes to process: “Reference measures for the security of personal data processing”.
A security policy has to be elaborated according to a number of important principles:
- Without security there is no good-quality information.
- Security is a mindset; it needs to be approached consciously, according to a system and with a specific purpose.
- Security is a management concern in the first place, but it also regards every other person working for the enterprise.
- Total security is an illusion.
- Security is never finished and has to be maintained continually.
- A security policy especially has to be drawn up with common sense. Several simple measures are just as effective as one complicated measure.
- There is danger on the inside as well: the weakest link of the security system is the human being; information and training are priorities.
- When personal data are processed, the protective principles of the Privacy Act have to be included in the security policy.
If we follow all these guidelines, we can speak of a state of information security.