Sense and nonsense in security

Once we know which requirements our information has to meet, we can draw up a policy to protect it and so maintain its quality. Reliable information is essential for an organisation's continued existence.

There are several ways to maintain information security, some far more expensive than others. That is why the threats we face and the measures we take against them have to be weighed carefully. If an organisation is exposed only to minor threats, there is no point in imposing cumbersome and very complex security measures.

Security therefore has to be well thought through, using common sense.

Hence the methodical approach called risk management. First we identify the risks we are exposed to; then we decide which risks we will treat and which we will accept. Next we rank them in a list, with the most serious risks (the most likely and the most damaging) at the top and the risks that hardly matter to us at the bottom. With that list we can get to work and draw up security procedures.

Once all measures and security systems are in place, we have to check daily whether the measures are actually working and whether the security rules are being followed, so that we know the protection remains effective. This is called daily security management. If an incident still occurs, we search for its cause and find out how it can be avoided in the future; afterwards we adapt our security measures accordingly.

This is done through a management system that provides for continuous improvement and for adapting security to changing circumstances and new technologies.