Five Ways to Improve Enterprise Data Security Programs

Friday, April 22, 2011



A report released this week by Ernst & Young offers an examination of the considerations an enterprise needs to take into account when calculating the organization's risk appetite where information security issues are concerned.

"What constitutes an acceptable level of information security risk in an environment when intellectual property, personal customer information and the brand are at stake? It’s a tough decision, but one that should be made to form the foundation of a transformational information security program," the report states.

The report takes into consideration threats to the enterprise presented by mobile technology, cloud computing, social media and employee sabotage.

"By rethinking your information security strategy and using our integrated security approach, your organization can manage the right risks and drive value," the report continues.

Ernst & Young researchers offered up five fundamental keys to developing a comprehensive information security program for the enterprise:

  • Define the organization’s risk appetite and risk culture. By effectively understanding an organization’s culture, you can align its potential exposure to the risk it is willing to take.
  • Identify the most important information. Placing a value on information based on the organization’s broader business strategy will enable you to prioritize the assets that matter most.
  • Assess the threat landscape. Today’s security assessments need to focus on knowing where the information resides, who has or needs access to it and how it could be compromised. Understanding how information is used helps to identify the threats against it.
  • Run through threat scenarios. Once your security team identifies the areas of risk, it is useful to run through threat scenarios. These exercises help you understand and quantify the probability of a breach occurring in each specific risk area, the size of the vulnerabilities and the level of damage a security breach could cause.
  • Determine appropriate protection mechanisms. Use the threat model that has been developed to apply controls commensurate with the level of risk.

