What is Information?

The American Heritage Dictionary defines information as "a collection of facts or data." Many information security officers seem to treat information in exactly this manner: it does not matter what the data is used for or who needs to know it - all data is information and all data must be protected. This approach leads to a great deal of wasted effort and confusion. Should we lock down the corporate phone directory so that no social engineer can use it to defraud the company? Should we keep the street addresses of all our branch offices secret so that protestors and terrorists will not know where to find us? Should we restrict access to every petabyte of data stored in corporate networks around the globe?

The answer lies in the other definition of information provided by the American Heritage Dictionary: "knowledge derived from study, experience, or instruction." Knowledge is the essential element of what we must protect. The data 147-67-9042 is meaningless on its own. Combine it with a statement such as "John Doe's Social Security Number is 147-67-9042," however, and you have data that provides knowledge about John Doe and would present a significant danger if it fell into the wrong hands. We need to be able to determine what people could learn from the data and what they could do with it. Once we know the answers to these two questions, we can begin to make decisions about what controls should be put in place.
