2 REVIEW OF INFORMATION SECURITY FUNDAMENTALS

Let us now take a brief look back at the fundamental concepts of information security, as it is these that will form the basis of the risk assessment process itself.

We shall then examine the means by which information is classified and labelled, and how the Plan-Do-Check-Act methodology may be used as a high-level process for information risk management.

It is a widely held belief that the three main pillars of information security are confidentiality, integrity and availability, often referred to simply as ‘CIA’. While this is essentially true, other factors also contribute to the overall scheme of things. Accountability, authenticity, non-repudiation and reliability are all contributing factors, and need to be considered along with the ‘main’ three.

Let’s take a look at some definitions and explanations of these, together with those for information assurance, information governance and data governance.

Confidentiality – ‘the property that information is not made available or disclosed to unauthorised individuals, entities or processes’ (ISO/IEC 27000:2018). Confidentiality is concerned with ensuring that information is available to authorised entities and is not allowed to become available to unauthorised entities, whether they are able to obtain this deliberately or by accident. It follows, therefore, that users should only have as much access as they require in order to carry out their task and that a formal process is required in order to administer access rights.

PRIVACY AND SECRECY

Both the terms ‘private’ and ‘secret’ have the same basic meaning, but whereas privacy generally indicates the need to protect an individual’s information, secrecy can be seen to have a darker side and can indicate a more sinister motive.

Integrity – ‘the property of accuracy and completeness’ (ISO/IEC 27000:2018). While this definition is fine as far as it goes, the term ‘integrity’ also suggests a high degree of reliability and assurance, and can apply equally to people as well as to information. Integrity considers both the completeness and accuracy of the information and, as with confidentiality, users should only have as much access as they require in order to carry out their task, with a formal process in place to administer access rights.

At best, integrity failures can lead to misinterpretation or poor decision-making; at worst they can lead to serious financial impact and embarrassment to the organisation.

Availability – ‘the property of being accessible and usable upon demand by an authorised entity’ (ISO/IEC 27000:2018). Availability is often considered the poor relation of CIA. While the other two are very important, if information is not available it becomes frustrating to those who require access to it at the time they require it, and under certain circumstances this can have extremely severe consequences.

Availability is now a critical element in the delivery or provision of information, not only to customers who shop online at any hour of the day or night, but also to multinational organisations operating across multiple time zone boundaries.

Availability is also a business continuity (BC) issue: the tolerable length of time for which any information asset may be unavailable will vary from one organisation to another, and indeed from one service to another.

Non-repudiation – ‘the ability to prove the occurrence of a claimed event or action and its originating entities’ (ISO/IEC 27000:2018). Non-repudiation can be used to prove not only that an entity has carried out a certain action but equally that an entity has not carried out an action, whether this be carrying out a commercial transaction, editing a document or sending an email. An example of non-repudiation is the use of digital signatures and certificates, which establish the identity of an individual beyond all reasonable doubt.

Authentication – ‘the provision of assurance that a claimed characteristic of an entity is correct’ (ISO/IEC 27000:2018). In order to ensure both confidentiality and integrity, authentication mechanisms are used to validate an entity’s credentials – this can be either an individual or an application requiring access to information or applications. Authentication mechanisms include such things as passwords, fingerprint and iris scanning and token generators.

Identification – this is a mechanism by which an entity begins the process of authentication. It may refer to systems, peripherals, people or processes. For example, a user may submit his or her identification in the form of a user ID when logging on to a system or application.

Accountability – ‘the assignment of actions and decisions to an entity’ (ISO/IEC 27000:2012 – for some reason, the term ‘accountability’ has been omitted from the ISO/IEC 27000:2018 version). Accountability is often confused with responsibility. The two are very different – an entity may be made responsible for carrying out an action, for example an engineer may be responsible for configuring firewall rules, whereas a more senior manager is likely to be accountable for the firewall and/or its rule set, and may be held to account if things go wrong.

Accountability is also linked to non-repudiation, in that it may be desirable to correlate transactions with individuals or processes.

Reliability – ‘property of consistent intended behaviour and results’ (ISO/IEC 27000:2018). Reliability has similar connotations to integrity, but whereas integrity refers mainly to ensuring accuracy and completeness, reliability leans more towards something that can be repeated with accuracy, for example a process that works in a consistent manner every time.

Information assurance – information assurance is the practice of assuring information and managing risks related to the use, processing, storage and transmission of information or data and the systems and processes used for those purposes.

Information assurance includes protection of the confidentiality, integrity, availability, authenticity and non-repudiation of information. It uses physical, technical and procedural controls to accomplish these tasks.

While focused predominantly on information in digital form, the full range of information assurance encompasses not only digital information but also analogue or physical information. Protection applies to information in transit, both in physical and electronic forms as well as information at rest in various types of physical and electronic storage facilities. Information assurance as a subject area has grown from the practice of information security.

Information governance – information governance is the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.

Data governance – data governance refers to the general management of key data resources in a company or organisation. This broad term encompasses elements of data use, storage and maintenance, including security issues and the way data flow from one point to another in an overall information technology architecture.

Because data or raw information are a key resource for most businesses and organisations, data governance is a logical area of overall information technology strategy focus for many large enterprises.

INFORMATION CLASSIFICATION

All information assets have some degree of value to the organisation. Unless users of these understand their sensitivity and how to deal with them, they could unwittingly – or even deliberately – make them available to unauthorised or unsuitable recipients to the detriment of the organisation or themselves. So when dealing with either raw data or processed information, whether it is our own or someone else’s, it is vital to ensure that users of these understand fully how to access, process, store, transmit, transport and (if necessary) ultimately destroy them. This is otherwise referred to as data or information handling.

To provide these handling specifications for each individual item of data or information would be an enormous task, so in order to simplify matters we first classify each data or information item according to a set of rules, which will then allow us to specify the handling procedures for each type.

Within government circles this has been undertaken for many years and is a well-established process. In the private sector, however, although organisational data or information handling guidelines may exist, they are not always rigorously enforced, and in some sectors organisations that do not adequately classify and protect certain types of information may face regulatory penalties. Further, any organisation wishing to attain an accreditation relating to information risk will have to satisfy the accreditor that due diligence has been undertaken and that information has been classified appropriately.

The term ‘privacy marking’ is also used in connection with this topic, but differs from information classification in one critical respect – privacy marking deals solely with the labels applied to the information, whereas information classification deals with the privacy marking and the handling of information.

Information classification includes all forms of media, whether in storage (at rest) or in transit from one location to another, such as:

  • magnetic media, including hard disks, USB sticks and magnetic tape, locally or in the cloud;
  • PDAs, tablet computers, mobile phones and digital cameras;
  • optical media, including CDs, DVDs and microfiche;
  • paper, including handwritten notes, printed files, diagrams and plans;
  • information passing across both wireless and wired networks, including telephone calls, video calls and facsimile transmissions;
  • email, text messages and related social media such as Facebook, Instagram, LinkedIn and Twitter.

The value of information assets to the organisation or individual is not necessarily limited to their commercial value, but also includes the impact they could have on the organisation or individuals were they to become known to an attacker, a competitor, a hostile state or the public at large.

All information assets must be identified and rated in value against an agreed impact system – a form of risk assessment in itself. The UK government updated its information classification scheme in 2018, which greatly simplifies the previous system:

  • TOP SECRET – HMG’s most sensitive information requiring the highest levels of protection from the most serious threats; for example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
  • SECRET – very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors; for example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
  • OFFICIAL – the majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.

Commercial organisations, on the other hand, may have a system such as:

  • Strictly Confidential – information the loss or damage of which could cause extremely serious financial impact or embarrassment to the organisation. This might include future business plans, future product development information or information that might have an adverse effect on the organisation’s share value.
  • Confidential – the loss or damage of which could cause some financial impact or embarrassment to the organisation.
  • Personal – the loss or damage of which could cause some financial impact or embarrassment to one or more individuals within the organisation, and could have regulatory repercussions on the organisation.
  • Internal use only – the impact of which might be low, but could be aggregated with other information for use by a competitor.
  • Public – which can be made available to any person or organisation.

In order to assign privacy markings, the concepts of confidentiality, integrity and availability must be taken into account. For example, any information asset labelled as Strictly Confidential would almost certainly have a very high degree of all three, whereas Public information need only have a certain degree of integrity and availability.

In terms of confidentiality, the most frequently used guideline is referred to as the ‘need-to-know’ principle – information should not be made available to people who do not need to know it. Integrity is often addressed by segregation or separation of duties, so that one person might generate information, but in order for it to be made available it may need to be verified by a second person. Availability is most frequently addressed by the use of backups, disaster recovery (DR) and BC plans, processes and procedures.

In addition to these privacy markings, information can also be assigned caveats, known in government circles as descriptors. These are additional attributes that ensure a finer layer of granularity. Some examples are:

  • Human resources (HR) only – referring to personnel files containing sensitive personal data.
  • XXX Project Team only – not to be shown to anyone who is not a member of a particular project team.
  • Not for general release until xxxx – not to be further distributed until a certain date.

Another information classification scheme has become popular in recent years, which emanates from the European Network and Information Security Agency (ENISA), known as the ‘Traffic Light Protocol’.1

  • RED – Personal for Named Recipients Only – in the context of a meeting, for example, distribution of RED information is limited to those present at the meeting, and in most circumstances will be passed verbally or in person.
  • AMBER – Limited Distribution – recipients may share AMBER information with others within their organisation, but only on a ‘need-to-know’ basis. The originator may be expected to specify the intended limits of that sharing.
  • GREEN – Community-Wide – information in this category can be circulated widely within a particular community or organisation. However, the information may not be published or posted on the internet, nor released outside the community.
  • WHITE – Unlimited – subject to standard copyright rules, WHITE information may be distributed freely and without restriction.

Once information assets have been identified, it will be necessary to match each of them (or groups of similar information assets) against an information owner. There must then be a process in which the security classification of each information asset is verified through interviews with the information owners.

Handling of information assets

Once the security classification scheme has been established, thought must be given to how the information asset is handled.

Creation and storage of an information asset

The originator or creator of any information asset should consider assigning its security classification immediately, especially if the information is of a sensitive nature. Even if the information asset is in draft form – for example an early version of a project plan, design or simple document – it should be stored in the most appropriate manner.

Not only should the item be stored in a secure location, but it might also be necessary to password protect the item as an additional means of securing it, or by encrypting the item when stored.

Sharing and review of an information asset

Once an information asset has been created, it is possible that other people will review it; for example, a draft project plan might require input from a number of team members, each of whom may need to view and update the plan. This brings in another level of protection – that of the item’s security attributes, and the ability of individuals to read from and write to the item.

If multiple people are able to access the item simultaneously, there needs to be a ‘lockout’ mechanism to prevent more than one person trying to edit the item at the same time.

For this reason, and in order to minimise the possibility of an item going astray, sharing is better achieved by allowing controlled, shared access to it rather than by sending it by email, for example.

Transmission of an information asset

At times, it will be necessary to transmit the information to another person, and the security of the information during transit must be considered. Depending upon the sensitivity of the information, it may be possible to transmit it ‘in clear’ over a public network such as the internet; a virtual private network (VPN); or a heavily secured private network. Some information may be required to be encrypted when transmitted, or it may have to be hand carried by courier in a secure container.

Disposal of an information asset

Most information assets will have some kind of life expectancy, and once this point in time has been reached, it may be necessary or desirable to dispose of the asset rather than storing it indefinitely. Suitable methods of destruction will depend, as always, on the sensitivity of the information, and may range from simple file deletion for an unclassified asset to physical destruction of the platters of a hard disk drive or from shredding to burning of paper documents.

The main point for any system of information classification is that once an information asset has been given a security classification, it automatically imposes constraints on the methods that can be used to process, store, transmit and ultimately dispose of it. These conditions must inevitably be imposed on anyone who may come into contact with that information asset.

Because the nature and sensitivity of information assets may change over time, a periodic review of information assets and their classifications is essential.
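The constraint described above, that a marking fixes how an asset may be accessed, stored, transmitted and disposed of, can be expressed as a small handling policy. The following is an added illustration written for this chapter, not the book's own material: it encodes the commercial marking scheme and the transmission channels listed earlier, while the thresholds and channel ranking are assumptions chosen to show the idea.

```python
from dataclasses import dataclass
from enum import IntEnum

class Marking(IntEnum):
    """Commercial marking scheme from the chapter, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    PERSONAL = 2
    CONFIDENTIAL = 3
    STRICTLY_CONFIDENTIAL = 4

# Assumed thresholds: the least sensitive marking at which each handling
# control becomes mandatory. Illustrative values, not the chapter's own.
MIN_MARKING_FOR = {
    "encrypt_at_rest": Marking.CONFIDENTIAL,
    "encrypt_in_transit": Marking.PERSONAL,
    "second_person_verification": Marking.CONFIDENTIAL,
    "physical_destruction_on_disposal": Marking.CONFIDENTIAL,
}

# Transmission channels from the chapter, ranked by protection (assumed order),
# and the weakest channel acceptable for each marking (assumed mapping).
CHANNEL_STRENGTH = {"internet_clear": 0, "vpn": 1, "encrypted": 2, "courier": 3}
MIN_CHANNEL_FOR = {
    Marking.PUBLIC: "internet_clear", Marking.INTERNAL_USE_ONLY: "vpn",
    Marking.PERSONAL: "encrypted", Marking.CONFIDENTIAL: "encrypted",
    Marking.STRICTLY_CONFIDENTIAL: "courier",
}

@dataclass(frozen=True)
class Asset:
    name: str
    marking: Marking
    caveat: str = ""                    # descriptor such as "HR only"

@dataclass(frozen=True)
class Principal:
    user: str
    clearance: Marking                  # highest marking the user may see
    groups: frozenset = frozenset()     # caveats the user is entitled to

def required_controls(asset: Asset) -> list:
    """Controls the marking imposes on storage, review and disposal."""
    return sorted(c for c, m in MIN_MARKING_FOR.items() if asset.marking >= m)

def may_access(p: Principal, asset: Asset) -> tuple:
    """Need-to-know check: clearance must reach the marking and any caveat must match."""
    if p.clearance < asset.marking:
        return False, f"{p.user}: clearance {p.clearance.name} is below {asset.marking.name}"
    if asset.caveat and asset.caveat not in p.groups:
        return False, f"{p.user}: caveat '{asset.caveat}' not satisfied"
    return True, "access permitted"

def may_transmit(asset: Asset, channel: str) -> bool:
    """True if the channel is at least as protective as the marking requires."""
    return CHANNEL_STRENGTH[channel] >= CHANNEL_STRENGTH[MIN_CHANNEL_FOR[asset.marking]]
```

A real scheme would draw these thresholds from the organisation's handling guidelines and review them periodically, as the chapter recommends.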

PLAN-DO-CHECK-ACT

Although, strictly speaking, it is not an information risk topic, for many years and for a variety of purposes organisations have made use of a system known as the Plan-Do-Check-Act or Plan-Do-Study-Act (PDCA or PDSA) cycle, otherwise known as the Deming Cycle,2 illustrated in Figure 2.1.

Figure 2.1 The Plan-Do-Check-Act cycle


The PDCA cycle has been widely adopted as a basic reference framework in information security, information risk management and business continuity management disciplines as well as many others.

The four stages are described as follows:

PLAN

In this stage, we establish the objectives and the processes necessary to deliver the required results. In the information risk management context, this equates to understanding the organisation and its context.

DO

The next stage of the process implements the plan, initially as a means of testing that the plan has been successful. In the information risk management context, this equates to implementation of the information risk management framework.

CHECK/STUDY

In this stage, we examine the results we have achieved either by measurement or observation. In the information risk management context, this equates to monitoring and review of the framework.

ACT

In the final stage, we put the validated plans into action when an incident occurs and bring lessons learnt from incidents into revision of the plan. In the information risk management context, this equates to continual improvement of the framework.

Earlier British and international standards made considerable use of this cycle in their introductory sections, but since 2013 their use of the PDCA cycle has diminished inexplicably.

SUMMARY

In this chapter, we have examined information security fundamentals, information classification and the Plan-Do-Check-Act cycle. The next chapter will cover the overall information risk management programme.

1 See https://enisa.europa.eu/topics/csirts-in-europe/glossary/considerations-on-the-traffic-light-protocol.

2 See https://deming.org/explore/pdsa.
