Monthly Archives: November 2013

Developing corporate information security – Step 2: Identify assets

This post is part of the Developing information security series. Please, start reading from the first post.

What is really important for your company? What are the information assets that your business depends on most?

Information assets include documents, data and information systems. It is crucial that the company knows what to protect. Every company has different assets to protect, and the assets may vary over the different phases of the company's life.

Typical assets to protect are:

  • Business information
  • Customer information
  • Product development information
  • Sales information
  • Production information
  • Human resources information
  • Critical information systems
  • Etc.

Let’s take a look at what is important for our case company DeepWhite Software.

Case DeepWhite Software – Identifying assets

DeepWhite gathers a cross-organisational team to identify important assets.

The current business is based on customer deliveries. Although most of the projects are done on customer premises, there are cases that are developed on DeepWhite premises. DeepWhite has its own development environment for these cases. The company doesn't have its own production servers; part of the customer deliveries are hosted at a third-party cloud service and managed by DeepWhite.

Projects that are done on customer premises are all hosted by the customer's IT department. As described in the first post, DeepWhite is launching its own product development, and this requires a separate development environment.

DeepWhite's information security team identifies the following assets during their sessions:

  • Customer project development information and systems (including development servers, testing servers, version control system, source code, design documents etc.)
  • Product development information and systems
  • Bug tracking / ticketing system
  • Production servers
  • Finance information (billing, bookkeeping etc.)
  • Human Resources system

These are the information assets that DeepWhite is most dependent on. They shall be protected at the required level.

Step 2: Identify critical information assets

What risks and threats are the identified assets facing? The next step concentrates on threats and risk management.

Do you think that DeepWhite should have identified more assets? Please, feel free to share your own experience.

Developing corporate information security – Step 1: Commitment

This post is part of the Developing information security series. Please, start reading from the first post.

Commitment. In order to get anything done there has to be commitment. Someone has to be committed enough to push through the change.

Information security literature, standards and best practices always emphasize top management commitment to information security development. That is important in large companies, but here we are talking about small and medium-sized enterprises (SMEs) and commitment from a wider perspective.

SMEs do not usually have extra resources for internal development (like a dedicated process development department). These kinds of projects are carried out alongside other daily tasks. I recommend that SMEs extend the first step from management commitment to commitment in general.

Before going any further, the information security development team should be involved and committed to the project at hand. Otherwise there is always a customer project or an important meeting that postpones the final goal.

Let's see how our case example company DeepWhite Software handles this. Please see the first post of the series for more information about DeepWhite.

Case DeepWhite Software – Commitment

Lately there has been a lot of fuss about all sorts of information security breaches. The motives for these breaches vary from governmental interests to industrial espionage and hacktivism. News about password leaks and targeted attacks is spreading.

DeepWhite has grown and is working with several big customers. In conversations with customers there is more and more pressure on DeepWhite to develop its own information security practices. DeepWhite is planning to launch its own product development; soon there will be more of its own assets to protect.

The Head of Development and the CEO both agree that at this point something has to be done. They gather a team of key persons to discuss security concerns. The team has members from all over the company. The team agrees that DeepWhite launches a corporate information security development project.

The team is committed and is spreading the word.

Step 1: Get management and organization commitment for information security development

Do you think that DeepWhite is handling commitment in the right way?

Developing corporate information security – Post series starts

This starts a post series that helps companies systematically improve their information security. The series is intended mainly for small and medium enterprises (SMEs). We follow an imaginary case example of an SME called DeepWhite Software.

The case example is from the IT field, but the instructions in the following posts can easily be adapted to other information-centric industries.

Case DeepWhite Software

The case example DeepWhite Software (later DeepWhite) is a small company that provides software development services, mainly for large local companies. DeepWhite specializes in developing custom web applications.

DeepWhite facts and figures:

  • Founded two years ago
  • Privately held
  • 5.1 million euro revenue
  • 31 employees

Even though DeepWhite mainly provides software development services, it has some intellectual property (IP) of its own. DeepWhite has developed its own utility library that speeds up the development of web applications and gives it a competitive advantage during the bidding phase.

The organisation structure is flat: there is a CEO and a few managers, each with their own area of responsibility. The company has three technical sales persons who handle both new customers and traditional account management. A big part of the sales comes from old customers that are developing new applications and improving old ones.

Development teams are formed for each customer case, and development is mainly done on customer premises.

The whole company started as a single development project for the biggest customer. DeepWhite has grown rapidly, and the main focus has been on customer cases and deliveries.

During the customer projects, the teams have identified one product initiative that could be the next B2B hit. The company is now setting up its own product development and has set up a team of five for product realization.

So far it has all been about customer cases, but now the company has grown and management sees a clear need for improvement in the information security practices.

We are ready to move into Step 1: Commitment.