Information is a valuable asset, and keeping that information safe and secure is essential. Yet, how does an organization know if it has the appropriate security standards and procedures in place? How do an organization’s data security practices compare to those of other organizations? And after a security incident, how does a company determine loss?
The answers to these questions are not easy ones. To help deal with them, two privacy experts have teamed up to research current information governance practices. Andrew Serwin, a partner at Foley & Lardner LLP, and Larry Ponemon, CIPP, of the Ponemon Institute, have launched three surveys aimed at shedding light on what best practices are available to organizations that deal with consumer data collection.
Through their new think tank, the Lares Institute, Serwin and Ponemon are looking at information governance in a wide array of organizations in various industry sectors, including health, finance, Internet advertising, emerging technologies and mobile devices—essentially anyone who collects consumer data.
The “Survey on Information Risk and Loss” focuses on how companies determine and value loss after an information security incident. According to Serwin, the study attempts to research loss in a broad context—going beyond data loss and breaches—and includes, among other topics, the effects of incidents like cybercrime.
The researchers point out that determining loss “presents unique issues for companies and can impact a company’s ability to prevent incidents and enforce its rights.” Serwin adds, “I don’t think a lot of companies know how to value loss when a data incident occurs.”
The Lares Institute is also looking into the information collection practices of organizations. In its “Study on Information Collection,” it surveys what types of data are collected from the Internet, mobile devices and other sources to determine best practices for companies that engage in consumer data collection.
Another project, “Information Controls and Benchmarking,” is examining the information security practices of organizations to determine what precautions are necessary for a strong information governance program. Often with limited resources and constantly facing emerging threats, a perfect information security system is next to impossible, the researchers say, and benchmarking information security practices across the spectrum can potentially help an organization reduce its risk profile.
Serwin notes there has been little research in these areas, particularly in locating best practices. He hopes these studies will lead to other surveys and will show the variations in controls used around data sensitivity, use and security.
The Lares Institute is looking for organizations to participate in these projects. “We want a good cross-section of companies across sectors—both large and small—to show the difference in controls between large and small businesses,” says Serwin. With the information gleaned from the studies, the Lares Institute hopes to produce tools for organizations attempting to determine an appropriate information governance system.
The Lares Institute is also looking for experts for its research panel. To participate in the panel or the studies, please contact Andrew Serwin.