Optimization of Security Investment, and Recent Examples (Series)
Part 3: Registry Management as a Starting Point for Efficient Security Measures
Masatoshi Hirota
Senior Consultant
Ryosuke Miura
Consultant
September 28, 2009 (Monday)
1. Introduction
This series draws on a long record of information security consulting to present examples of optimizing investment and cutting costs by reexamining existing information security measures.
2. Example 3: Registry management
Management through registries (inventories of assets, access rights, and approvals) is an extremely effective information security measure for both preventing and detecting misconduct. The following example shows how business efficiency was improved by reorganizing such registries.
3. Background
Company A established information security rules several years ago. These rules are characterized by the following:
- Appropriate rules have been designed, but specific procedures for carrying them out are lacking.
- This lack of procedures is compensated for by a large number of management registries and application forms.
Company A is considering overhauling the rules it set several years ago and enhancing the level of information security.
4. Business efficiency through integrating registries
Before overhauling the rules, FRI conducted a simple risk analysis to understand the fundamental problems Company A faces. The following problems were identified:
- The content of the information asset management registry and the personal information management registry overlaps.
- Because the two registries are maintained separately, their consistency has to be checked periodically by hand.
- The definitions of "information asset" and "personal information" are unclear, so it is not obvious which registry a given item belongs in.
To solve Company A’s problems, FRI reexamined the rules, organized the information asset management and personal information management registries, and improved business efficiency.
To clarify the definitions, information assets were divided into four levels from the perspective of confidentiality. Personal information was assigned the highest level and defined as one attribute of an information asset rather than as a separate category. The information asset management registry and the personal information management registry, which had previously been maintained separately, were then integrated and placed under the consolidated management of the information systems department. These measures produced the following effects for Company A:
- More efficient management by eliminating the overlap between the two registries.
⇒ 20 employees × 1,500 yen (labour cost for 15 minutes) × 250 working days = 7.5 million yen per registry per year. Integrating the information asset management registry and the personal information management registry therefore cut costs by 7.5 million yen.
- Clarifying the definitions of information assets and personal information improved employees' understanding of what must be registered.
- The four confidentiality levels make it possible to use the registry directly in risk management, since assets can be selected by sensitivity.
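The consolidation described above can be expressed as a data model: one registry, a confidentiality level on every entry, and "contains personal information" as an attribute rather than a second registry. The following is an added example written for this article, not code from FRI or Company A. The level names, asset identifiers, owners and the two "before" registries are constructed for illustration; the page only states that there are four levels and that personal information sits at the highest one.

```python
from dataclasses import dataclass
from enum import IntEnum


class Confidentiality(IntEnum):
    """Four confidentiality levels. The names are assumed; the page gives only the count."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    STRICTLY_CONFIDENTIAL = 4


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    owner: str
    level: Confidentiality
    contains_personal_info: bool = False


class RegistryError(ValueError):
    """Raised when an entry would violate a registry invariant."""


class AssetRegistry:
    """Single consolidated registry; the personal-information list is a view of it."""

    def __init__(self) -> None:
        self._assets: dict[str, Asset] = {}

    def register(self, asset: Asset) -> Asset:
        if asset.asset_id in self._assets:
            raise RegistryError(f"duplicate asset id: {asset.asset_id}")
        # Invariant from the case: anything holding personal information sits at the top level.
        if asset.contains_personal_info and asset.level != Confidentiality.STRICTLY_CONFIDENTIAL:
            raise RegistryError(
                f"{asset.asset_id} holds personal information but is classified {asset.level.name}"
            )
        self._assets[asset.asset_id] = asset
        return asset

    def personal_information_view(self) -> list[Asset]:
        """What used to be a separately maintained registry is now derived, so it cannot drift."""
        return sorted(
            (a for a in self._assets.values() if a.contains_personal_info),
            key=lambda a: a.asset_id,
        )

    def assets_at_or_above(self, level: Confidentiality) -> list[Asset]:
        """Risk-management use of the levels: everything at a given sensitivity or higher."""
        return sorted(
            (a for a in self._assets.values() if a.level >= level),
            key=lambda a: a.asset_id,
        )


def find_inconsistencies(asset_rows: dict[str, str], pi_rows: dict[str, str]) -> dict[str, list[str]]:
    """The 'before' situation: two hand-maintained registries, each mapping asset id -> owner.

    Returns ids present on only one side and ids whose owner differs, which is the
    reconciliation work the periodic consistency check had to do by hand.
    """
    shared = set(asset_rows) & set(pi_rows)
    return {
        "missing_from_pi": sorted(set(asset_rows) - set(pi_rows)),
        "missing_from_assets": sorted(set(pi_rows) - set(asset_rows)),
        "owner_mismatch": sorted(k for k in shared if asset_rows[k] != pi_rows[k]),
    }


# Constructed sample data (not from the page): the two old registries have drifted apart.
SEPARATE_ASSET_REGISTRY = {"A-001": "sales", "A-002": "hr", "A-003": "it"}
SEPARATE_PI_REGISTRY = {"A-002": "hr", "A-003": "legal", "A-004": "hr"}
INCONSISTENCIES = find_inconsistencies(SEPARATE_ASSET_REGISTRY, SEPARATE_PI_REGISTRY)


def build_consolidated_registry() -> AssetRegistry:
    """Populate the consolidated registry with the same constructed sample assets."""
    reg = AssetRegistry()
    reg.register(Asset("A-001", "Price list", "sales", Confidentiality.INTERNAL))
    reg.register(Asset("A-002", "Employee master", "hr", Confidentiality.STRICTLY_CONFIDENTIAL, True))
    reg.register(Asset("A-003", "Server inventory", "it", Confidentiality.CONFIDENTIAL))
    reg.register(Asset("A-004", "Recruiting applications", "hr", Confidentiality.STRICTLY_CONFIDENTIAL, True))
    return reg


if __name__ == "__main__":
    print("drift between the two old registries:", INCONSISTENCIES)
    reg = build_consolidated_registry()
    print("personal information view:", [a.asset_id for a in reg.personal_information_view()])
    try:
        reg.register(Asset("A-005", "Customer list", "sales", Confidentiality.CONFIDENTIAL, True))
    except RegistryError as e:
        print("rejected:", e)
```

The point of the model is that the personal information registry no longer exists as a thing to keep in step: it is computed from the single registry, and the invariant that personal information is always at the highest level is enforced at registration time instead of being checked after the fact.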
5. Conclusion
Management through registries raises the level of information security measures, and registries also serve as audit trails for internal and external audits and as evidence when an incident has to be reconstructed. Without an appropriate framework for registry management, however, registries invite confusion and add to the burden on employees, and as a result can also have a strong negative impact on business.
When designing controls built on management registries, it is therefore necessary to weigh business efficiency as well, instead of focusing solely on raising the level of information security.
