Monday, 19 November 2012

Protect Information Not Data

In an ideal world, should we not be protecting information instead of data? This is an interesting concept. We back up data. We secure data. We create and manage access control lists that allow a subject access to an object. The object is generally classified as data. We talk about 'big data', moving data to the cloud and so on. But is the data component actually that important? Obviously certain individual pieces of data are very important. Certain documents, files and so on have significant importance and exposure levels. But on the whole, is an organisation run on data or information?

I guess we need to define both of the key terms here. What is 'data', what is 'information' and, more importantly, what are the differences?

What is 'data'?

A basic technical definition would be that data is the low-level bits and bytes of an object. This object, on its own, comprises basic, raw and unorganised facts. The word itself has a Latin root, 'datum', meaning 'that which is given'. As humans - or managers, analysts and so on - we need to interpret the data for it to become useful. For example, backing up an email file such as a .pst is pretty useless for providing email reading and writing capabilities without being able to interpret that file via an email client. The same can be said of data. Without the interdependence with other data sources and analytical tools and frameworks, data has limited use. If you were given an exam score of 65, that 65 on its own is pretty useless without knowing the pass mark, maximum score, comparative scores, averages and so on.

So what is 'information' then?

I'd describe information as being data that has been interpreted, organised and given some context. Once the context has been identified and applied to a singular piece of data, that can then be communicated and reported to others, making it useful information. That information in turn can be used to develop intelligence over time. An organisation as a whole, whether that's a manufacturing or service-based company, will really function on information. Information creation starts with interpreting the raw data; information management then takes over via analysis and collaboration, ultimately ending up with information dissemination, either internally or to clients with products messages delivered.

The point of an information management system

The information management system (IMS) is ultimately the mechanics between the raw data and something useful at the end. An IMS will take an input, perform some processing and deliver an output. In addition, you'll probably have some control and feedback components too. An IMS will also contain a couple of important ingredients: people and processes. Whilst many organisations would love to automate as many people-related tasks as possible, raw humans still have a pretty important role to play in any information chain. They can add adaptability and rationality to decision making - as well as the opposite in some cases too. But human knowledge is still a huge part of an organisation's successful output.

Protecting the entire information chain

This brings me back to the main point. Don't just protect the individual data component of the information chain. Without the other ingredients, including people and processes, the data itself can have limited use. Backup and recovery techniques should really look to contain the people and process related aspects, even if those components are not initially as easily committed to tape as a database. From a security perspective, an organisation should be protected at multiple levels, which would also include the processing and output components. Processing could include collaboration tools and techniques, analysis and reporting too. Output is an area which is often protected from the outside in - i.e. let's stop people seeing stuff we don't want them to see. It should also be focused on internally, to make sure information going outbound is sufficiently restricted, managed and recoverable.