KAGE™ is an information security framework proposed by Henry Bagdasarian, Founder of Identity Management Institute, to simplify the information protection risk management process and offer a roadmap that management and security professionals can use to develop a data protection strategy that addresses information protection risks. KAGE is meant to protect all business information assets through a simplified, repeatable risk management process, and it is incorporated into the Certified in Data Protection (CDP) certification course.
The KAGE security framework is deliberately simple: its acronym makes it easy for management to remember the main objectives and steps when building an information security strategy. Companies and the executives responsible for corporate information protection can use it to create and maintain a continuous process of information risk management and safeguarding. Such a process is necessary to ensure continued protection of business confidential information, including the personal information of clients and employees.
Information protection directives must always be based on the current risks facing the company and the individuals whose information it holds. “It would be naïve and risky to assume that an information protection plan is static and does not have to be updated to reflect the current risk landscape” says Henry Bagdasarian. Many companies make the mistake of developing information security policies without any provision for continuous risk assessment, updates, communication, and monitoring. An information security policy is only effective when it is developed and revised based on current risks and communicated to all employees, who must be aware of the policy in order to follow management directives for protecting confidential information.
For an information security program to be effective, there are four main focus areas that must be addressed. The KAGE acronym stands for Know, Articulate, Guide, and Enforce. Each area is described below:
KNOW – In order to implement an effective information protection strategy and program, professionals must first identify and know what information they want to protect for their companies. The types of confidential information differ from one company to the next; for example, confidential data may include trade secrets as well as employee or consumer personal information. Depending on the type, format, and amount of information held, management must decide which information is important, or indeed vital, to the success of the business. Each type of business information carries a different kind and degree of risk. A breach of consumer personal information may lead to identity theft, identity fraud, and lawsuits, while the loss of trade secrets or intellectual property may result in loss of competitive advantage and revenue. Therefore, for each organization, management must decide what information matters to the business based on the risks that its loss or exposure would present.
Next, management must also decide and know how they intend to protect that information based on internal and external needs or requirements. In order to develop an appropriate information protection strategy, risk assessments are required to identify the risks associated with confidential information as well as the countermeasures to be included in policies, procedures, standards, and guidelines. Risks may arise from unnecessary collection and sharing of data, lengthy retention, unsecured storage locations, inappropriate disposal and handling of information, and unauthorized disclosure or modification. Once data protection professionals know what information to protect and how they intend to protect it, they formally document their information protection scope and vision through security strategies, policies, and standards.
ARTICULATE – Once the data security scope is established, policies and procedures are documented, and responsibilities are defined, the data protection strategy and its requirements must be clearly articulated, that is, communicated, to the appropriate staff and other parties. The aim is to make sure everyone understands how the company intends to protect its information and how each person can contribute to the overall data protection goals.
GUIDE – Employees sometimes have a hard time understanding and interpreting security requirements and their purpose, so management must make an effort to guide employees toward what is expected of them in securing the company’s confidential information. As part of this communication, security guidelines can be provided to help employees implement and follow the strategy and policies; such guidelines give direction for reaching the desired protection goals. Periodic information security awareness training can also be developed to educate employees, reinforce the requirements, and confirm their understanding of those requirements. Employees who are assigned data protection tasks, or who could unknowingly introduce risks for the company, must receive periodic awareness training so that they are guided in the right direction and reminded of their responsibilities and of how they can help the company achieve its goals.
ENFORCE – Finally, the information protection program and its underlying policies and procedures must be enforced to be effective. Without monitoring and enforcement, violations may go undetected and management directives may simply be ignored.
Following the creation and communication of the information protection program and all relevant policies and procedures, management must enforce compliance with its security directives through continuous monitoring. Enforcement and monitoring can be automated in some areas and manual in others. The principal goal of enforcement is to ensure that employees are following management directives and supporting the strategy for protecting confidential information, keeping the company’s security risk exposure to a minimum at all times.
The KAGE data protection framework is addressed in more detail within the Certified in Data Protection (CDP) certification course. The overall concept and its acronym were created to simplify the data protection process.