Understanding Information Security & Risk Management

Last updated on

I possess a highly sensitive document containing details of the Christmas gifts earmarked for my family members. This document, printed on standard A4 paper, is concealed within my home office. Specifically, it’s nestled discreetly in the cupboard adjacent to my desk, camouflaged amidst a collection of hefty English dictionaries.

For those granted access, the treasure trove lies within the pages housing the term “Christmas,” carefully tucked away within a neatly folded piece of paper.

Yet, mindful of the occasional curious glance from my children or significant other, I’ve taken extra precautions. Enter my clandestine security measure: a cipher encrypted in Japanese, ensuring the utmost confidentiality.

My family may stumble upon the paper, yet all they’ll decipher are cryptic symbols like タータンチェックの野球帽 and 腕時計, akin to hieroglyphs to them.

Thanks to this covert tactic, every Christmas unfolds with delightful moments of gift exchanges. Just reminiscing about it brings a grin to my face, envisioning the astonished expressions and the ensuing laughter, enveloped in the fragrant aura of the Christmas tree and the customary mulled wine.

This joy propels me to fortify the concealment of this highly classified intel even further!

In our forthcoming discussion, we’ll explore strategies for companies and their marketing departments to safeguard their secrets and data. By doing so, they can likewise evoke smiles on their customers’ faces.

Understanding Information Security

Imagine GDPR as your “get out of jail” card in the realm of data protection. Just like in games, where such cards allow you to skip a round, GDPR’s data security provisions serve as your lifeline.

Aligned with a risk-based approach, GDPR emphasizes minimizing risks while granting controllers more flexibility. Take for instance the fines imposed by regulators: they must assess the security measures implemented by companies to safeguard data, as stipulated in Article 83(2)c of GDPR (, 2016). This provision essentially acts as a safeguard, providing a layer of protection akin to that “get out of jail” card in the world of data compliance.

Consider a scenario where your laptop is stolen. If it’s encrypted, there’s no obligation to disclose a data breach to your customers. This omission preserves the carefully cultivated brand image your marketing department has painstakingly built over the years.

This underscores the critical importance of data security. Numerous organizations maintain distinct security departments, often overseen by a Chief Information Security Officer, who oversees various functional areas.

For marketers who have experienced security incidents splashed across news outlets, they understand firsthand the invaluable support their security colleagues provide in times of crisis.

Definition Of Information Strategy

Data security is not explicitly mentioned in Article 4 of the GDPR, which outlines definitions, but it is addressed in Article 5, which delineates the fundamental principles of the data protection law.

Essentially, data security is a key tenet of the GDPR, falling under the principle of “integrity and confidentiality.”

The GDPR mandates that organizations must take measures to prevent unauthorized or unlawful processing, accidental loss, destruction, or damage of data, forming a cornerstone of personal data protection.

Technical and organizational measures (TOMs) are required to be implemented to safeguard the integrity and confidentiality of data, as stipulated in Article 5(f) of the GDPR (, 2016).

Outside Of GDPR, Information Security Is Defined As Follows

Information security involves protecting information and information systems from intentional and unintentional unauthorized access, disruption, alteration, and destruction by both internal and external entities (Gartner, Inc., 2023).

It encompasses a range of technologies, policies, and practices chosen to ensure the security of data (, 2018).

According to the National Institute of Standards and Technology (NIST, 2023), information security is the safeguarding of information and information systems from unauthorized access, use, disclosure, disruption, alteration, or destruction, with the aim of maintaining confidentiality, integrity, and availability.

Approach To Information Security

Similar to the strategic frameworks devised by marketing professionals such as the 4Ps, 7Ps, and 4Cs, the field of information security strategy has developed its own frameworks, notably the CIA triad and the Parkerian Hexad.

The CIA triad focuses on three essential components: Confidentiality, Integrity, and Availability.

Security consultant Donn Parker further enhanced this framework by introducing three additional elements: Utility, Authenticity, and Possession.

Here’s a succinct overview of the six aspects comprising the Parkerian Hexad (Bosworth et al., 2009).


Availability pertains to the organization’s capability to access data. For instance, in the event of a power outage where marketers are unable to access customer data, it constitutes an availability issue.

Although the file remains intact and not stolen, the marketer experiences a temporary inability to access the specific data.


Utility within the Parkerian Hexad addresses the issue of losing the usefulness of data. For example, if a campaign manager misplaces the encryption key to the data, the data remains accessible.

However, because the emails necessary for executing an email campaign are encrypted, they become useless, rendering the data inaccessible for practical purposes.


Preserving integrity involves preventing unauthorized alterations to the data.

For example, if an intern from the marketing department inadvertently deletes the field “purchased more than two items” within the dataset, this constitutes a security incident related to integrity.

If the intern’s manager can restore the deleted field, then the integrity of the data remains intact.

Typically, integrity is upheld by assigning varying access privileges, such as granting read-only access to interns and read-and-write access to the marketing manager.


Authenticity concerns the accurate attribution of data or information to its rightful owner or creator.

Consider a scenario where your advertising agency, serving as your data service provider, receives a counterfeit email instructing them to delete all customer data.

The agency, mistaking the email for a legitimate directive from your company, complies with the request. This scenario exemplifies an authenticity issue.


When an unauthorized individual gains access to a specific marketing analytics file, it results in a breach of confidentiality.


The Parkerian Hexad employs the term “possession” to characterize scenarios in which data or information is unlawfully acquired.

For example, if a malicious employee from the marketing department downloads all the sales contact information onto a personal mobile device and subsequently erases them from the network, this constitutes a possession issue.

Risk Management

In addition to comprehending the challenges you encounter, leveraging the Parkerian Hexad, your organization must also be aware of the potential security risks inherent to the business.

Andress proposes a practical and versatile five-step risk management process applicable to various situations (Andress, 2019).

Step 1: Identify Assets

Before your organization can embark on managing the risks associated with your marketing department, it’s essential to first map out all data assets owned by the marketing department.

This entails accounting for all data, whether it’s distributed across various systems or entrusted to external service providers.

Once this mapping exercise is finalized, your marketing department can then identify which data files are of utmost importance. RoPA, with its comprehensive mapping of all personal data processes, can be utilized for this purpose.

Step 2: Identify Threats

For every data file and process identified in the preceding step, potential threats must be assessed. This could involve conducting a brainstorming session involving marketers, security personnel, and data protection departments to systematically review each data file and process.

The Parkerian Hexad, as discussed earlier, can serve as a valuable framework for guiding these sessions. Additionally, this exercise can aid in identifying the most critical data and processes.

Step 3: Assess Vulnerabilities

In this phase, pertinent threats are identified for each data use identified in Step 2. This process entails considering the context of your organization’s operations, the products and services it offers, vendor relationships, and the physical location of company premises.

Step 4: Assess Vulnerabilities

During this stage, the threats and vulnerabilities associated with each data and process are compared and assigned corresponding risk levels. Vulnerabilities that lack corresponding threats or threats without associated vulnerabilities will be considered as having no inherent risk.

Step 5: Mitigate Risks

During this stage, measures necessary to prevent the risks identified in Step 4 from materializing are determined. Andress delineates three types of controls for this purpose.

The first type, logical controls, safeguard the IT environment involved in processing customer data, encompassing measures like password protection and firewall implementation.

Administrative controls, the second type, typically manifest as corporate security policies that the organization enforces.

Lastly, physical controls, as their name implies, protect the business premises and utilize tools such as CCTV surveillance, keycard-operated doors, fire alarms, and backup power generators.

As time progresses, risks can evolve.

For example, your marketing department might relocate to a new building, altering the requirements for physical security. Alternatively, your company might opt to transition from a physical server to a cloud-based hosting service, prompting the migration of customer data.

In both scenarios, initiating a fresh round of the risk management process becomes essential.

Generally, it’s prudent to periodically revisit the risk management process, perhaps on an annual basis, to ensure your company stays ahead of all potential risks associated with your marketing department and beyond.

Approaching Risk Management With Three Lines Of Defence

The Institute of Internal Auditors (IIA) introduced a risk management framework known as the Three Lines of Defense.

This model entails three key internal roles: (1) the governing body, responsible for overseeing the organization, (2) senior management, tasked with implementing risk management measures and reporting to the governing body, and (3) internal audit, which offers independent assurance. Together, these components form a strong protective barrier for the organization (IIA, 2020).

The components of the Three Lines of Defense framework include (IIA, 2020):

First Line Of Defence

To effectively handle risks linked to day-to-day operational activities, senior management shoulders the primary responsibility, with a key focus on fostering a culture that prioritizes people.

Marketing managers play a crucial role in ensuring their department remains vigilant about data protection risks, particularly security concerns, and adheres to pertinent corporate policies.

Second Line Of Defence

In the daily operations of the business, risks can arise across various fronts such as security breaches, data protection lapses, and operational vulnerabilities. Monitoring these activities falls under the purview of the security, data protection, and risk management teams.

Senior management, including the Chief Marketing Officer (CMO), holds ultimate accountability for this first line of defense. A robust second line of defense necessitates seamless collaboration between the marketing department and the security, data protection, and risk management teams.

Practically, this entails recognizing the significance of operational-level auditing and actively engaging with the security team, even amidst competing deadlines and other business priorities.

Third Line Of Defence

Independent assurance on risk management involves evaluating both the first and second lines of defense, typically conducted by independent corporate internal audit teams.

During these assessments, the marketing department will be expected to cooperate, providing necessary information and insights. The assurance findings, communicated to the governance body, serve as valuable input for strategic decision-making by the senior management team.

Original news from SearchEngineJournal