Can Information Security actually help save money?In terms of InfoSec, we usually think of the possible potential for future savings. Hopefully, the thinking goes, if we invest in appropriate security controls now, we will not be hacked in the future. Calculations based on this approach, such as Return On Security Investment (ROSI) try to make this argument. It's an insurance policy.
But the present question is can we use InfoSec to actually achieve verifiable savings, now?
AvailabilityThe third leg of the InfoSec triad is Availability (the other two, as you already know, being Confidentiality and Integrity). In general, availability means having information available when you need it. But the flip-side of this is what to do with information when you no longer require it. Can we make savings here?
In general, companies and organisations tend to keep information for ever. We are afraid to get rid of it, because we might need it for a rainy day. However there is a cost associated with this. Even though storage costs keep going down, the amount of information that we generate keeps increasing. And it costs money to store all this data. Hardware costs, personnel, backups etc.
If the data can be deleted, then can these associated costs can be saved?
The possible answer is to delete it when it is no longer available. In fact, data protection legislation usually says something along the lines of "Delete personal data when it is no longer needed". If we can achieve this, then not only are we likely to save costs, but we are also more likely to be in compliance with legislation.
What are the necessary steps?
Data Retention PolicyDevelop a data retention policy. This will define how long data is to be kept and when it can be deleted. This may give rise to conflicting requirements based on the type or classification of data that is being processed. As mentioned earlier, personal data should be deleted when no longer needed. However, financial or transactional data may need to be retained for a certain amount of time for audit purposes. Important is to identify the different types of data that you process - and then to define retention periods for the various classification types.
This bit can be tricky as you need to consider other issues such as information that may need to be retained for litigation purposes.
IdentificationThe next step is to identify the locations where information is stored and to classify these based on the data retention policy.
DeletionFinally, delete the data based on the data retention policy and on classification type. Then you can reuse the freed-up space for newer data.