5 Reasons Your Business Should Have an Information Protection Policy

Information is the lifeblood of all businesses, but many business owners and high level managers often overlook the security of their business information to focus on what they consider more important; “the generation of revenue.” Many even know the risk well in advance but take on the mentality, “It will never happen to us.” Then the inevitable happens.

Experience has proven that the disregard for the protection of business information is disastrous. The smallest vulnerability in a business’s Information Security System (ISS) can and does cause businesses thousands, even millions of dollars in financial loss everyday. Experts have found that in the majority of the cases involving “loss” from the theft of information that the business owner(s) or managers were aware that potential breaches existed and did nothing to correct the issue. Experts also point out that in 99% of the cases that the cost to fix the breach would have been thousands to millions of dollars cheaper then the loss the business sustained from the breach itself.

According to “Trends in Proprietary Loss” (ASIS International, 2007) these are the top 5 reasons businesses of all sizes should have an active and progressive Information Security System (ISS) and Information Security Management System (ISMS) in place.

  • Loss of reputation/image/goodwill – Taking a hit in the pocket could be bad but not as half as bad as taking a hit to your reputation. Many business can rebound from loss of revenue but repairing your business reputation can cost astronomical time, effort and money. The implications are overwhelming in most cases.
  • Loss of competitive advantage in one product/service – When you have been working feverishly to stay ahead of the game but your competitor beats you to the finish line every time, “There’s a hole in your boat.” The leaking of trade secrets, product delivery timelines and other business processes can completely derail a business and destroy its competitive advantage.” In 2006 there was a well known case of information theft concerning an employee from a major beverage. That employee stole trade information and conspired to sell it to another beverage company for 1.5 million dollars.The employee was arrested after the competitor turned her in.
  • Reduced of projected/anticipated returns or profitability – This can occur when your competitor knows your pricing strategy. If they’re selling the same type of product or service as your business they can, and will easily outprice you.
  • Loss of core business technology or process – A quick Google search will give you some insight on how businesses lose billions in the process when technology is leaked or stolen. The case of the drawn out and costly battle of the “Cell Phone Giants” comes to mind. Do a Google search about it. There are some really insightful facts that you may not have known about the case.
  • Loss of competitive advantage in multiple products/services

All of the above are sound reasons while your business should have an active information security policy. I am of the opinion that any business that regularly loses money and fails to implement processes to stop it,will soon be out of business. Therefore, I encourage all business managers, executives and owners to take the protection of their information seriously. Make time to review your current information security processes and policy with your security manager. Listen to his/her concerns and recommendations. After all that is what you hired him/her for. Concentrate on making your security a “Necessary good” instead of a “Necessary evil” and dedicate a reasonable but flexible budget to immediately address new or unexpected security threats. It could truly save you a life of headaches, court battles and money in the end.

Below are a few recommendations that I believe will help any business to begin improving their information security process. It will also help to improve overall security in general.

Recommendations

  • Ensure that sensitive information is only accessible to a small group of people based on a need to know basis. This information is to be kept in a secure area with progressive and redundant security measures.
  • The first level of security can be posted signage that designates the level of authorization required to be in specific areas. These signs should also advise the consequences for ignoring them.
  • The second level of security may include CCTV cameras which are manned or unmanned (but have the ability to be reviewed later). Cameras serve as a good method to detect, deter and in some cases respond to nefarious behavior.
  • The third level of security mandates designated key cards or key fobs to enter restricted areas. This authorization can also be indicated by color coded ID badges. A security checkpoint guarded by trained security officers is also an option.
  • The fourth level of security concerns areas where the most sensitive information is held. This area should include CCTV cameras, locked file cabinets and safes. This should be supported by a well written Information Protection Policy created in partnership with an experienced security professional and it should be strictly adhered to.
  • Lastly, a schedule for audit and compliance should be instituted and a designated person appointed the responsibility for its oversight. This recommendation has more to do with Information Security Management, which I will discuss in a later topic.

General Information Security Practices

The preceding concerned security strategies for highly sensitive information however, we must not overlook the need for the security of general business information. Information comes in many forms and businesses must protect them all. Here are a few more tips that I recommend to improve your current Information Security Policy:

  • Ensure that all documents that contain personal, personnel and company information are always kept secure. This information should never be left lying around on someone’s desk or in their inbox. Always keep this type of information under lock and key and designate a person to ensure strict accountability.
  • Ensure that you have a information security policy in place and share it with your entire staff. This policy should include how to file or discard company information.
  • Ensure that your company has a shredder and include shredding regulations (what should be shredded, when and by whom) into your policy.
  • Always ensure that someone in your organization stays abreast of current cyber threats. This person is normally the head of the IT department or your security manager. He/she should also ensure that your anti-virus and firewall systems are regularly updated and tested. If your company does not have a dedicated IT department of manager it wouldn’t hurt to consult with an IT Security firm to get a check-up.
  • Ensure that your Information Protection policy includes regulations pertaining to thumb drives and portable hard drives. The policy should clearly state what information can be saved or uploaded from and to the devices. Also consult with your IT department to disable the USB ports on your computers and networks if necessary.
  • Finally, every business should have a Non-Disclosure Agreement. NDAs set the expectations for your employees as it pertains to the privacy of your business affairs, processes and materials. It also provides the recourse for violating the policy. can be found on the web, but I recommend consulting with your attorney to ensure that your NDA provides you and your business optimum protection.

That about sums it up. I believe that by implementing these strategies that every business can improve the protection of their information and reduce the chances of suffering financial loss. In many cases you may even increase your profitability, which is why we are all in business anyway. I hope that you found this information valuable. Never underestimate what a solid Information Security Program can do for you.

Thanks for reading and I hope that these quick security tips help to kick start or rekindle your Information Security Program.

Making Your Employees Understand the Value of Information

When deploying a bespoke information security awareness campaign, the ultimate aim is to build a mindset in which employees come to respect and protect the information they work with. To achieve this, it’s imperative that employees fully understand the value of that information.

Failing to understand the value of information is a major cause of information security breaches. For example, it’s the reason why sensitive information ends up in wastepaper baskets or recycling boxes, which subsequently exposes it to ‘dumpster diving’ – the practice of scouring company bins for useful competitor intelligence.

Failing to understand the value of information has led to some of the high profile ‘laptop left on a train’ incidents, where employees are walking around with sensitive information on their hard drives that hasn’t been encrypted for transport.

Failing to understand the value of information can even cause employees to talk themselves into doing things they’ve already been told is bad practice, such as connecting to an unsecure hotel wi-fi to check email. We’ve all been tempted to do it because of the convenience. What stops us is knowing how valuable the emails coming in and out are – all of which can be intercepted on an unsecure wireless connection.

Communicating value

The value of information is best communicated through a clear information classification scheme. For example, let’s use the traditional labels of ‘public’, ‘internal’ and ‘confidential’ information. One of the most effective methods of communicating value is to consider all of the information types within your organisation and categorise them under these headings. Turn that into a clear communication that allows employees to see exactly which information types should be considered under which classification. There are also some engaging and fun ways to embed this in your employees’ minds.

Make classification mandatory

Making classification of all documents mandatory also helps to embed this consideration of value. A classification must be assigned to every new piece of information that employees generate. Similarly, every piece of information they receive must be immediately checked for its classification. If a piece of information is passed on without a classification, then the practice of sending it back to the originator for classification will eventually cause this handling procedure to become second nature.

Protecting confidential information: Carrot or stick?

For most organisations, accidentally or intentionally disclosing confidential information is a disciplinary offence. As long as you state this as part of a campaign that simultaneously instils the value of information, then it can be quite effective.

However, bear in mind that the most effective internal communications campaigns succeed by aligning the objectives of the employee with the objectives of the organisation. Therefore, a more effective method is to make the employee see the personal value of protecting information at work. There are many messages that can be used, such as building the employee’s perception of their contribution to organisation success, and the need to protect the integrity of this achievement. You can also communicate how devastating an information breach can be – for example, through lost revenue or a fine from the Information Commissioner’s Office. An information breach could even cause enough lost competitive advantage that an organisation is no longer able to operate at the same size it was. This associates the concept of information security with job security.

Acformation – The New Information Paradigm

The First Paradigm – Age of Information (circa 1980 – 2000)

Information, coming in, captured the then market realities. It represented the collective market notions such as ideas, beliefs, etc. for a given time period. The Information Gradient (IG), the rate at the which a given information changed – proven, disprove etc. was fairly linear. In other words, the market behaviour was within the predictable limits of Organizational Think-tanks (OT).

The Second Paradigm – The Rise and Fall of Real Time Information (circa 2000 – 2012)

The changing market dynamics brought new problems to these OT. The IG lost its linearity. It became a victim to unforeseen market forces, and thus became more skewed. The Information captured did not convincingly represent the market notions.

It was then time for the next paradigm shift – the Real Time Information (RIT). But, RIT never represented information at all. It was a screenshot of the market notions at any point of time. It allowed the OT to ‘trust’ the market forces before taking any strategic decision.

It worked well for a while. Until RIT started losing the ‘realness’ of the information. As the real-time capturing of information peaked, companies started becoming more aspirational. They wanted information created a moment ago. While the technological advancements made it possible to capture and deliver information real-time, these companies found it difficult to put this information into perspective. For a vital component of the information made no sense – how useful is this piece of information for the immediate decisions to be made and its integrity for long-term strategic decisions.

The era of RIT came to end.

The Third Paradigm – The Age of Acformation (Present)

RIT is dead. How could a piece of information captured a minute ago make sense? More so, when information captured a minute ago will not be the same as the information that is to be captured the next minute. Especially in an industry such as Apparel or Footwear where the fashion trends are changing.

RIT lacks a continuity, in terms of aiding the business in taking market decisions.

Acformation was born. It stands for Actionable Information.

Acformation is radically different. It does not capture or represent information at all.

Acformation, in essence, represents the rate of change of information. In other words, it represents IG. IG is a meta-information, i.e. information about Information. It provides the much need context for the information, and is thus, Actionable.

Understand your company’s Information Structure

As a retailer, you need to understand the Information Structure of your business.

Primary Information (PI)

Stock Levels

What do you have? How much of it do you have?

Sales

What has been sold?

How much of it has been sold?

Secondary (or Meta) Information (SI)

What did this customer buy?

How much did the customer buy?

What is the Customer Profile?

What is the customer buying history?

Miscellaneous Information (MI)

Company Performance

Accounts and Balance.

Actionable Information (AI)

Given the PI, SI & MI levels, how disposed is the customer (or a group of them) to buy in the future?

How likely will the purchase be made?

How frequent will this happen?

Will there any change in their preferences as result?

How resources is your shop in making this happen?

What Information Does An Employee Expect? – An Employee Communication Primer

OPENING BELL:

With the corporate laws becoming stricter in India and the ‘Right-To-Information’ Act being enforced in the ‘right’ spirit, coupled with the hyperactive media & proliferation of social networking websites, the word ‘Transparency’ has acquired a new meaning in the world of business. Till early 1990s, the word ‘transparency’ was just not in the business lexicon and today it is a stringent legal, a professional, business and a societal necessity.

Like a coin, the word ‘transparency’ has two sides. One side pertains to the information that the organization shares with the outer world (like government agencies, investors, business magazines, news channels, and voluntary organizations) for compelling reasons and the other side is about the stuff that the organization feeds or notifies to the employees for the intended reasons.

In the contemporary world, the employees are far more conscious and vocal about their rights. In fact, feeding them information is equal to “what the doctor ordered”; give them a little information and they ask for more. Why? Because they believe that the information (like knowledge) is power and more information is decidedly better than no or half information.

Employees born after 1992 (known as Gen x or Gen Alpha) are the blessed ones as they have escaped the era of ‘information starvation’. When they were growing up, India was getting progressively liberalized and information was becoming available more easily. Consequently, they became adult with the ‘mindset’ that they have a (legitimate) right to expect, get and receive information that affects them.

As of now, it seems that the HR profession in India has taken the partial cognizance of this ‘info savvy’ or ‘info hungry’ employees and their expectations for the ‘transparency’ in information sharing (within and from the organization). What information the ‘info hungry’ employees expect from the management or the company?

Let us explore in a telescopic way, i.e. from the personal level and to the organization level, and look at the instructive list of the information needs.

As an employee – Individual & direct information needs:

 

  • How is my compensation calculated and what is my take-home pay?
  • How do I plan for my income tax?
  • What are the HR policies applicable to me and what each policy means? Whom should I give feedback?
  • What are my entitlements and how & when do I receive or claim them?
  • What are the performance measurement criteria applicable to me?
  • How will I grow or get promoted and approximately within what time-frame?
  • Whom should I speak to in case of any difficulty, personal or professional?
  • What are the unwritten but important Dos and Don’ts, behavioral and otherwise, of the organization?
  • Who are the key members of my immediate senior management and what are their profiles?

 

As a team (cross-functional) member – Individual, collective & direct information needs:

 

  • Why I am chosen as a member? Why others are chosen as team members?
  • What are the goals of this team?
  • Why a particular employee has been appointed as the chief?
  • Whom the team will report to?
  • What is the timeline for presenting the outcomes?
  • What resources the team has at its disposal?
  • Will my job be at stake if the team does not deliver as expected?
  • What are the extra privileges available to a team member?
  • How the conflicts within the team will be resolved?
  • How will my performance as a team member be linked to my annual performance appraisal?
  • Who will help if I or the team requires training or other support?
  • What if my Functional Supervisor hinders my participation in the team’s work?

 

As a member of the Function/Department/Unit – Individual, collective & direct information needs:

 

  • How my function/department/unit has fared this year?
  • Why my boss has assessed my performance as inadequate when the function/department/unit has done so well? Does that imply that the ‘sword is likely to be on my neck’?
  • Why our function/department/unit is treated like an orphan by the management?
  • Why I am not being given challenging assignments?
  • What are the key developments in other functions/departments/units of the company?
  • Why employees of other functions/departments/units get better or more benefits?

 

As a member of the organization – Individual & indirect information needs:

 

  • What are the core values of my company?
  • How my company has performed during the specific period and what are the central reasons for the performance?
  • What are the significant developments (political issues, competition related, mergers, acquisitions, takeovers, government policies, etc.) that affect my company (and therefore, me)?
  • Whom should I talk to if I receive unsubstantiated information about my company from the external or internal sources?
  • How my company is planning to grow in coming 2-3 years?

 

CLOSING BELL:

Though the information needs become more specific, differentiated, and time sensitive as one moves up in the pecking order, it cannot be denied that the same information can be shared, of course, on a case-to-case basis, in different ways with different levels of the employees, at the same time or at different points of time. Reaching out to the employees at the right time is always a healthier option irrespective of whether the employees have voiced about their information needs. Information shared at a date later than the required, serves no purpose. All employees do not require all information, but some employees require some information. Correct?

Transparency in sharing of information implies ‘openness’, which is a key constituent of a healthy organizational culture. However, the degree of openness is a subjective criterion and it depends on the workforce’s collective perception, which is primarily influenced by the difference between the management’s advocated philosophy or business policy and the real practice of sharing the information. Transparency in sharing information is a key ingredient for trust-building between the employees & the management.

The real torch-bearer of the ‘transparency’ is the HR Head. She is not only accountable to make sure that every employee receives the ‘required’ information, but also should persuade or even insist when required, that the members of the senior management demonstrate openness and behavioral transparency, consistently.

‘Behavior speaks louder than words’ and here it means that no member of the senior management should be seen as ‘hiding’ or ‘suppressing’ or ‘tweaking’ the information. Practicing ‘transparency’ is an art as well as a science for HR the professionals. It is more an art when they have to be transparent themselves and it is more of a science when they have to make sure that the employees perceive the organization as transparent.

The Union’s Right to Information or How to File a Successful Request For Information

In this article we will answer the following questions and a whole lot more:

• What is a request for information?
• Under what conditions can I request information?
• What can I do if the company refuses to give me the information I requested?

The request for information comes from the obligation and duty to bargain and applies to contract negotiations as well as the grievance procedures that follow.

Congress enacted the National Labor Relations Act (“NLRA”) in 1935 to protect the rights of employees and employers, to encourage collective bargaining, and to curtail certain private sector labor and management practices, which can harm the general welfare of workers, businesses and the U.S. economy.

An employer who refuses to provide information or unreasonably delays the provision of information violates Section 8(a)(5) of the Act.

Information can be requested by a Union who is certified to represent company’s employees for the following reasons:

• To prepare for collective bargaining negotiations
• To monitor the Collective Bargaining Agreement (CBA)
• To investigate a grievance

In order for a request to be valid it must somehow relate to one of the above issues.

For example, a Union is preparing for negotiations and requests a copy of all workplace rules and regulations, a list of all positions to include their duties, responsibilities and where their position is located at.

Another example would be if a Union was investigating the discharge of a member. The Union could request a copy of all information used by the employer to decide to terminate the member, including but not limited to, all evidence, statements, emails, photographs, video recordings, audio recordings, photographs and any notes.

Even though a grievance is not necessary to request information it is recommended that the Union has some form of probable cause to justify a request. It does not hurt the Union’s case to be able to articulate the reasons behind their request.

What types of information can the Union request?

It would actually be easier to list all of the information the Union cannot require from the employer. Here are a few examples of information that is not allowed:

• Information covered by the Health Insurance Portability and Accountability Act (HIPPA)
• Trade secrets covered as propriety information
• Information which the employer has consistently enforced a policy barring disclosure so long as the employer provides an alternative or substitute form of disclosure

In order for your request to be effective it must contain the following items:

• It must clearly identify the information being requested.
• If the request is in connection to another matter such as a grievance it must be clearly referenced.

The following items are highly recommended:

• Clearly state where the information is to be delivered
• Clearly state how the information is to be delivered
• Clearly state when the information is expected to be delivered
• Clearly state that if any part of the request is denied the employer must state this fact in its response

Now let’s talk about delivery. In order for a request to be effective you must have proof of delivery. This can be accomplished in several ways. They are:

• Via certified mail, return receipt requested.
• By hand delivery, with a statement from the person performing the delivery.
• By fax or by email along with a confirmation copy, a reply or a phone call verifying that it was actually delivered.

What can you do if the company refuses or fails to provide the information requested?

The agency that enforces the National Labor Relations Act is the National Labor Relations Board (NLRB).

The NLRB is an independent agency of the United States government charged with investigating and remedying unfair labor practices. As previously mentioned, an employer who refuses to provide information or unreasonably delays the provision of information violates Section 8(a)(5) of the Act.

This next part will depend how your Union is set up. Many organizations require Locals to go through their parent organization in order to file NLRB charges. You should check with your National or International before moving forward.

For those Locals or Independent Unions who are left to fend for themselves you can file the charges in two ways. You can fill out the forms yourself and either walk them into the NLRB or fax them in, or you can call the NLRB and the Information Officer (who normally answers the phone) will take the necessary information from you.

After a few days an Agent will contact you and tell you what you will need to do. Be prepared to provide an affidavit under oath as well as provide all relevant information or witnesses to support your case.

Generally speaking, NLRB charges filed over refusals to provide information are not subject to the NLRB’s policy of deferral.

This means that the NLRB will fully investigate the issue and if the violation is found to be valid, the NLRB can order the employer to provide the information requested.

The Essence of Information Dissemination in Audit Service in Sierra Leone

Introduction

Information at the heart of everything we do as humans. We generate it, we consume it, we share it and we sell it. The careful managing of information is therefore the key to success in business. An introduction to information dissemination in a business provides a solid overview of the role of information dissemination. It gives guidelines on collecting the right information to the right people to support the firms. ‘ strategic objectives and “oil” the everyday operations of the business.

Definition

Dilman 1978, defined dissemination of information is the active and targeted distribution of information or intervention via determined channels using planned strategies to a specific public or audience.

Dissemination is a formal planned process with the intent of spreading knowledge and enhance the integration of the evidence, information, intervention or combinations of these into routine practice. Information dissemination has been characterized as a necessary and sufficient antecedent of adoption and implementation of organisational policies (Dilman, 1978).

Importance of Information Dissemination in Service Delivery

Before assessing the various approaches used to disseminate information, it is worth revisiting the reasons for disseminating information. There are usually good reasons why organisations decide to disseminate information. These reasons are not necessarily independent of one another but can nonetheless be categorized to emphasis the motivation of an organization when initiating dissemination. The reasons are usually to increase the value of one or more of the following attributes of the enterprise shareholders. The following among others are the reasons for information dissemination in organisations:

To Create Awareness: Information is often disseminated in order to educate, explain or promote a concept, process or principle. For example, technical specifications explaining system capabilities, instruction about alternatives to avoid congested transport routes and guidelines for the completion of work in order to ensure consistent appearance of project deliverables are all ways in which information is disseminated to generally encourage recipients to comply with a procedure in the belief of organizational or enterprise improvements.

To Enhance the Response of Customers: Sometimes information is disseminated solely in the hope it will cause some feedback that might require further information to be generated or be used to validate something. Examples include advertising, questionnaires, market surveys frequently asked question list and testimonials.

To allow Collaboration: Information is often disseminated in order for a group of individuals to share knowledge and routes of communication. Examples include workflow systems to support the flow of information between system entities in order to achieve a common purpose, mailing lists where like minded individuals can listen to and discuss common issues, libraries where people can access information, and control system where probes might detect and transmit warnings about certain event(Fink, 1983).

Background of Audit Service Sierra Leone (ASSL)

Audit Services Sierra Leone is the supreme audit institution of Sierra Leone section 119 of the 1991 constitution of Sierra Leone provides for the establishment of the offices and functions of the Auditor General. It started with establishment of the Audit Act of 1962. It was later called the Auditor General’s Department then the office was moved from the Audit General’s Department to Audit service Sierra Leone due to the Audit service Act 1998 which was implemented in 2004. The Act also created an Audit Service Board (ASB) an Advisory Board which has the power to appoint persons, other than the Auditor General to hold or act in offices as member of the Audit service and to exercise disciplinary control over such persons.

The Audit Service Sierra Leone is headed by the Auditor General who is assisted by four deputies. Its headquarters is at Lotto Building in Freetown with other offices in Freetown, Bo, Makeni and Kenema. Also, the Auditor Generals Mandate is specified in section 119 sub sections “2” of the 1991 constitution. It provides for the Auditor General to audit all government ministries, department, agencies, educational institutions and any other statutory body set up partly or wholly out of public funds. This mandate now includes the 39 aligned ministries and departments’ 19 council’s one hundred and forty-nine chiefdom authorities, 64 statutory bodies and donor funded projects.

Methods of Information Dissemination at the Audit Service Sierra Leone

This organisation uses both manual and electronic for Information dissemination:

Manual means of Information Delivery Dissemination.

The manual means of information dissemination in the Audit Service Sierra Leone are as follow:
• Printed copy of the Auditor General report and other document.
• Disseminate of copy of the Auditor General report and other report to various people.
• Disseminating of the Audit Services newsletter internally and externally to various takes holder.
• Organising meetings with civil society group.
• Awareness raising programs in various schools, groups and universities.

Electronic means of Information Delivery Dissemination.

The electronic means of information dissemination in the Audit Service Sierra Leone are as follow:
• Publishing the Auditor General (AG) report on the Audit Services web-site.
• Airing of the Audit Service juggle of various radio service.
• Disseminating of information through social media eg. Facebook, Whatsapp and Tango etc.
• Organising radio discussions or programs on various radio stations. During the radio programmes, listeners were given the opportunity to respond to issues discussed by making phone calls and sending text messages to numbers that were announced to them. The panelists responded adequately to the questions and comments during the radio programmes.
• Radio jingle-As part of the awareness raising programmes, the communication division produced a radio jingle in English and it was later translate in four local languages (Mende, Temne, Krio and Limba). The jingles are aired on various radio stations in the country.

Users of Information at the Audit Service Sierra Leone

A user of information is a person or an organization using the information created by another institution or organisation. In using the information the users are most often identifiable in advance. They use information on a daily basis because of certain work, assignment or work tasks. The following are the Information service of Audit Service Sierra Leone:

Administrative Personnel

Employees of an organization and staff of the HRM department to be specific can access records about their operational and organisation maintenance to make correct decision and solve administrative problems. Directors within the HRM will also obtain information from the record department for taking decisions pertaining promotion, recruitment, transfer and payment of retirement benefits.

Researcher / External user

Audit services are research oriented as a matter of fact, researchers use their information to gain knowledge of the department or the civil service researching on the activities and initiatives of the government. The outcome of these research activities is normally for academic purposes which will help the researcher to gain an in depth knowledge about the ways staff or civil servants, are recruited, promoted, and terminated.

Journalists

The other important users of the information generated at the Audit service office are journalist who may want to investigate claims pertaining poor recruitment and appointment of personnel in the various departments.

Types of Information Acquired at the Audit Service Sierra Leone

Operation Audit Information

A Future- oriented, systematic and independent evaluation of organization activities. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies may be evaluated during this types of information review.

Financial Information Audit

A historically oriented, independent evaluation performed for the purpose of attesting to the fairness, accuracy, and reliability of financial data. External auditors need this type of information.

Department Information Review
A current period analysis of administration functions to evaluate the adequacy of controls, safeguarding of assets, efficient use of resources, compliance with related laws, regulations and universal policy and integrity of financial information.

Investigative Information Audit

This types of information takes place as a result of a report of unusual or suspicious activity on the part of an individual or a department. It is usually focused on specific aspects of the work of a department or individual. All members of the community are invited to report suspicions of improper activity to the Director of Internal Auditing Services on a confidential basis.

Follow up Information Audit

These are information conducted approximately six months after an internal or external audit report has been issued. They are designed to evaluate corrective action that has been taken on the audit issues reported in the original report when these follow up audits information are done an external auditors reports, the results of the follow up may be reported to those external auditors.

Integrated Information Audit

This is a combination of an operational audit, department review, and its audit application controls review. This type of review allows for a functional operation within the institution (Silver, 2010).

Challenges faced in Information Dissemination at the Audit Service Sierra Leone

Some problems that Audit service encounters with audit information are highlighted as follows:

Finance Problem

One problem that is affecting the institution’s information delivery is finance, and for any organization to survive or sustain thorough development these should be some amount of finance. The organisation faces financial serious challenges in their information service delivery.

Poor Planning of Information Service

The information service is not well effective in the audit service because the people responsible for that are not professionally trained. Only few of them have the capability to do the work in the audit department because of the fact that the information is not received at the right time in line with the needs of the users. The committee does not meet regularly to discuss issues on that.

Lack of Adequate Staff

The challenge of inadequate and untrained staffing situation poses a serious problem for the smooth running of the organisation. The issue of inappropriate staffing can hamper the smooth handling and delivery of information.

In conclusion, information delivery of audit information plays a vital crucial role in the effective management of staff, in any organization. Information is at the heart of any organization or institution that performs the activities related to learning, teaching, research and generation of new knowledge. The goal of information delivery at audit service is to attract and retain a workforce that will enable the institution or organization to achieve its purpose and objectives. However, this work has considered some of the more common pitfalls that hamper effective in Information dissemination which auditors should avoid during the source of their work.

Personal Training and Information Literacy

Scholarship, Practice, and Leadership

Information literacy is extremely important in the health and wellness industry, more specifically in the personal training field. It takes a short amount of time and education to become a personal trainer, and the pay is relatively high for what a person needs accomplish to become certified. An abundance of personal trainers exists because of the high pay, the short amount of time it takes to become certified, and the growing need for society to improve their health. In order for a personal trainer to stand out and become sought-after for their repeated results and excellent workouts, the trainer must be an expert at researching information, comprehending new research, and applying both.

In the article How we Failed the Net Generation, Badke discusses the World Wide Web saying, “… few of us had any idea what it would become in less than 2 decades. Many of our students grew up with the web, so for them it is not a novelty. It’s mainstream. It’s embedded in their lives” (Badke, 2009, p. 47). Most personal trainers only have completed a certification, very limited in information about exercise science, and not a degree at a college or university. Because of their lack of education, the first place most trainers turn for their information is the World Wide Web and not scholarly, peer reviewed research studies. The Internet is not a credible source for information. Anyone can write a blog or post fitness workouts and nutrition information based solely on opinion, and not scientific studies. In order for a personal trainer to ensure they are providing safe and effective workouts to their clients, the trainer must be able not only to read and study research studies but also keep up with the changing information.

One topic not taught in a personal training certification is how to find and decipher sound fitness information. Pia Russell discusses how students are facing the same issues as personal trainers in their studies.

Students have difficulty evaluating the glut of information available, and to cope they frequently depend on quick but questionable sources, like Dictionary.com, which can result in a blind acceptance of advertising-based information, or sources that depend on a truth by consensus approach such as Wikipedia. (Russell, 2009, p. 92).

In order for a personal trainer to be an expert in their field, someone people will listen to, and follow, the trainer needs to stay up-to-date on current research. Personal trainers need to know how to search for information when they face questions they are unsure of. A personal trainer’s job is not only to provide an effective workout but also to educate their clients with researched based information.

Larissa Turusheva discusses the importance of information competence in lifelong learning and education. In Larissa’s study she states,

Information competence is a skill:

• to determine the size of the necessary information;

• to use the necessary information effectively;

• to evaluate the information and its sources critically;

• to develop own knowledge base with the information chosen;

• to effectively use the information for goal achievement;

• to use the information ethically (ACRL, 2000). (Turusheva, 2009, p. 2).

In the personal training field every skill involved in information competence is important. A personal trainer must determine which information is important and which information is not. The trainer needs to evaluate where the information is coming from and apply the necessary information to help the trainer’s clients reach his or her goals fast and effectively. The most important skill a trainer must apply in information competency is using the information ethically. It is unethical for a personal trainer who knows their client has a heart condition to instruct their client to do contraindicative exercises when the trainer knows those exercises put the client at risk. This situation could occur for many reasons. The trainer could be working with a group and does not want to give an alternate exercise or the trainer could want to push their client harder. Implementing ethical practices is part of information competence and extremely important in the personal training profession.

Leo Appleton conducted a study about the information competency skills of student midwives. In the study, the students were taught information research skills and the grading requirements became stricter to promote credible information sources. The results of Appleton’s study showed, “Students reported increased confidence in using library and information resources. Appropriate and timely information-skills training embedded into health-studies curricula can lead to students becoming independent and lifelong learners, as well as improving the standard of their academic work” (Appleton, 2005, p. 1). Not only were these students able to learn how to effectively search and decipher information during their schooling, but also, the training followed the students into their careers in the health field. Personal trainers who have information competency will be able to provide their clients with everything they need to be successful, long term.
Conclusion

Information literacy is vital in every profession and should be taught and enforced when students are in school. Students need to be taught the valuable skills needed to conduct quality research and decipher the material. Those skills will follow students into their careers, where they will be considered experts in their field and leaders. Even if the students are just trying to become certified in a certain field, those skills should be taught during the certification process. Most personal trainers receive only a certification and are never taught how to research accurate information. Because of this the trainers turn to the Internet for their answers. In turn, many personal trainers are making recommendations to their clients based on opinion and not research. This practice has serious implications for the health of their clients and the personal trainer’s credibility. Personal trainers must learn the skill of literacy competence.
To your health,

Jessica Summerall

References

Appleton, L. (2005). Examination of the impact of information-skills training on the academic work of health-studies students: a single case study. Health Information & Libraries Journal, 22(3), 164-172. doi:10.1111/j.1471-1842.2005.00576.x

Badke, W. (2009). How we failed the net generation. Online, 33(4), 47-49.

Russell, P. (2009). Why Universities Need Information Literacy Now More than Ever. Feliciter, 55(3), 92.

Turusheva, L. (2009). STUDENTS’ INFORMATION COMPETENCE AND ITS IMPORTANCE FOR LIFE-LONG EDUCATION. Problems Of Education In The 21St Century, 12126-132.

7 Top Tips for Managing Information Overload

What is Information Overload?

Contrary to popular belief information overload is a concept that has been around for centuries. As early as the 3rd or 4th century BC, people regarded information overload with disapproval. Around this time, in Ecclesiastes 12:12, the passage revealed the writer’s comment “of making books there is no end” and in 1st century AD, Seneca the Elder commented, that “the abundance of books is distraction.”

The term “Information overload” was popularized by Alvin Toffler in his bestselling 1970 book Future Shock. It refers to the difficulty a person can have understanding an issue and making decisions that can be caused by the presence of too much information.

However, it has been the advent of the Information Age and access to the internet that has popularised the phenomenon that is Information Overload. The internet has connected billions of people to a constant and growing source of information that is not only available but is relentlessly pushed at people.

Sources of Information Overload

So where does all this information come from? The 3 main culprits are:

Email – Without doubt the biggest source of information. People receive vast numbers of Emails of all descriptions on a daily basis. Most of these are spam and maybe caught by spam filters but many will end up in people’s inbox.

RSS Feeds – The ability to subscribe for all the latest information updates from websites that people are interested in.

Social Media – The rise in popularity of Facebook, Twitter, Google+ etc. and the advent of smart phones have provided a constant stream of information that is accessible from anywhere at anytime. Whilst a lot of this information is easy to digest it is often a gateway to more information and, if you’re not careful, you can lose hours digesting information and conversing with friends, colleagues and associates.

7 Tips to Avoid Information Overload

So how do you get this information under control? Here are my top 7 tips which will hopefully provide some help.

1. Reduce number of emails

No surprises here as it is the greatest source of information. More efficient use of email is a blog post in its own right. However, you must reduce the volume of emails that you receive by unsubscribing from as many lists as possible. You will not and cannot process all the information that is being sent to you so be ruthless. If you find that there is something you really miss then you can always re-subscribe… the sender will not mind!

2. Turn off notifications

If you are notified every time an email, text, Facebook post or tweet hits your inbox then your tendency will be to have a look to see who it is from and whether it is important. Chances are that it can wait and it is not worth the interruption of what you were doing.

3. Define your Goals

Ensure you have very clear goals and activities to achieve those goals. In this way you will only process the information that is important to that particular activity or task.

4. Keep Focused

Avoid all the temptations to read another email or article. Stay true to the task you are working on. The distraction may look really interesting, but is it a good use of your valuable time?

5. Allocate time for Information review

Set time aside to allow yourself to browse through the mountain of information. It is important that keep abreast of what is going on and get some fresh ideas and perspectives. Try allocating time when you are least productive so that you don’t waste that valuable ‘doing’ time. Perhaps you could sacrifice some of the time in front of the TV.

6. 80:20 rule

If you a researching a topic then often the 80:20 rule will apply, i.e. you will obtain 80% of the information you need from 20% of the material that is available. You could spend a lot more time processing more information but it will not add a great deal more value to your work. I would recommend the 4 Hour Work Week by Tim Ferriss for a great explanation of this concept.

7. Archive for Future use

If you believe the information may be useful at some stage in the future then set up some rules to archive the information. Ideally use automatic rules where possible so that you are not tempted to have a quick sneak only to find that you are still reading it 30 minutes later. Many email systems will allow you to set up rules that will send emails to specific folders based on the sender or subject details.

The volume of information that is available is only going to grow and grow so you need to take control of the way in which you access the information and manage your time. To put it in context consider this amazing statistic:

‘All of the information produced between the dawn of time and 2003 is now being produced every 48 hours!’

I will leave you with this question, how much of this information do you really need to know about?

Information Security Management System: Introduction to ISO 27001

Current Scenario: Present day organizations are highly dependent on Information systems to manage business and deliver products/services. They depend on IT for development, production and delivery in various internal applications. The application includes financial databases, employee time booking, providing helpdesk and other services, providing remote access to customers/ employees, remote access of client systems, interactions with the outside world through e-mail, internet, usage of third parties and outsourced suppliers.

Business Requirements:Information Security is required as part of contract between client and customer. Marketing wants a competitive edge and can give confidence building to the customer. Senior management wants to know the status of IT Infrastructure outages or information breaches or information incidents within organization. Legal requirements like Data Protection Act, copyright, designs and patents regulation and regulatory requirement of an organization should be met and well protected. Protection of Information and Information Systems to meet business and legal requirement by provision and demonstration of secure environment to clients, managing security between projects of competing clients, preventing leak of confidential information are the biggest challenges to Information System.

Information Definition: Information is an asset which like other important business assets is of value to an organization and consequently needs to be suitably protected. Whatever forms the information takes or means by which it is shared or stored should always be appropriately protected.

Forms of Information: Information can be stored electronically. It can be transmitted over network. It can be shown on videos and can be in verbal.

Information Threats:Cyber-criminals, Hackers, Malware, Trojans, Phishes, Spammers are major threats to our information system. The study found that the majority of people who committed the sabotage were IT workers who displayed characteristics including arguing with co-workers, being paranoid and disgruntled, coming to work late, and exhibiting poor overall work performance. Of the cybercriminals 86% were in technical positions and 90% had administrator or privileged access to company systems. Most committed the crimes after their employment was terminated but 41% sabotaged systems while they were still employees at the company.Natural Calamities like Storms, tornados, floods can cause extensive damage to our information system.

Information Security Incidents: Information security incidents can cause disruption to organizational routines and processes, decrease in shareholder value, loss of privacy, loss of competitive advantage, reputational damage causing brand devaluation, loss of confidence in IT, expenditure on information security assets for data damaged, stolen, corrupted or lost in incidents, reduced profitability, injury or loss of life if safety-critical systems fail.

Few Basic Questions:

• Do we have IT Security policy?

• Have we ever analyzed threats/risk to our IT activities and infrastructure?

• Are we ready for any natural calamities like flood, earthquake etc?

• Are all our assets secured?

• Are we confident that our IT-Infrastructure/Network is secure?

• Is our business data safe?

• Is IP telephone network secure?

• Do we configure or maintain application security features?

• Do we have segregated network environment for Application development, testing and production server?

• Are office coordinators trained for any physical security out-break?

• Do we have control over software /information distribution?

Introduction to ISO 27001:In business having the correct information to the authorized person at the right time can make the difference between profit and loss, success and failure.

There are three aspects of information security:

Confidentiality: Protecting information from unauthorized disclosure, perhaps to a competitor or to press.

Integrity: Protecting information from unauthorized modification, and ensuring that information, such as price list, is accurate and complete

Availability: Ensuring information is available when you need it. Ensuring the confidentiality, integrity and availability of information is essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image and branding.

Information Security Management System (ISMS): This is the part of overall management system based on a business risk approach to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

About ISO 27001:- A leading international standard for information security management. More than 12,000 organizations worldwide certified against this standard. Its purpose is to protect the confidentiality, integrity and availability of information.Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted all necessary information security controls. It does not focus only on information technology but also on other important assets at the organization. It focuses on all business processes and business assets. Information may or may not be related to information technology & may or may not be in a digital form. It is first published as department of Trade and Industry (DTI) Code of Practice in UK known as BS 7799.ISO 27001 has 2 Parts ISO/IEC 27002 & ISO/IEC 27001

ISO / IEC 27002: 2005: It is a code of practice for Information Security Management. It provides best practice guidance. It can be used as required within your business. It is not for certification.

ISO/IEC 27001: 2005:It is used as a basis for certification. It is something Management Program + Risk Management. It has 11 Security Domains, 39 Security Objectives and 133 Controls.

ISO/IEC 27001: The standard contains the following main sections:

 

  • Risk Assessment
  • Security Policy
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, development and maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

 

Benefits of Information Security Management Systems (ISMS):competitive Advantages: Business partners and customers respond favorably to trustworthy companies. Having ISMS will demonstrate maturity and trustworthiness. Some companies will only partner with those who have ISMS. Implementing ISMS can lead to efficiencies in operations, leading to reduced costs of doing business. Companies with ISMS may be able to compete on pricing also.

Reasons for ISO 27001: There are obvious reasons to implement an Information Security Management System (ISO 27001). ISO 27001 standard meets the statutory or regulatory compliance. Information assets are very important and valuable to any organization. Confidence of shareholders, business partner, customers should be developed in the Information Technology of the organization to take business advantages. ISO 27001 certification shows that Information assets are well managed keeping into consideration the security, confidentiality and availability aspects of the information assets.

Instituting ISMS:Information Security -Management Challenge or Technical Issue? Information security must be seen as a management and business challenge, not simply as a technical issue to be handed over to experts. To keep your business secure, you must understand both the problems and the solutions. To institute ISMS management play 80% role and 20% responsibility of technology system.

Beginning: – Before beginning to institute ISMS you need to get approval from Management/Stake Holders. You have to see whether you are attempting to do it for whole organization or just a part. You must assemble a team of stakeholders and skilled professionals. You may choose to supplement the team with consultants with implementation experience.

ISMS (ISO 27001) Certification: An independent verification by third party of the information security assurance of the organization based on ISO 27001:2005 standards.

Pre-Certification: Stage 1 – Documentation Audit

Stage 2 – Implementation Audit

Post- certification: Continuing Surveillance for 2 years 3rd-Year Re-assessment/Recertification

Conclusion: Prior to implementation of management system for Information Security controls, organization does have various securities control over information system.These security controls tend to somewhat disorganized and disjointed. Information, being a very critical asset to any organization needs to be well protected from being leaked or hacked out. ISO/IEC 27001 is a standard for Information security management system (ISMS) that ensures well managed processes are being adapted for information security. Implementation of ISMS lead to efficiencies in operations leading to reduced costs of doing business.

What Is Information Literacy?

Information literacy is the ability to find the information that we need and use that information. This need could be getting information about different courses that the universities offer or selecting the right tour operator for our next vacation. We make numerous trivial decisions everyday and some important ones now and then, like finding the right car or choosing the correct insurance policy. To make the right decision, or more importantly, to make the most beneficial decision, we need to gather all the relevant information before we can analyze the information and make a decision. Therefore, essentially, all the tasks that fall between identifying the information need and using the information that we find to make a decision fall under the scope of information literacy.

So how do we know if we are information literate? An information literate person can:

· Define the problem: That is we can recognize what the problem is and put that in words. Based on this problem, we can define the information that we need. For example, we wish to travel to Europe. We will want to know – the best time to travel, the average cost of travel, the places we want to visit, and so on. Defining all this is the first step in identifying the information need.

· How to get the information: After we define the information that we want to make the decision, we must then identify the sources of information. These sources could be people who have been to Europe, some tour operators, web sites, and so on. An information literate person at this point will create a strategy for finding the relevant information by identifying the most useful and relevant information sources.

· Where to get the information: Now, we know what information we need and how we can find this information. The third step is to find these information sources. We will know people who have travelled to Europe in our community. In current times, we can use the social networking web sites to find people who have been to Europe to hear their first-hand accounts and experiences. Other than these people, we can look up government tourism web sites to get most of the information.

· Is everything true? People are generally truthful about narrating their experiences, but these could be biased for any number of reasons; we all don’t have the same likes and dislikes. There is a lot of information online, but then not everything we read is true. My point? We can define the information need and get the information too; however, we also need the ability to evaluate critically the information we have. For example, the ability to separate a commercial sales pitch from genuine information.

· Using the information: Whew! This has been a long journey and we have all the ingredients ready. But, it is all in bits and pieces. We still need to assemble all of this information in a way that will help us make that decision about the tour. Define priorities perhaps? Decision based on the variables that we defined in the first step.

Information literacy is not new. It is just that we have a lot of information available and need to be aware of ways to look systematically for the information if we do not wish to drown in this ocean of information. Constantly evolving technology and ways of communication make the task more difficult. So, next time you are looking for information, keep these steps in mind before you dive in the World Wide Web.

Technical writers present information to their readers by identifying readers’ information need. Presenting only the relevant information forms the core of their job. Therefore, this is one skill that technical communicators must master reduce the effort readers have to put-in to use the information. Please visit my blog to know why information literacy is more important for technical writers and what do employers think about these skills when they are hiring a technical writer.