Let us start with a definition:
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. (ISO 17799:2005)
Security is not a one-time effort; it is a process of continual improvement:
Availability – Information is no longer available when required
Integrity – Information is corrupted/incomplete and no longer reliable
Confidentiality – Information is disclosed to unauthorised people
Focusing on maturing the state of security based on business requirements:
Awareness & Communication – responsibility to protect information
Policies, Plans & Procedures – risk, projects, change, incidents
Tools & Automation – patching, hardening, incident repulsion
Skills & Expertise – training to identify security incidents
Responsibility & Accountability – adequate governance and roles
Goal Setting & Measurement – security reporting/metrics
To mitigate the risk of harmful events to acceptable levels:
Competitive disadvantage – unauthorised disclosure to a competitor
Loss of business – client expectations for security are not met
Reputational damage – security incident results in brand damage
Fraud – funds improperly diverted without detection or audit trail
Faulty management decisions – inaccurate management information
Legal liability – security incident in breach of regulation/contract
Poor morale – security incident affects employee morale/motivation
Operational disruption – unavailability of systems/applications
Safety – incorrect personnel records may place employees at risk
Privacy breach – employee/client may suffer identity theft
Effective information security requires the involvement of all employees:
Board – Be aware of security exposure and monitor programme performance
Executive – Mandate a security culture and direct a risk managed approach
Manager – Understand and reduce security risks to an acceptable level
Employee – Comply with security policy and report security incidents appropriately