Information security covers a much wider scope than most
people imagine. Is your view of the iceberg, or just the tip?
What is Information Security?
Most people, when they hear the term “information
security”, usually focus on single events like website hacking, procuring
credit card details, email viruses or the like. Most people
immediately think of some incident in which they themselves were the
victim.
The fact is that these are only the tips of the
information security iceberg. To fully appreciate the importance and scope
of information security we need to widen our view considerably.
Information security is more than just IT security. The focus of information
security is not on the security of an organisation’s IT operations per se,
but on the organisation’s ‘Information Assets’.
Information assets can be a variety of items, such as:
- business records
- client and contact databases
- personnel information
- financial records and transactions
- information databases
- e-commerce transaction details
Most people underrate information security because they
don’t see it from this wider perspective. Information security
covers the whole of an organisation’s information.
How should I think of information security?
There are three letters to remember when thinking of
information security; they are C I A. This has nothing to do with men
in black suits. CIA stands for Confidentiality, Integrity and Availability,
the three main checklist items when considering information security.
Try them now:
Confidentiality. Can you guarantee that your
confidential information will remain confidential or is it open to
compromise by unauthorised persons gaining access to it? This access
does not have to be deliberate or malicious, it could occur accidentally
because you have provided insufficient control over its access.
Regardless of the intent, the impact can be just as devastating to a
business.
Integrity. Can you guarantee that all your
information will remain free from unauthorised change so that it can always
be relied upon for accuracy? Again, this does not have to be
deliberate. Without adequate control, well-meaning but unauthorised
staff can alter data without malicious intent.
Availability. Can you guarantee that your
information (whether confidential or not) will always be available to those
who need it, when they need it? There are few things more disruptive
to business than staff being unable to access the computer system
for a period.
This last point raises the unpopular twin spectres of
Business Continuity and Disaster Recovery. What if your entire premises are
destroyed? What are the critical parts of your business activities?
How long would it take to reconstruct your entire IT infrastructure on
another site? What resources would you need to do it? What
critical systems would you need first, what systems can wait? You need
a plan which enables your staff to quickly assess damage, and institute a
planned recovery process. This process may go as far as the
establishment of a mirror site where critical IT resources are duplicated.
It is common to view this scenario as an 'acceptable
risk', that is, it can’t happen to me. It will continue to be viewed
as an acceptable risk – that is, until it happens. Then it is an
unacceptable risk. But too late!
The CIA principles should guide your thinking about
information security. Remember that a security breach need not be a
malicious act; it could be as innocent and simple as a power outage or a
failure to set network access privileges correctly, or it could be the total
loss of all your facilities through a disastrous event, natural or
unnatural.
What do I do about it?
The only defence you have against such events is to:
Deter. Have in place the means to avoid or
prevent the occurrence of preventable information security breaches.
Protect. Be in a position to safeguard
your information assets from security breaches.
Detect. Equip yourself to rapidly detect the
occurrence of security breaches.
Respond. Be ready to react to rapidly overcome the
effects of security breaches.
Recover. Be able to restore the integrity,
availability and confidentiality of information assets to their expected
state.
Was it Edsel Murphy who said, “There is a standard for
every endeavour except the one you are engaged in”? Well, the good
news is that there are several standards for information security management
(mainly AS/NZS 4444.2:2000). But the bad news is that, like most standards,
these are too brief and all-inclusive to be of any practical use. They
need a lot of interpretation according to the type of organisation and the
scope of its activities.
How do us mere mortals interpret the standards?
Fortunately, the NSW State Government, through its Office of Information
Technology (OIT), has published a set of Guidelines for Information
Security. These documents mirror the standard and present it in the
form of practical guidelines for its implementation in NSW State
Government departments.
The Information Security Guidelines documents are
presented in three parts:
Information Security Part 1 - Risk Management. This document is a guide to the process of
looking at your information assets, assessing their importance to your
organisation and the risks involved.
Information Security Part 2 - Examples of Threats and
Vulnerabilities. This document lists security vulnerabilities under the
headings of Natural Disasters, Environmental Conditions, Deliberate Threats
and Accidental Threats. The document lists 38 threats ranging from
vermin attack to malicious destruction of data and facilities.
Information Security Part 3 - Baseline Controls. This document approaches the issue of security
management by establishing a series of controls or measures which you can
implement to help your organisation understand and deal with security
issues.
You can download these three documents in pdf form from
the OIT website at http://www.oit.nsw.gov.au/pages/4.3.Guidelines.htm
You don’t have to be a Government department to take
advantage of the work of the OIT. These guidelines are in the public
domain and conveniently ‘unpack’ the standard into terms that you can
understand.
What is the solution?
The three most positive steps you can take are:
- read the OIT guidelines and take a long hard look at
your information assets and their security vulnerabilities;
- commit to a program of developing, documenting and
implementing a set of information security policies and procedures based
on the baseline of the OIT guideline Part 3;
- implement these policies and procedures
throughout your organisation and commit to a program of review and
improvement to refine the policies and procedures.
The successful completion of these three steps will enable
you to prevent most security breaches and be prepared to deal with, and
recover from, those that you can’t prevent.
The dangers of generic documentation
Finally, beware of wolves in sheep’s clothing.
There are those who will offer you a packaged generic set of security
policies and procedures. No two organisations are the same and the
generic approach severely undervalues the benefits of working through these
issues yourself and developing your own documentation.