The success of an information security program depends on the policy produced and on the attitude of company management toward securing information technology (IT) systems. The policy framework helps ensure that all aspects of information security are considered and controls are developed. As a policymaker, it’s up to you to set the tone and the emphasis on the importance of information security.
The proliferation of technology has revolutionized the ways information resources are managed and controlled. Long gone are the days of the “glass house,” full of mainframe computers under tight centralized control. Internal controls from yesteryear are inadequate for controlling today’s decentralized information systems. Relying on poorly controlled information systems brings serious consequences, including:
To avoid these consequences, risk management approaches are needed. Risk is an accepted part of doing business. Risk management is the process of reducing risk to an acceptable level, not of eliminating it entirely: whatever risk remains once controls are in place (the residual risk) is consciously accepted by management. You can reduce, and in some cases eliminate, a particular risk by modifying operations (for example, by no longer collecting or storing data you do not need) or by employing control mechanisms.
The dollars spent on security measures to control or contain a loss should never exceed the loss they are expected to prevent. The comparison is against the estimated loss weighted by how often the event is expected to occur, not against the worst case alone; otherwise every catastrophic but improbable scenario would justify unlimited spending. Balancing reduced risk against the cost of implementing controls is what makes security cost-effective. The greater the value of an information asset, or the more severe the consequences if something goes wrong, the greater the need for control measures to protect it.
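The following is an added worked example, not part of the original text, showing how the cost-benefit rule above is applied in practice. It uses the standard quantitative model (single loss expectancy = asset value × exposure factor; annualized loss expectancy = single loss expectancy × annualized rate of occurrence), which the passage does not name but which is the usual way to put a dollar figure on “the estimated loss if something goes wrong.” All figures and control names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the risk that remains once it is in place."""
    name: str
    annual_cost: float        # yearly cost to buy, run and maintain the control
    residual_ef: float        # fraction of the asset value still lost per incident
    residual_aro: float       # incidents still expected per year


def annualized_loss_expectancy(asset_value: float, ef: float, aro: float) -> float:
    """ALE = single loss expectancy (asset value x exposure factor) x annual rate of occurrence."""
    return round(asset_value * ef * aro, 2)


def net_benefit(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """Annual loss avoided by the control minus what the control costs each year.

    A negative result means the control costs more than the loss it prevents,
    which is exactly the situation the cost-benefit rule says to avoid.
    """
    before = annualized_loss_expectancy(asset_value, ef, aro)
    after = annualized_loss_expectancy(asset_value, control.residual_ef, control.residual_aro)
    return round(before - after - control.annual_cost, 2)


def rank_controls(asset_value: float, ef: float, aro: float, controls: list) -> list:
    """Candidates ordered best to worst by net benefit, as (net_benefit, name) pairs."""
    scored = [(net_benefit(asset_value, ef, aro, c), c.name) for c in controls]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def cost_effective_controls(asset_value: float, ef: float, aro: float, controls: list) -> list:
    """Only the controls that pay for themselves (positive net benefit), best first."""
    ranked = rank_controls(asset_value, ef, aro, controls)
    return [name for benefit, name in ranked if benefit > 0]


# Constructed scenario: illustrative figures, not drawn from any real assessment.
ASSET_VALUE = 2_000_000.0   # replacement value of a customer database
EXPOSURE_FACTOR = 0.25      # a typical incident destroys a quarter of it
ARO = 0.5                   # one such incident every two years

CANDIDATE_CONTROLS = [
    Control("Off-site backups and DR plan", annual_cost=60_000, residual_ef=0.05, residual_aro=0.5),
    Control("Patch management and hardening", annual_cost=20_000, residual_ef=0.25, residual_aro=0.3),
    # Eliminates the loss entirely but costs more per year than the loss it prevents.
    Control("Fully redundant second data center", annual_cost=300_000, residual_ef=0.0, residual_aro=0.0),
]


if __name__ == "__main__":
    print("ALE before controls:", annualized_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR, ARO))
    for benefit, name in rank_controls(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATE_CONTROLS):
        print(f"{name:40s} net benefit per year: {benefit:>12,.2f}")
```

With these figures the expected loss is $250,000 per year. The backup program avoids $200,000 of it for $60,000, the hardening program avoids $100,000 for $20,000, and the redundant data center, although it removes the loss completely, costs $300,000 a year to prevent $250,000 of loss and so fails the rule. The model is only as good as the estimates fed into it; the point of writing it down is that the estimates become explicit and can be challenged.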
Maintaining the confidentiality of information is critical to many organizations in the age of knowledge workers. When you consider the economic activity of the world’s more advanced nations, most of the productive output of workers is information, rather than the widgets of yesterday. Consider two examples:
The demands for timely and voluminous information are increasing. One major protection issue is the availability of information resources. In some cases, service disruptions of even a few hours are unacceptable; think about how much revenue Amazon or eBay loses for every hour of downtime. Reliance on essential systems requires a plan for restoring them in the event of disruption. Organizations must first assess the consequences of being unable to provide their services (how long an outage can be tolerated and how much recent data can be lost) and then create, and periodically exercise, a plan to ensure availability.
If information is modified by any means other than the intentional actions of an authorized user or business process, it could spell disaster for the business. This underscores the importance of integrity controls, which prevent, or at least detect, the inadvertent or malicious modification of information. Consider, for example, a product-testing firm that spends many hours testing the optimal settings for a piece of safety equipment used in factories. If a power surge alters the data stored in the testing database and nothing detects the change, the company might use the incorrect data to recommend equipment settings, jeopardizing the safety of factory workers.
In addition to unauthorized modification of information, security controls should also protect against the outright destruction of information, whether intentional or accidental. The most common control used to protect against this type of loss is the system backup. By storing copies of data on backup tapes or other media, the company has a fallback option in the event data is destroyed. Consider the case of an insurance company that stores policy information on servers in a data center. If that data center is destroyed by fire, off-site backup tapes can be used to re-create it. Without those backup tapes, the company would have no way of knowing which policies it had issued, putting the entire business in jeopardy. Two caveats follow from this example: the copies must be stored far enough from the primary that a single event cannot destroy both, and a backup that has never actually been restored is an untested assumption, so periodic restore drills are part of the control, not an optional extra.
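The following is an added example, not code from the original text, that ties the two preceding scenarios together: it attaches an integrity tag to each record so that a silent change (the power surge in the product-testing example) is detected rather than trusted, and it then falls back to an off-site backup copy for any record whose primary copy is missing or fails verification, reporting anything that cannot be recovered because the backup is bad too. The HMAC-SHA256 tag, the key, the device names and the settings are all constructed for illustration; a real deployment would keep the key in a secrets manager or HSM rather than in the code.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Key used to compute the integrity tags. Constructed for this example only.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def _canonical(record: dict) -> bytes:
    """Deterministic encoding so the same record always produces the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": deepcopy(record), "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record still matches its tag (constant-time comparison)."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def corrupted_keys(store: dict, key: bytes = INTEGRITY_KEY) -> list:
    """Names of every record in a store whose tag no longer verifies."""
    return sorted(name for name, sealed in store.items() if not verify(sealed, key))


def recover(primary: dict, backup: dict, key: bytes = INTEGRITY_KEY) -> tuple:
    """Rebuild a trustworthy store from a primary and an off-site backup.

    Verified primary records are kept; records that are missing or fail
    verification are replaced from the backup, but only if the backup copy
    itself verifies. Returns (restored_store, unrecoverable_names).
    """
    restored, unrecoverable = {}, []
    for name in sorted(set(primary) | set(backup)):
        if name in primary and verify(primary[name], key):
            restored[name] = primary[name]
        elif name in backup and verify(backup[name], key):
            restored[name] = backup[name]
        else:
            unrecoverable.append(name)
    return restored, unrecoverable


# Constructed sample data: recommended settings from the product-testing scenario.
PRIMARY = {
    "press-guard-7": seal({"device": "press-guard-7", "max_rpm": 1200, "stop_ms": 80}),
    "saw-brake-2": seal({"device": "saw-brake-2", "max_rpm": 3000, "stop_ms": 15}),
    "conveyor-estop-1": seal({"device": "conveyor-estop-1", "max_rpm": 0, "stop_ms": 250}),
}
BACKUP = deepcopy(PRIMARY)   # the off-site copy, taken while every record verified

# Simulate a power surge corrupting the primary store after the backup was taken.
PRIMARY["press-guard-7"]["record"]["max_rpm"] = 12000   # a ten-fold error, silently written
PRIMARY["saw-brake-2"]["record"]["stop_ms"] = 150       # another altered value
del PRIMARY["conveyor-estop-1"]                         # record lost entirely

# Simulate damage to one backup tape as well, so one record is beyond recovery.
BACKUP["saw-brake-2"]["tag"] = "00" * 32


def demo() -> tuple:
    """Run detection and recovery over the constructed stores."""
    bad = corrupted_keys(PRIMARY)
    restored, lost = recover(PRIMARY, BACKUP)
    return bad, restored, lost


if __name__ == "__main__":
    bad, restored, lost = demo()
    print("failed verification in primary:", bad)
    print("restored records:", sorted(restored))
    print("unrecoverable:", lost)
```

Without the tag, the altered press-guard setting would be read back as a valid recommendation; with it, the read fails verification and the backup copy is used instead. The record whose primary and backup copies are both bad is reported rather than silently replaced with whichever copy happened to be readable, which is the behaviour a safety-critical consumer of this data needs.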