Wednesday, March 9, 2011

What is the best approach to providing security?

The best way of providing information security
is to use a well-tried and tested approach to
meet your own specific security requirements.
This will ensure that you concentrate on the
important areas.

The British Standard BS 7799 helps businesses implement best practice in information security management. Part 1 of this standard is a code of practice. It was originally published in 1995, revised in 1999, and adopted as the international standard ISO/IEC 17799 in 2000 (it has since been renumbered ISO/IEC 27002). This standard provides a comprehensive set of security controls comprising the best information security practices in current use by organisations across the world and in all market sectors. Its objectives are to provide organisations with a common basis for information security and to enable information to be shared between organisations with confidence.

Part 2 of BS 7799 is a specification for an information security management system (ISMS); it was adopted as the international standard ISO/IEC 27001 in 2005. It sets out a four-step cycle:

  • Design the management system for protecting your information. This sets the policy and objectives of information security, assesses your security risks, evaluates the options for treating the risks, and selects controls from ISO/IEC 17799 to reduce the identified risks to an acceptable level. Spending on controls should be balanced against the value of the information and other assets at risk, and the implications of these risks for your business.
  • Implement the management system by putting into practice the selected controls to manage the identified risks. This includes implementing suitable procedures, providing appropriate awareness and training, assigning roles and responsibilities and deploying any necessary technical controls.
  • Monitor and review the management system to check it is still ‘fit for purpose’ to manage the risks the business faces. This includes monitoring how effective the controls are at managing the risks, re-assessing the risks taking account of any changes to the business, and reviewing policies and procedures.
  • Update and improve the management system to implement changes to existing controls as well as putting into practice new controls to ensure it is maintained as ‘fit for purpose’.

Both ISO/IEC 17799 and BS 7799 Part 2 can be used by any size of business in any sector, with any type of information system, whether manual or computerised.

Why is information security important?

Information is an essential resource for all
businesses today; it can be the key to growth
and success.

Sharing information is an increasing part of business activity. Your information is a valuable business asset. Its availability, integrity and confidentiality may be critical to the continued success of your organisation. Your security can be breached in a number of ways, for example by system failure, theft, inappropriate usage, unauthorised access or computer viruses.

The impact of an information security breach
may be far greater than you would expect.
Not only will the loss of sensitive or critical
business information directly affect your
competitiveness and cash flow, it could also
damage your reputation and have a long-term
detrimental effect. It might take an
organisation ten years to establish its
reputation and image as a trustworthy and
reliable business but a security breach could
destroy this in a matter of hours.

Information also needs to be protected if you
share it with other organisations.
For many businesses, the Internet has
replaced traditional paper based ways of
exchanging information. It has enabled
information to be sent and received faster,
more frequently and in greater volume –
not just simple text but also multimedia.
Today it is quite common for companies to
use the Internet for exchanging information
and for e-commerce.

The Internet brings its own security issues, which businesses need to consider. We automatically protect our houses and valuables from unauthorised entry, theft and damage; our information deserves the same care.

What information should be protected?

You should protect all information that is sensitive, critical or is of commercial value to your organisation. Information can exist in many forms. It can be:

• printed or written on paper
• stored electronically
• transmitted by post or using electronic means
• stored on tape or video
• spoken in conversation.

Three aspects of information

CONFIDENTIALITY

Protecting information from unauthorised
disclosure, perhaps to a competitor or to the
press.

INTEGRITY

Protecting information from unauthorised
modification, and ensuring that information,
such as a price list, is accurate and complete.

AVAILABILITY

Ensuring information is available when you need it.

Ensuring the confidentiality, integrity and availability of information is essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image and branding.

Information security means better business

The challenge now for senior security specialists is to develop an ongoing dialogue with the board about the importance of information security in the context of organisational goals.

Information is the engine of global enterprise, and fit-for-purpose information security is fundamental to managing global enterprise risk. The regulatory environment, especially the requirements of Sarbanes-Oxley, has pushed security onto the board's agenda.

Security standards and frameworks, such as the international standard ISO 17799 (now ISO/IEC 27002), are increasingly being adopted by third parties and business partners as proof of security credentials.

Users are waking up to security rights and expectations, causing public-facing organisations to tighten privacy policies. And the commercial imperative for information security is gaining momentum as more companies outsource or offshore operations and demand full mobility of their staff.

Organisations that are the most effective at information security tend to demonstrate three characteristics.

First, they are driven by results rather than activity.

Second, they earn credibility by candidly educating company management about security risks and basing their security investment on realistic assessments of risk.

Third, they are committed to independent standards and to measuring their departments' compliance with those standards.

Recognising that security should form part of overall business risk management, many organisations are now structuring and managing information security as part of operational risk management.

In other cases, it is seen as part of corporate security management which deals not only with physical threats, but also problems such as brand fraud.

Information security should, of course, have in place a framework for responding to incidents and threats. But it must also be prepared to take longer-term action to proactively defend the business against future threats and enable it to take full advantage of changing business opportunities.

Ultimately, a company's information security must be effectively integrated and aligned with the corporate strategy, objectives, business structure and style.

But to get that prize, security professionals must speak the business language and persuasively make the business case for the tangible and strategic dividends that strong security can undoubtedly provide in this global environment.