Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
Information security is characterized here as the preservation of:
a) confidentiality: ensuring that information is accessible only to those authorized to
have access;
b) integrity: safeguarding the accuracy and completeness of information and processing
methods;
c) availability: ensuring that authorized users have access to information and associated
assets when required.
Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.
Why information security is needed
Information and the supporting processes, systems and networks are important bus iness assets. Confidentiality, integrity and availability of information may be essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image. Increasingly, organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated.
Dependence on information systems and services means organizations are more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control. The trend to distributed computing has weakened the effectiveness of central, specialist control. Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. Information security management needs, as a minimum, participation by all employees in the organization. It may also require participation from suppliers, customers or shareholders. Specialist advice from outside organizations may also be needed.
Information security controls are considerably cheaper and more effective if incorporated at the requirements specification and design stage.
How to establish security requirements
It is essential that an organization identifies its security requirements. There are three main sources.
The first source is derived from assessing risks to the organization. Through risk assessment threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.
The second source is the legal, statutory, regulatory and contractual requirements that an
organization, its trading partners, contractors and service providers have to satisfy.
The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.
Assessing security risks
Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniq ues can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful.
Risk assessment is systematic consideration of:
a) the business harm likely to result from a security failure, taking into account the
potential consequences of a loss of confidentiality, integrity or availability of the
information and other assets;
b) the realistic likelihood of such a failure occurring in the light of prevailing threats
and vulnerabilities, and the controls currently implemented.
The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.
It is important to carry out periodic reviews of security risks and implemented controls to:
a) take account of changes to business requirements and priorities;
b) consider new threats and vulnerabilities;
c) confirm that controls remain effective and appropriate.
Reviews should be performed at different levels of depth depending on the results of previous assessments and the changing levels of risk that management is prepared to accept. Risk assessments are often carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level, to address specific risks.
Selecting controls
Once security requirements have been identified, controls should be selected and
implemented to ensure risks are reduced to an acceptable level. Controls can be selected from this document or from other control sets, or new controls can be designed to meet specific needs as appropriate. There are many different ways of managing risks and this document provides examples of common approaches. However, it is necessary to recognize that some of the controls are not applicable to every information system or environment, and might not be practicable for all organizations. As an example, 8.1.4 describes how duties may be segregated to prevent fraud and error. It may not be possible for smaller organizations to segregate all duties and other ways of achieving the same control objective may be necessary.
Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account.
Some of the controls in this document can be considered as guiding principles for information security management and applicable for most organizations. They are explained in more detail below under the heading “Information security starting point”.
Information security starting point
A number of controls can be considered as guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security.
Controls considered to be essential to an organization from a legislative point of view include:
a) data protection and privacy of personal information
b) safeguarding of organizational records
c) intellectual property rights
Controls considered to be common best practice for information security include:
a) information security policy document
b) allocation of information security responsibilities
c) information security education and training
d) reporting security incidents
e) business continuity management
These controls apply to most organizations and in most environments. It should be noted that although all controls in this document are important, the relevance of any control should be determined in the light of the specific risks an organization is facing. Hence, although the above approach is considered a good starting point, it does not replace selection of controls based on a risk assessment.
Critical success factors
Experience has shown that the following factors are often critical to the successful
implementation of information security within an organization:
a) security policy, objectives and activities that reflect business objectives;
b) an approach to implementing security that is consistent with the organizational
culture;
c) visible support and commitment from management;
d) a good understanding of the security requirements, risk assessment and risk
management;
e) effective marketing of security to all managers and employees;
f) distribution of guidance on information security policy and standards to all
employees and contractors;
g) providing appropriate training and education;
h) a comprehensive and balanced system of measurement which is used to evaluate
performance in information security management and feedback suggestions for
improvement.
Developing your own guidelines
This code of practice may be regarded as a starting point for developing organization specific guidance. Not all of the guidance and controls in this code of practice may be applicable.
Furthermore, additional controls not included in this document may be required. When this happens it may be useful to retain cross-references which will facilitate compliance checking by auditors and business partners.
affluenthr |
