A Case for Information Security


In today's world the information superhighway is to industry what the railroad was during the 19th century.  It is essential for companies to preserve vital records and keep communications systems running, regardless of the contingency -- human error, political upheaval, terrorism, employee sabotage or natural disaster.

Equally important in today's world is monitoring access to automation or telecommunications devices.  The theft of information and denial of service can be incredibly costly and destructive. Preserving the privacy of business communications is not only a necessity, but an absolute responsibility.  Due diligence requires no less. 

Information security is not a one-time project, nor is technology the total solution.  Information security is an ongoing function which requires top management support.  Policies, procedures and controls may have little or no value if employees do not know of their existence or understand the true meaning and purpose of those controls and policies.  A "perfect" security architecture will rapidly deteriorate without an ongoing employee security awareness program.  Like the "Loose lips sink ships" security awareness campaign of WWII, even a small exposure to security issues goes a long way towards protecting corporate information.

Business entities have grown from independent computer systems, with their applications isolated from the world, to integrated systems spanning a large variety of computer platforms connected via high speed telecommunications links worldwide.  Businesses which used to exchange sensitive information did so on paper via the mail system.  Now, however, inter-company and intra-company communication is largely electronic and requires specific security considerations.

Employees who once had access to a local computer system via a dumb terminal can now reach not only corporate data on any number of computer platforms, via LANs, WANs, PDAs or dial-up, but also, in general, the World Wide Web.  These new technologies, and the ease of access to all sorts and sources of information, bring with them a multitude of new exposures to corporate information security.  These exposures have created an entirely new spectrum of threats to the corporation.  Information access is easier.  The dissemination of information is infinitely faster via electronic communications than through the existing paper based record systems.  Information moves faster.  Information becomes more difficult to control.

Windows/NT (NT) is considered a secure and stable platform if the proper security measures are put into place.  Although there may still be some minor bugs in the NT operating system, there is no question that if the proper security steps and precautions are taken, sensitive information will be protected from unauthorized disclosure, modification or deletion.

ISO 17799[1] specifies aspects of an effective information protection program suitable to the needs of business and industry.  Protection in ISO 17799 is based on assuring the integrity, availability, and confidentiality of corporate information assets.  Assurance is attained through controls that management creates and maintains within the organization.  Ten of the controls are considered "Key Controls" because they are either legislatively required or considered fundamental building blocks.  Key controls are considered central to a successful program.

It is our intention to create a secure environment for your information while at the same time not negatively impacting the business needs of your employees and/or contractors.

"Security Technology does not equal a Security Program"[2]

10 Key Controls

§ Information security policy document

A written policy document should be available to all employees responsible for information security.

§ Allocation of information security responsibilities

Responsibilities for the protection of individual assets and for carrying out specific security processes should be explicitly defined.

§ Information security education and training

Users should be given adequate security education and technical training.

§ Reporting of security incidents

Security incidents should be reported through management channels as quickly as possible.

§ Virus controls

Virus detection and prevention measures and appropriate user awareness procedures should be implemented.

§ Business continuity planning process

There should be a managed process in place for developing and maintaining business continuity plans across the organization.

§ Control of proprietary software copying

Attention is drawn to the legal restrictions on the use of copyright material.

§ Safeguarding of organizational records

Important records of an organization should be protected from loss, destruction and falsification.

§ Data protection

Applications handling personal data on individuals should comply with data protection legislation and principles.

§ Compliance with security policy

All areas within the organization should be considered for regular review to ensure compliance with security policies and standards.

[1] ISO 17799, International Standard for Information Security Management


[2] Rik Farrow, Computer Security Institute


Available for consulting in the USA and Internationally

Contact Information

Bruce M. Johnston, CISSP, CCSA

7725 Biltmore Blvd., Hollywood, FL., 33023-5825

  [B] +1 954.967.4065  [M] +1 954.558.2083

[E] VGSCS@Bellsouth.net



 Copyright 1997-2004 VGS, Inc. Information Protection
Last updated: 02/17/05.