Vital role in business
Technology plays a vital role in business. Over the years businesses have become heavily dependent on technology; if that technology were taken away, virtually all business operations around the globe would come to a grinding halt. Almost all businesses and industries around the world use computers, for everything from the most basic to the most complex operations.
Information security is not the concern of large organizations and their IT departments alone; increasingly it affects every user of information in every business every single day, and a significant number of information security incidents occur.
The usefulness of information technology in business organizations is evident in the continued and radical technological improvements. Organizations benefit from linking the various organizational functions with the aid of I.T. For a manufacturing company, for example, linking procurement with the production department is a vital requirement, as these functions need to be matched to reduce the risk of overstocking. Similarly, marketing and sales efforts can be targeted according to the needs and demands of the target market, which can be achieved by using database management techniques.
Management can also benefit from the effectiveness of I.T. by being able to make informed decisions relating to the company and the market. Techniques such as data mining, data warehousing and decision support systems have added a new dimension to risk reduction and effectiveness in the planning process. I.T. is therefore no longer a stand-alone function of the organization; it has become the backbone of the overall structure. It not only supports other functions but also makes carrying them out more efficient and effective.
Since I.T. is a vital function in any organization, it is imperative to have safeguards in place to deal with the security issues facing I.T. and information systems. Knowledge of dangers and threats can itself be an effective safeguard, as such knowledge can often prevent a potential problem from escalating into a major incident.
How can organizations deal with the information security issues?
Threats are always present, and the rate at which they occur cannot be controlled. IT security safeguards, therefore, must be designed to prevent or minimize any impact on the affected IT system. Dealing with information security issues involves three kinds of activity:
Deploying a range of safeguards adequate to prevent the loss, theft, destruction, corruption, tampering, copying, deletion or modification of data and information. Threats may exploit or act through a vulnerability to adversely affect the IT system; safeguards are used to mitigate or eliminate vulnerabilities.
Being alert for and responding to incidents so that their impact is reduced by appropriate countermeasures and controls. These are the procedures and techniques used to prevent a security incident from occurring, to detect when an incident is occurring or has occurred, and to provide the capability to respond to or recover from it. A safeguard may be a password for a user, a backup that provides offsite storage of copies of critical files, an audit trail that allows specific actions to be associated with individuals, or any of a number of other technical or procedural techniques.
Assessing the damage, identifying the source of the breach, and repairing and correcting it. This means recovering as quickly as possible, evaluating the breach, and reviewing and updating information security safeguards to reduce the waste, fraud and abuse that result from a breakdown in IT security.
In order to achieve this it is necessary to establish a formal structure for managing Information security within an authorised framework. Individuals must be accountable for their actions. If this is not followed and enforced, it is not possible to successfully prosecute those who intentionally damage or disrupt systems, or to train those whose actions have unintended adverse effects. The concept of individual accountability drives the need for many security safeguards such as user identifiers, audit trails, and access authorization rules.
Useful tools for I.T. security
Firewalls and Separation of Duties - Firewalls and separation of duties have similar structures and complementary objectives: a firewall is a technical safeguard that provides separation between activities, systems, or system components so that a security failure or weakness in one is contained and has no impact on other activities or systems (e.g., enforcing separation of the Internet from a Local Area Network). Separation of duties similarly provides separation, but its objective is to ensure that no single individual (acting alone) can compromise an application. In both cases, procedural and technical safeguards are used to enforce a basic security policy that high risk activities should be segregated from low risk activities and that one person should not be able to compromise a system.
Quality Assurance/Quality Control - Quality Assurance and Quality Control are two processes that are used to ensure the consistency and integrity of security safeguards. Specifically, these processes are intended to ensure that security countermeasures perform as specified, under all workload and operating conditions.
Security Training - Security training is the sum of the processes used to impart the body of knowledge associated with IT security to those who use, maintain, develop, or manage IT systems. A well-trained staff can often compensate for weak technical and procedural safeguards. Security training has been demonstrated to have the greatest return on investment of any technical or procedural IT security safeguard.
Zoning/Compartmenting - Zoning/Compartmenting is a concept whereby an application is segmented into independent security environments. A breach of security would require a security failure in two or more zones/compartments before the application is compromised. This layered approach to security can be applied within physical or technical environments associated with an IT system.
Many IT security incidents are preventable if individuals incorporate three basic concepts into their day-to-day activities:
one, awareness - individuals should be aware of the value of the assets they use to do their job and the nature of associated threats and vulnerabilities; two, compliance - individuals should comply with established safeguards (e.g. scanning diskettes, changing passwords, performing backups); and three, common sense - if something appears too good to be true, it generally is.
IT security safeguards are intended to achieve specific control objectives. These objectives are contained within security policies that should be tailored to the needs of each IT system, and IT security procedures may be documented in a security plan. The level of security implemented is determined by the importance and sensitivity of the information the organization maintains: some high-level security measures are very expensive to implement and may not be required for an ordinary database or I.T. function. Some basic security policies, however, are required for every organization.