).
Copyright HCi Consulting,
2001-3.By Ron Byrne
Information security covers a much wider scope than most people imagine. Is your view of the iceberg or just the tip.
Most people, when they hear the term “information security”, usually focus on single events like website hacking, procuring credit card details, email viruses or the like. Most people immediately think of some incident in which they themselves were the victim.
The fact is that these are only the tips of the information security iceberg. To fully appreciate the importance and scope of information security we need to widen our view considerably. Information security is more than just IT security. The focus of information security is not on the security of an organisation’s IT operations per se, but on the organisation’s ‘Information Assets’.
Information assets’ can be a variety of items such as;
business records
client and contact databases
personnel information
financial records and transactions
information databases
e-commerce transaction details
Most people underrate information security because they don’t see it from this wider perspective. Information security covers the whole of an organisation’s information.
There are three letters to remember when thinking of information security; they are C I A. This has nothing to do with men in black suits. CIA stands for Confidentiality, Integrity and Availability, the three main checklist items when considering information security. Try them now:
Confidentiality. Can you guarantee that your confidential information will remain confidential or is it open to compromise by unauthorised persons gaining access to it? This access does not have to be deliberate or malicious, it could occur accidentally because you have provided insufficient control over its access. Regardless of the intent, the impact can be just as devastating to a business.
Integrity. Can you guarantee that all your information will remain free from unauthorised change so that it can always be relied upon for accuracy. Again, this does not have to be deliberate. Without adequate control, well-meaning but unauthorised staff can alter data without malicious intent.
Availability. Can you guarantee that your information (whether confidential or not) will always be available to those who need it, when they need it. There are few things more disruptive to business than for the staff being unable to access the computer system for a period.
This last point raises the unpopular twin spectres of Business Continuity and Disaster Recovery. What if your entire premises are destroyed? What are the critical parts of your business activities? How long would it take to reconstruct your entire IT infrastructure on another site? What resources would you need to do it? What critical systems would you need first, what systems can wait? You need a plan which enables your staff to quickly assess damage, and institute a planned recovery process. This process may go as far as the establishment of a mirror site where critical IT resources are duplicated.
It is common to view this scenario as an 'acceptable risk', that is, it can’t happen to me. It will continue to be viewed as an acceptable risk – that is, until it happens. Then it is an unacceptable risk. But too late!
The CIA principles should guide your thinking about information security. Remember that a security breach need not be a malicious act; it could be as innocent and simple as a power outage or a failure to set network access privileges correctly, or it could be the total loss of all your facilities through a disastrous event, natural or unnatural.
The only defence you have against such events is to:
Deter. Have in place the means to avoid or prevent the occurrence of preventable information security breaches.
Protect. Be in a position to safeguard your information assets from security breaches.
Detect. Equip yourself to rapidly detect the occurrence of security breaches.
Respond. Be ready to react to rapidly overcome the effects of security breaches.
Recover.
Be able to restore the integrity, availability and confidentiality of
information assets to their expected state.
Was it Edsel Murphy who said, “There is a standard for every endeavour except the one you are engaged in”? Well, the good news is that there are several standards for information security management (mainly AS/NZS 4444.2:2000). But the bad news is that, like most standards, these are too brief and all-inclusive to be of any practical use. They need a lot of interpretation according to the type of organisation and the scope of its activities.
How do us mere mortals interpret the standards?
Fortunately, the NSW State Government has, through its Office of
Information Technology (OIT), has published a set of Guidelines for
Information Security. These
documents mirror the standard and present it in the form of practical
guidelines for their implementation in NSW State Government departments.
The
Information Security Guidelines documents are presented in three parts:
Information
Security Part 1 - Risk Management.
This document is a guide to the process of looking at your
information assets, assessing their importance to your organisation and
the risks involved.
Information Security Part 2 - Examples of Threats and Vulnerabilities. This document lists security vulnerabilities under the headings of Natural Disasters, Environmental Conditions, Deliberate Threats and Accidental Threats. The document lists 38 threats ranging from vermin attack to malicious destruction of data and facilities.
Information
Security Part 3 - Baseline Controls. This document approaches
the issue of security management by establishing a series of controls or measures which you can implement to help your
organisation understand and deal with security issues.
You can download these three documents in pdf form from the OIT website at http://www.oit.nsw.gov.au/pages/4.3.Guidelines.htm
You don’t have to be a Government department to take advantage of the work of the OIT. These guidelines are in the public domain and conveniently ‘unpack’ the standard into terms that you can understand.
The three most positive steps you can take are:
read the OIT guidelines and take a long hard look at your information assets and their security vulnerabilities;
commit to a program of developing, documenting and implementing a set of information security policies and procedures based on the baseline of the OIT guideline Part 3;
implement these policies and procedures throughout your organisation and commit to a program of review and improvement to refine the policies and procedures.
The successful completion of these three steps will enable you to prevent most security breaches and be prepared to deal with, and recover from, those that you can’t prevent.
Finally beware of wolves in sheep’s clothing. There are those who will offer you a packaged generic set of security policies and procedures. No two organisations are the same and the generic approach severely undervalues the benefits of working through these issues yourself and developing your own documentation.
I can hear you saying, “You must be joking!. We don’t have the time or the resources to do that!”. This is the case with most organisations. Their key personnel are too busy doing what they do to spend the time documenting a set of information security policies and procedures. And yet they are the key people who should be providing input.
The answer is to involve a professional technical writing company that can work with management and staff to develop and document a full set of information security policies and procedures.This article
may be reproduced only with the permission of HCi (email
).
Copyright HCi Consulting,
2001-3.
HCi information development - www.hci.com.au
(technical writing, quality management, knowledge management)