Compulsory Cost-effective Controls

by Mr. Julian Curmi B.Sc. ACIB CISA CISSP - Information Security Officer
email: curmimontaldo@netscape.net

Information is the most important asset any organisation holds, whatever form it takes: electronic, hard copy or a person's knowledge. However the information is stored, protecting it is of paramount importance in order to provide business continuity, maximise business opportunities and mitigate the risk of loss or damage. Information security has three core properties or requirements: confidentiality, integrity and availability.

Confidentiality is the assurance that information is not disclosed to unauthorised individuals or processes.

Integrity is the assurance that information remains accurate and complete, and is modified only in authorised ways.

Availability is the timely, reliable access to data and information services to authorised users.

Authenticity and nonrepudiation are often treated as a fourth requirement: the assurance that business transactions, as well as information exchanges between enterprise locations or with partners, may be trusted and cannot later be disowned.


Confidentiality

Information requires protection from unauthorised disclosure. Confidentiality is concerned with controlling who may read information, whether it is held in computer data and program files or on hard copy such as traditional files and documents.

Confidentiality access control models deal with who may access what data in a computer system; privacy, sensitivity and secrecy are the issues here. Examples include the protection of personnel data (financial, medical, legal), marketing or business plans, product announcements, product formulae, and manufacturing and process development techniques.


Integrity

Information must be accurate and complete, and requires protection from unauthorised, unanticipated or unintentional modification. Integrity also covers ensuring that computer programs are changed only in a specified and authorised manner.

The more commonly agreed-upon objectives of integrity include:

• ensuring the consistency of data values within a computer system;

• recovering to a known consistent state in the event of a system failure;

• ensuring that data is modified only in authorised ways, whether by users or by the system;

• maintaining consistency between information internal to the computer system and the realities of the outside world.

Integrity access control models deal not only with who may access what data but also with how and when the data is accessed, that is, with accountability.


Availability

Information must be available on a timely basis, wherever it is needed, to meet business requirements or to avoid substantial losses. Availability deals with assuring that authorised system users have uninterrupted access to information and system resources such as data, programs and equipment.


Authentication and nonrepudiation

Authentication is the process of verifying that a user or process is who or what it claims to be. Deciding what system resources an authenticated user or process is then allowed to access is authorisation, a separate step that depends on authentication having been done correctly. Nonrepudiation provides the assurance to senders and receivers that an exchange between the two cannot subsequently be denied by either party.

So why is there need for information security?

Information and the supporting processes, systems and networks are important business assets. At the same time, organisations and their information systems and networks are continually faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become common since the advent of the internet.

Dependence on information systems and services means organisations are more vulnerable to security threats. Assuring the confidentiality, integrity and availability of information is therefore essential if an organisation is to maintain a sustainable competitive advantage, or indeed to remain in business at all.

The realisation that an organisation's own employees are usually the biggest danger to its information technology systems, often through lack of awareness and training, has prompted organisations around the world to start comprehensive information security awareness programmes. This human dimension of information security cannot be solved entirely by technical and procedural measures, regardless of how good those measures are.

Internal fraud remains a real risk. A global fraud survey found that 82 per cent of the worst incidents of fraud were perpetrated by employees, acting either alone or in collusion with third parties.

A culture of information security must be created within an organisation such that a human firewall is created based on everyone's awareness of his or her individual information security responsibilities.

This is why information security awareness has evolved into corporate information security plans and a policy, starting from the moment an employee is taken on board.

Organisations are being challenged to make information security a way of life, because without such an information security culture they may remain exposed.


Information security best practices

The establishment of international best practices for information security management has given organisations a way to check that they are addressing all the main areas of information security. Best practices have become a framework for information security management: rather than reinventing the wheel, organisations may now adopt a framework that has been tried and tested.

The MSA ISO/IEC 17799:2000 framework, derived from Part 1 of the British standard BS 7799, has been adopted by the International Organization for Standardization as the international standard for information security management. The Malta Standards Authority has adopted it as the official Maltese standard.

The standard provides a set of recommendations to initiate, implement and maintain adequate information security within an organisation. Recommendations from this standard should be adopted in accordance with applicable laws and regulations but, more importantly, on the basis of the risks assessed for the organisation.

The main components of this framework are: security policy; organisational security; asset classification and control; personnel security; physical and environmental security; communications and operations management; access control; systems development and maintenance; business continuity management; and compliance.

To ensure that the perceived risks are managed effectively, a comprehensive risk-assessment programme must be in place. It must assess the risk to the confidentiality, integrity and availability of information, as well as the known vulnerabilities introduced by new systems and software.

To be effective, the process should be ongoing, and it should recommend sensible countermeasures and controls that reduce the assessed risks to manageable levels.


Information security policies

It is important that an organisation has a complete suite of information security policies that forms part of its overall information security governance framework, together with standards and guidelines that apply to all employees regardless of position or grade. They are necessary to provide the guidance and foundation for good security practice. To be effective, they must be realistic, based on an assessment of the risks that could undermine information security within the organisation. Policies that attempt to impose unrealistic controls become worthless and unenforceable, and may stifle new and innovative ideas that support the organisation's business initiatives. Policies that are difficult to understand or too complex will be ignored or misunderstood.

A high-level policy document, endorsed by senior staff, provides fundamental guidance in matters relating to information security and shows all staff that the subject has support at the highest level within the organisation. Other, more specific documentation (standards and guidelines) provides additional detail on particular aspects of information security and the associated risks; this documentation must be reviewed periodically to keep pace with changes in technology.

Once information security policies are in place, the big question remains: are staff reading and understanding them? A comprehensive automated programme should be in place as the basis for computer-based training and competency testing. Periodically, all employees should be required to answer a series of questions that test their knowledge of the information security matters related to their responsibilities. Only then can management be assured that all employees are aware of, and knowledgeable about, their information security responsibilities.

Although information technology is highly dynamic, the basic information security principles have not changed much. It is essential, however, that information security management and risk assessment are ongoing processes, regularly reviewed and updated to take account of the inevitable changes in technology. The controls chosen to mitigate the assessed risks should be cost effective, striking a balance so that they do not hinder the achievement of business objectives while still giving management the assurance of a proactive and reliable information security management framework.
