Importance of Information Security - Essay Example

? Importance of Information Security The internet is a global collection of networks accessible by various computerhosts in varied ways. Therefore, organizations and individuals alike could easily access any point of the internet irrespective of the geographic or national boundaries or time. Nonetheless, with this convenience comes a myriad of risks including the risk of having valuable information misused, changed, stolen or lost. Electronically recorded information available in a network becomes more vulnerable than the printed information kept in a file behind a locked cabinet. Malicious persons could tamper or steal the information without touching any piece of the paper and could also modify the files and run own programs without their unauthorized activity being discovered. Information security has been inherently recognized as interdepartmental and interdisciplinary and quickly rising to be inter-organizational. For instance, efficient communication encryption system calls for human resources ideas, management ideas and computer science ideas. In addition, other business partners could be involved. This complexity demands coordination and clear cut roles and responsibilities for organizational units and the involved staff. There are important concepts in as far as information security is concerned, namely; availability, integrity and confidentiality. Unauthorized copying or reading of information leads to loss of confidentiality. Similarly, information in an insecure network could be corrupted resulting in loss of integrity. Loss of availability would result when information has been completely erased and becomes inaccessible (Kissel et al., 2008). Risk analysis and management The maiden step in understanding the risks that an organization’s information security faces would be risk analysis. The aim would be to align the business objectives and security objectives to attain competitive advantage (Pesante, 2008). It would also be inform the organization on its budgetary allocation for security. With the understanding of the net worth of its assets, an organization could estimate the expenditure on protection of these assets. Risk analysis involves the identification of threats, assessment of possible loss so as determine which parts need implementation of information security. Therefore, the first step in information security analysis would be the identification of assets and their respective values. This would mitigate spending much more on security than the value of assets being safeguarded. The major task would be to determine how much a company would incur not to safeguard its assets. The organization would then proceed to identify threats and vulnerabilities for each and every asset. This would include identification of vulnerabilities which could affect the integrity, availability and confidentiality of each asset. These should be properly categorized so as to prioritize each asset against the possible risk with Kissel et al., (2008) indicating hardware, software and personnel as possible categories. The risk assessment team would then identify business impact of these threats by calculating frequencies and probabilities of the vulnerabilities. Finally, countermeasures and solutions would be identified so as to reduce potential threat posed by the identified threats. In order to reap the full benefits of any security policy, Pesante (2008) proposes that all the members of staff of a business unit should be made to fully understand the repercussions of violation such a policy which would expose the organization’s systems to malicious attackers. Revision of the security policy would go a long way in enforcing its effectiveness through a review of critical factors. Of importance would also be to ensure that the contacts for Information Security Office are available to all concerned parties. Implementation of information security policies Information security policy should only be implemented after consensus has been reached. The security policy should be available to all members of staff at any time. The staff should then be educated and the impact of such education reviewed using surveys or any other appropriate methods. Security threat management involves checking on desktop or physical threats. Usage of workstations, access to restricted areas and handling sensitive information should be described. System access would require that staff safeguard their passwords and user IDs; they should be trained on how to create strong passwords. Viruses continue to pose serious threats on business data and would keep evolving to be more sophisticated and devastating. Prevention would be more appropriate as opposed to action after destruction. Antivirus software has to be regularly updated and used in regular system scanning. Freeware and other software from untrustworthy sources should never be installed in the organization’s computer systems. Encryption would also ensure information security. Importance of information security Information security has enabled information reach persons who could be trusted with such through authentication and authorization. Authentication allows for prove of identity of the user using appropriate tools such as passwords, smartcards or biometrics. Authorization comes in handy in determining the authority that a user has in engaging in a particular activity such as running a program. Authentication and authorization work together with authentication preceding authorization. Non repudiation prohibits a user from refuting authentication once an activity has taken place in their name (Kissel et al., 2008). As such, an organization instills responsibility among its employees to ensure information security. The greater proportion of business value banks in its information hence the importance of being critical on information security. Information security should therefore not be considered as an information technology issue but a business issue. According to Pesante (2008), information gives the basis of a business’ competitive advantage. Even in not-for-profit organizations, the increased awareness on power of information and identity theft imposes need for information security in the operations of such organizations. Valuation and protection of information thus constitute the most critical tasks for organizations operating in the modern environment. The value of information security reflects in the cost of securing organizational information. If valuation and protection of information could be easy, then management solutions on information security would be found off-the-shelf. The factors influencing information security are unique in each organization: the personnel, applied information technology and physical location. Similarly, information security has an impact on each behavioral and structural aspect of an organization. Any lapse in either of these aspects could provide an opportunity for information to be stolen. Users of the organizational network, whether internal or external make unique contribution to organizational information security. Conclusion Having defined the roles and responsibilities involved in information security, it would be important to document such details. Corporate governance, being critical in modern organizations, would call for documentation of these policies. Effective information security ensures that a business gains competitive advantage in its operations. References Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J. & Gulick, J. (2008). Information Security. Revision 2. Gaithersburg, USA: National Institute of Standards and Technology, pp. 800 – 864. Pesante, L. (2008). Introduction to Information Security. Carnegie Mellon University. Retrieved From from http://www.us-cert.gov. Read More