
1. What is information security?

Information security is about protecting the information assets of your organization from potential loss, damage, destruction or theft. Information assets cover more than you might think and include:

- information held or maintained by your organization,
- information systems and equipment used to process and store that information,
- software applications used to access or manipulate information,
- information hardware (such as telephones and computers),
- information management (such as the procedures for handling information).

In this section, we'll look at each of these in turn and suggest some ways of promoting information security.

Easy i Limited

The three main concerns with regard to protecting these assets are:

- confidentiality of information,
- integrity of information,
- availability of information.

Confidentiality
Information security is about ensuring that information is accessible only to those authorized to have it.

Importance of confidentiality
Organizations use and maintain a lot of sensitive information, such as information about:

- customers,
- staff,
- business plans,
- financial performance.

The consequences can be very serious if this information gets into the wrong hands or is disclosed when it shouldn't be. Keeping such information confidential is vital.

Methods for protecting confidentiality


Organizations use a number of different procedures and controls to maintain confidentiality. Here are some examples:

- Locked screensavers - to prevent unauthorized access to confidential computer data.
- Clear desk policy - so sensitive or confidential material is not left in view on unattended desks.
- Secure storage facilities - where confidential information can be locked away.
- A clear confidentiality policy - making confidentiality a contractual requirement for all staff.

Integrity
Information security is about safeguarding the accuracy and completeness of information and protecting the systems used to process it.

Why information and systems integrity matters


Organizations hold vast amounts of information and draw on this all the time when making important decisions. If information systems fail or are damaged in any way, the information stored within them may also be damaged. In serious cases, the damage can be irretrievable.

Protecting the integrity of information and information systems to minimize the risk of damage is therefore a high priority for all organizations.

Methods for protecting integrity


Typically, organizations take a number of precautions to protect the integrity of their systems and the information within them. Here are some examples.

- Backup routines: Making regular backups provides protection against the unexpected destruction of systems or data.
- Virus checks: Organizations use virus-checking software to track down and eliminate viruses and other harmful software before they do any damage.
- Installation rules: Strict installation procedures help organizations to control what changes are made to the system and by whom.
- Business continuity plans (disaster recovery plans): Planning for disaster recovery, so the organization is able to continue operating after a major systems failure or other disaster.

Damaged information is obviously unreliable and of limited value when it comes to making decisions for the business or responding to customers' needs.

Availability
Information security is about ensuring authorized users have access to information and associated assets when required.

Why information must be available


People use information all the time in their work. They need the information resources of their organization to do their jobs. If access to relevant information and facilities is interrupted, many people are unable to do their jobs properly. In serious cases, such as a major systems failure, the non-availability of information could completely paralyze an organization.

Methods for maximizing availability


Making information available while protecting it from unauthorized eyes is a delicate balancing act. Information security aims to maximize the availability of information and systems to authorized people, while keeping unauthorized people out. Here are some common methods.

- Security guards: A building with 24-hour security means authorized people have access to work facilities at all hours, while unauthorized people are kept out.
- Swipe cards: Swipe card or keypad access control only allows those who are authorized to gain entry. However, this is only effective if the card or code is kept out of the hands of unauthorized people. Never reveal your keypad code and keep your access card in your possession at all times.
- Passwords: Password controls on computer systems help to regulate who can access and manipulate the data held.
- Classification: Some information is intended to be available to everyone. However, if sensitive information is classified according to its sensitivity, access to it can be restricted to those who should see it.

That's why it's so important to maintain and protect the availability of information and other resources.
