Information Security

In today's business world there is an ever-growing reliance on information technology. Businesses and organizations rely on IT for distributed processing, the automation of tasks and electronic commerce. Processing that would have been done by hand years ago is now done completely on computers. This has evolved so much that many tasks are no longer feasible to conduct by hand. In fact, in some cases it would be impossible. Typical business objects include maximizing profit, having high sustainable growth, and keeping costs low. In information security, we are aiming to preserve the confidentiality, integrity, and availability of information from disclosure, modification, destruction or misuse. Businesses are at risk of loss of income, loss of competitive advantage, or possibly legal penalties if no compliant with regulations.

Why information security? Information is an essential resource for business today. Have the right information at the right time in the hands of the right people is often the difference between profit/loss, and success/failure. We must understand that information is a key business asset and preserving confidentiality, integrity, and availability is crucial to the continued success of the business. Once again, manual processing is no longer a feasible option. In the event of a failure, the employees would loose productivity and it would be very costly to the company. Information security can help protect from confidentiality breaches. In the event of the unauthorised disclosure of schematics, a business could loose millions to a competitor and loss of R&D time and money. Ensuring data integrity is also essential. Information security is also important to detect any violations that may occur, or mitigate any consequential damages that may occur from a breach. Also, information security practice can aid in the planning and facilitate a recovery strategy, ensuring that impact and loss in minimized. In the event of an investigation, having proper information security procedures in place can assist in the process of gather evidence.

If managed properly, information security can be a business enabler. Rather than the 'badge and gun' attitude, information security professionals should approach it from a business perspective. How can information security save the organization money? How can it increase customer loyalty, etc. If information security does not seem to help an organization, and only restrict, it will not be a priority for executive management. Gaining top management support is crucial to creating a security environment.

The recommended approach for information security management includes setting a security policy, conducting a risk analysis, managing those risks, setting appropriate policies and procedures, monitoring, and developing a secure awareness and training program. The traditional information security mechanisms include: access control, encipherment, authentication, policies, procedures, and training.

Information security is important, but why management? As security professionals, we must realize that technology is only part of the solution. Security is mostly a people problem, and people need managing. Policies, procedures, and creating an information security centred culture in an organization can often go much farther than technology alone can provide. Security is only as strong as the weakest link in the system. Often, the weakest link is management. Information security management provides managers with the appropriate information to make decisions based on knowledge and facts, rather than feelings. Managers no longer should make decisions based on fear, uncertainty, and doubt, but make decisions which apply appropriate controls for the information at risk. Appropriate means a balance between controls/convenience, and costs of control/potential loss. Information security should not be only a set of restrictive controls, it should be a business enabler.

Management activities such as risk analysis, ownership, policy creation/enforcement, procedures, should all be part of an overall information security program. Often, the best way to approach management is using well thought-out standards and methodologies such as ISO17799 and the ISF Standards. Information security exists in business, only to support business. We should realize that.

Written by:
Benjamin D. Thomas

LinuxSecurity.com Feature Extras:

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

The Tao of Network Security Monitoring: Beyond Intrusion Detection - To be honest, this was one of the best books that I've read on network security. Others books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant.

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

 

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!