Information security describes all measures taken to prevent unauthorized use of data. Unauthorized use includes the intentional or unintentional disclosure, alteration, substitution, or destruction of that data.
Information Security covers more than the systems holding the data. It includes establishing the organization's policies and procedures on IT Systems Security, Internet Security, Access Control, Enterprise Data Security, and much more. It aims to safeguard information and information systems from anyone, including employees, consultants, suppliers, customers, and the well-advertised threat of hackers.
Companies revolve around the handling of data in some manner. Personal staff details, client lists, salaries, bank account details, and marketing and sales information are commonly stored on file shares and in databases. This information is critical to running your business, and so are the strategies you develop to protect it.
Effective Information Security Strategies:
Almost all computing infrastructures are vulnerable to something, and machines on the net are probed continually using freely available software tools.
According to the 2006 CSI/FBI Computer Crime and Security Survey:
Virus attacks continue to be the source of the greatest financial losses. Unauthorized access continues to be the second-greatest source of financial loss. Financial losses related to laptops (or mobile hardware) and theft of proprietary information (i.e., intellectual property) are third and fourth. These four categories account for more than 74 percent of financial losses.
“The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about the Internet is that you’re connected to everyone else.”
Author Unknown
Viruses are often brought inside an organization directly by employees on their laptops. They can also arrive in e-mail attachments that carry no file extension and no discernible payload data for the firewall to key on, be embedded in a document, or be sent encrypted in an e-mail so that the packets pass through the firewall and into your network.
Firewalls and virus protection are part of a solid security architecture, but they are not the only things needed or required. We are, after all, discussing Information Security, which is a holistic view of your organization and its business processes. This means that security is part of the planning process and not an ‘add-on’ after the fact. It is no longer enough to merely add virus protection to the architecture once an infection has occurred. Instead, policies are written, approved, and implemented, and user awareness training occurs, all before the viruses hit.
Executive and management buy-in is mandatory! Without their support the program will struggle.
The true foundation of any solid Information Security Program is the Risk Assessment. Identify critical assets (people, phones, information, etc.) and build your Program around protecting them.
Identify and document core processes, including a security policy.
Determine acceptable levels of risk.
Identify and implement appropriate mitigating controls.
Create and test an incident response plan.
Educate users and conduct awareness training on security and your security program.
Establish meaningful metrics for Information Assurance, which the National Security Agency defines as the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Review and assess your program regularly and update as appropriate. This includes audits and vulnerability assessments from outside, unbiased third parties.
For questions, comments or for more information you can contact us any time via email or phone (816-471-3553).