An Introduction to Information Security
Information security in ISO/IEC is formally defined as "the preservation of the confidentiality, integrity, and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation, and reliability can also be involved".
The role of information security is to help an organisation understand the value of its information assets, assess the risks to those assets, and develop appropriate policies and procedures designed to effectively exploit and protect those assets.
Significant changes in the past 10-15 years have contributed to the increased importance of information security for organisations of all sizes, including:
- The rapid development of new open networks (mobile, satellite and, of course, the Internet) means that electronic information can be exchanged and transmitted further and faster than ever before.
- New and smaller devices like mobile phones, USB drives, and laptops mean that large amounts of data can exist in many different locations.
- Advances in technology and systems architecture have created new and distributed information systems built to exploit new technology and new networks.
Nearly all organisations now have at least some critical dependency on information systems such as finance, production, sales, order processing and marketing systems - systems without which a business could not function. The value of information in these systems also increases when combined with management, executive and knowledge information systems - systems and information that help a company to make decisions and maintain its competitive edge.
Paradoxically, while advances in technology change the way organisations can exchange information and trade, the security of information has actually decreased proportionally. Systems have moved out of easily defended data centres and the mainframe and into complex distributed environments where boundaries and systems are less easy to define and secure.
What's more, many systems were built before this new environment, and were not built with security in mind.
As more 'value' has moved into electronic form, the threats of theft, fraud, malicious software, viruses, Trojans, denial of service etc. have all risen proportionally in the last 10 years.
Even more worrying is the speed with which threats can propagate in this new interconnected landscape. In 2003, the SQL Slammer virus infected 90% of vulnerable machines in just 10 minutes.
Legal and regulatory requirements have also increased dramatically in the information age. Privacy laws (UK DPA 1998), computer misuse laws (UK CMA 1990) and intellectual property laws, combined with more strenuous industry and corporate governance regulations (Sarbanes-Oxley, Basel II, Turnbull), have been introduced and have increased the responsibilities of organisation owners and stakeholders to include compliance with applicable laws and regulations.
In summary, organisations today must understand the importance of information security and the risks they face. They must obtain and understand expert advice, make decisions and exercise judgement, all with the aim of establishing a formal information security management system (ISMS) - a system that will satisfy the following three main requirements:
- To adequately protect information assets from the new threats and risks that have emerged as a result of the new and complex interconnected manner in which data is transmitted, stored, exchanged and traded.
- To ensure compliance with relevant local laws and regulations.
- To protect and exploit information assets in the same way that any other asset is exploited - helping an organisation to maintain smooth operations, as well as its competitive edge.