Security of Information
Assessing business risk is the key task in designing an Information Security Management System. This can only take place with the full cooperation of business managers and directors. Securing corporate information has extraordinary implications across the entire organisation. It is very easy to think that a firewall, some good anti-virus software and password-controlled access to IT systems are all that is required. That is a good start, but there is a great deal more to deal with once you get into the detail.
If you consider that information security is about the confidentiality, the integrity and the availability of your data and applications, then this is a good place to start in thinking the process through. Each of these areas requires careful consideration before any decisions or policies can be created or managed.
The key area to look at is business risk. Before any decisions can be made about security products, security policy, password policies and the like, your business needs to understand what constitutes a risk. Analyse each risk in terms of its impact on the business, the likely cost of an incident and the cost of mitigating it.
Confidentiality
This is what most people think of when they talk about information security, which is one of the reasons that we prefer to turn these words around and talk about the security of information.
Different organisations have different attitudes to confidentiality. Some organisations are very open about what they do and how they do it, but they still have to respect the laws of the land, and there is always going to be information that must be kept confidential. Employee records are an obvious example.
The public sector has a broad range of confidentiality levels from top secret all the way through to allowing open access. Rules have to be set and applied throughout the organisation to ensure that the correct level of access is maintained and that will include physical access as well as user access through the computer.
Integrity
Ensuring that the backup of any computer is up to date and accurately reflects the state of play is vital. If a system fails in the middle of a database transaction, what is the state of that particular activity? If a disgruntled employee changes one or more records in the accounts system, what impact might that have on the business?
If you can't trust the information in your database, it becomes a liability rather than an asset. Maintaining integrity is a major goal of securing your information and one whose importance must not be overlooked.
Establishing who has accessed what, when and why is a question that needs systems support to answer. Security log management is a key application area, and one that we will be seeing a good deal more of in the future.
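The two integrity questions above, the state of a transaction that fails part way through and the detection of records altered outside the normal process, can be illustrated with a small ledger. This is an added example, not part of the original article; the table layout, the constructed sample accounts and the helper names (open_ledger, transfer, unaudited_accounts) are assumptions made for the illustration. It uses SQLite, which is bundled with Python.

```python
import sqlite3


def open_ledger(opening):
    """Constructed sample ledger: opening is {account_id: (owner, balance)}."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.execute("CREATE TABLE audit (seq INTEGER PRIMARY KEY, actor TEXT, "
                 "account_id INTEGER, old_balance INTEGER, new_balance INTEGER)")
    with conn:  # the opening balances and their audit rows commit together
        for acct_id, (owner, balance) in opening.items():
            conn.execute("INSERT INTO accounts VALUES (?, ?, ?)", (acct_id, owner, balance))
            conn.execute("INSERT INTO audit (actor, account_id, old_balance, new_balance) "
                         "VALUES ('opening', ?, NULL, ?)", (acct_id, balance))
    return conn


def transfer(conn, actor, src, dst, amount):
    """All-or-nothing: both balance changes and both audit rows commit, or none do."""
    try:
        with conn:  # commits on normal exit, rolls back on any exception
            for acct, delta in ((src, -amount), (dst, amount)):
                (old,) = conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()
                conn.execute("UPDATE accounts SET balance = ? WHERE id = ?", (old + delta, acct))
                conn.execute("INSERT INTO audit (actor, account_id, old_balance, new_balance) "
                             "VALUES (?, ?, ?, ?)", (actor, acct, old, old + delta))
        return True
    except sqlite3.IntegrityError:
        # The CHECK constraint tripped mid-transaction; SQLite discards every
        # change made so far, so the ledger is left exactly as it was before.
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def unaudited_accounts(conn):
    """Integrity check: accounts whose stored balance differs from the last audited value."""
    rows = conn.execute(
        "SELECT a.id, a.balance, (SELECT new_balance FROM audit WHERE account_id = a.id "
        "ORDER BY seq DESC LIMIT 1) FROM accounts a ORDER BY a.id")
    return [acct for acct, stored, audited in rows if stored != audited]


if __name__ == "__main__":
    conn = open_ledger({1: ("alice", 100), 2: ("bob", 50)})
    print(transfer(conn, "clerk", 1, 2, 30), balances(conn))     # True {1: 70, 2: 80}
    print(transfer(conn, "clerk", 1, 2, 500), balances(conn))    # False, unchanged
    conn.execute("UPDATE accounts SET balance = 999 WHERE id = 2")  # change made outside transfer()
    conn.commit()
    print(unaudited_accounts(conn))                                # [2]
```

The last check reconciles stored balances against the audit trail, which is how a direct edit to the accounts table that bypassed the application shows up.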
Availability
So you've ensured that your data can be relied upon and that it's not getting into unauthorised hands, but what if you can't access it? What if you can access it but the access is so slow that it becomes unusable?
Closely linked with our network management view, availability is another key area that needs constant monitoring. Different organisations will have different critical areas. Hospitals need access to patient records and X-rays as they move around the network. Investment companies need up-to-the-minute information on markets and prices. Energy operators need access to their control systems to monitor and maintain safe and economic operation.
From poorly performing wide area networks to denial of service attacks and any number of other potential problems, the availability of systems, data and applications is a top priority and a major potential business risk.