Ways to Implement Information Security in an Organization

By CIOReview | Tuesday, September 13, 2016

Information is a vital asset and is the backbone of every organization. The value of information is interpreted and applied to create products and provide robust services. It is essential for organizations to have stringent information security to defend data or information systems against unauthorized or unintended access, destruction, disruption, and tampering.

Need for Information Security Policies and Guidelines

An information security policy governs information management by setting out the guiding principles and responsibilities needed to safeguard information.

Structured, well-defined and documented security policies, standards and guidelines lay the foundation for robust information systems security. Security policies are the key to securing infrastructure; they serve as a guideline and a reference point for numerous security tasks, ranging from securing applications, configuring user access controls, and defining management duties and responsibilities to assuring standardization and consistency and retaining confidential and proprietary information.

Models in Information Security

The three main models in information security include:

Confidentiality:

The assurance that information is not disclosed to individuals or systems that are not authorized to receive it. Confidentiality is the component of privacy concerned with the ability to protect data from disclosure. For example, withdrawing money from an ATM involves maintaining the confidentiality of the Personal Identification Number (PIN).

Integrity:

Refers to the ability to prevent data from being altered in an unauthorized or undesirable manner. Integrity also provides the assurance that information can’t be modified by those who are not allowed to modify it and any such modifications will not pass undetected. Maintaining integrity requires the ability to forbid undesirable changes.

Windows and Linux are good examples of modern operating systems that help in controlling integrity. These systems implement file permissions that restrict the actions an unauthorized user can perform on a given file.
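As an added illustration of that point (example code written for this article, not taken from it), the script below audits a directory for files whose Unix permission bits let users other than the owner modify them, then clears those bits so that only the owner can make changes. The directory layout, file names and contents are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that let users other than the file owner modify the file.
OTHER_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def modifiable_by_others(path):
    """True if the group or world write bit is set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & OTHER_WRITE_BITS)


def audit_tree(root):
    """Walk a directory tree and return the sorted, root-relative paths of
    files whose permissions allow non-owner users to alter them."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if modifiable_by_others(path):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def harden(path):
    """Clear the group and world write bits, keeping the owner's access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~OTHER_WRITE_BITS)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed sample tree: one world-writable config, one owner-only key.
    Returns the audit findings before and after hardening the weak file."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    weak = Path(root, "config", "app.conf")
    weak.parent.mkdir()
    weak.write_text("debug=false\n")
    os.chmod(weak, 0o666)      # any local user could rewrite this config
    strong = Path(root, "secret.key")
    strong.write_text("constructed-sample-key\n")
    os.chmod(strong, 0o600)    # owner read/write only
    before = audit_tree(root)
    harden(weak)
    after = audit_tree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("modifiable by non-owners before hardening:", before)
    print("modifiable by non-owners after hardening:", after)
```

Running the audit periodically (or from a configuration-management tool) turns the integrity guarantee the permission model offers into something that can be checked rather than assumed.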

Availability:

Availability is the readiness of data to be accessed when required. Loss of availability impairs the system's ability to provide information when requested; it can result from power loss, operating system or application failures, and Denial of Service (DoS) attacks.

Information Security Threats:

1. Cybercrime

The Internet is a hunting ground for criminals and terrorists seeking to make money, and it even has the potential to bring down an entire corporation or government through cyberattacks. Hackers are using stealthy and advanced techniques that disguise known malware from detection. The endpoint is the most lucrative and vulnerable target for attackers and requires robust protection. In addition, it is now estimated that around 70 percent of all data breaches involve malicious attacks on endpoints.

2. Privacy and Regulation

Information security and privacy regulations need to measure how organizations manage and conduct their due diligence, the safeguards in place, and the way these are realized in the workflow process. Many organizations are in the process of creating regulations to safeguard, and further govern the use of, Personally Identifiable Information (PII) that can identify, contact or locate individuals. In order to reduce regulatory sanctions and business costs, it is essential for organizations to treat privacy as both a compliance and a business risk issue.

3. Threats from Third-Party Providers

The supply chain plays a vital role in an organization's global business operations and is considered to be the backbone of today's global economy. Sharing valuable and sensitive information with suppliers or third-party providers reduces direct control over that information. In addition, sharing information can compromise its confidentiality, integrity, and availability. Even seemingly innocuous connections can turn out to be vectors for attack.

4. BYOx Trends in the Workspace

Bring-Your-Own-Everything (BYOx) is an emerging trend in organizations that allow employees to bring their own devices to work. It gives employees complete workplace access, while increasing information security risks. These risks include both internal and external threats, such as mismanagement of the device, external exploitation of software vulnerabilities, and deployment of poorly tested, unreliable business applications.

5. Engaging with People

Some organizations consider people to be their biggest threat and have made huge investments in information security awareness activities. People should be educated about their responsibilities and should cultivate security awareness.

After all, information security must be implemented in organizations in a way that integrates threat data from the various security and network products in use. It should also identify key events in order to reduce unmanaged risks and improve operational security efficiency. At all times, organizations should ensure that the information security management system is user-friendly in order to maintain a holistic approach.