What is information security?
23/10/2008 – 6:10 am by Lance Michalson

The term “information security” does not admit of one single definition; it is rather an umbrella concept that encompasses a number of meanings. For many, “information security” is the protection of information and information systems by providing certain critical security goals, features or capabilities. “Confidentiality”, “integrity” and “availability” are the three cornerstone goals that every information security programme attempts to achieve (see SANS 17799).
In its broadest sense, the term refers to the protection of an organisation’s intangible “information assets” from a wide range of threats. (Information is an asset which, like other important business assets, has value and needs to be suitably protected.) These “assets” include not only the information itself, but also the underlying computer hardware, software, networks and other infrastructure that supports information systems.
The term also refers to a risk-based process: identifying possible threats to information assets, determining whether those assets are vulnerable to the identified threats, and implementing appropriate and cost-effective safeguards to address those threats. Determining the threats to information assets and the degree of vulnerability is the process of risk analysis.
For some, this extends to taking reasonable steps to ensure that information security risks are spread to the organisation’s IT service providers and customers. Here organisations should have enforceable back-to-back agreements in place with their customers so that they can pass some of the liability on to those customers, to the extent permitted by law. Clearly, if they pass too much of the risk on to customers it may not be palatable from a marketing point of view, and customers may in fact stop using the product.
If an organisation outsources some of its security or IT functionality, it needs to have unambiguous contracts in place with its service provider/s which set out what is required of them and which security issues fall squarely within their area of responsibility. This is because the organisation needs to be able to take immediate recourse against the service provider if a breach occurs as a consequence of the service provider not maintaining the service it was contracted to provide.
Accordingly, there are both risk allocation and contractual issues that organisations need to be aware of, but contracts only allocate liability after the fact; it is ultimately the risk management process that management follows that will prove the most effective tool in minimising information security risk.