Information Security has become a challenge in the modern world.Each and every organization is struggling to protect their information assets. There are many standards that help in achieving required security in organizations. ISO 27001, ISO 20000, COBIT, Sarbanes-Oxley Act are some of them. These standards provide a framework where companies could adopt and tailor it according to their needs.
Information Security is all about securing information assets. Information is an important asset that is essential to an organizations business needs. This could be in the form of printed or written paper, electronically stored or transmitted or spoken in conversation. An asset is anything tangible or intangible that has value to an organization and needs to be protected.
Confidentiality (C), Integrity (I) and Availability (A) are the main factors that determine information security. Protecting your assets from disclosure and unauthorized use, is called Confidentiality. Integrity means, ensuring authenticity accuracy, consistency and completeness of critical data. Ensuring assets are accessible and ready for use, is called Availability. Ensuring CIA is, ensuring information security.
Each and every asset has Vulnerabilities and Threats. The possibility of a threat being materialized and ending with a negative outcome is called a Risk. Each Risk needs to be assessed using the Probability and Impact of the threat, so that the Risk could be mitigated. Risk can be avoided, transferred, accepted or reduced according to the measures taken at mitigation. Risk mitigation could be done based on the Risk Assessment and according to the requirement of the organization. Risk Mitigation would bring in controls for the organization, and this would differ according to the company’s need.
Implementing a security management system for an organization is a challenging task. Especially setting people’s mindset is the most important task. This has to be done at all levels. Initially the management commitment needs to be ensured. Required awareness sessions are important to make everyone understand how the management system is going to be.
Last but not the least, the controls which create the process and procedures need to reflect the value addition to the organization, while being easy to follow. Just trying to follow what the processes of another organization will not add any value but increase weight of the processes. Therefore, it’s important to keep in mind that the processes brought in for information security adds value to the organization, while helping the employees to do their work easily and reduce the risks they face.
Have something interesting and IT related to share? email the [email protected]