Information Securityby Andy Taylor
What is information security?
The answer may at first seem obvious, but once we look closer at each word, but it’s not as simple as it looks.
What is information?
A distinction is often drawn between information and data. Usually the distinction is that data is unprocessed – the raw facts and figures gathered for some reason – whereas information is processed in some way. Perhaps, for example, information is composed of different data records (such as age, address, marital status and bank account details) relating to a particular person. For the purposes of this topic, however, no such distinction will be drawn and information will be used throughout to mean both information and data.
Arguably, the only important definition of information or data is that if either is considered valuable to the organisation in some way – for example, it is expensive to obtain or replace, you are legally required to look after it, its loss would cause serious problems or embarrassment, or it gives access to other more valuable assets, such as stock – then it is worth considering how well you protect it.
Not all information needs to be looked after as if it were the Crown Jewels. Clearly it depends very much on what it is, how it is used, where it is stored or processed and, most importantly, the risks of losing it. That valuation is very much part of the whole security question and we will address how we can determine the information’s importance later, when we consider risk and business impact assessments.
What is security?
So, if we have decided we have some information that is important and valuable, why do we need to worry about looking after it? There is a hidden question here. Clearly we are going to look after information that we feel is important to us personally or to the business on which we depend.
What we are sometimes less clear about, though, is the effect of our carelessness on other people. When, in the UK, Her Majesty’s Revenue and Customs (HMRC) apparently ‘lost’ 25 million records of British tax payers, it was not so much the damage to the HMRC’s operation (where in fact there was almost no impact at all) that hit the headlines, but more about the potential damage to the individuals listed.
This ‘third party’ effect is particularly important in Government bodies, but can have a major impact even in the private sector. Organisational reputation has grown as a critical factor of a successful business and if a commercial organisation loses its reputation (for any reason) the consequences could be disastrous. The internet and other methods of passing information rapidly around the world mean that any incident involving an established company will be heard about elsewhere very quickly. Thus, the incident gains a momentum of its own which can be devastating.
The basic principle here is that you share information as and when appropriate and not when it isn’t. ‘Need to know’ offers a quick and easy way of deciding the extent of information sharing: if you have a ‘need to know’, then you will be told – if not then you won’t.
The final judgement, though, in everything we do in connection with security, has to be the extent of our trust. Trust in individuals or groups of individuals (for example, staff) is the bottom line. The extent of our trust will dictate the degree to which we have to protect information with technological, procedural or physical security measures. If we trust our colleagues implicitly and they have similar values to our own, then we could consider not protecting information any further.
Reality suggests, though, that trust can be an ill-founded, leading to disastrous consequences. Examples of business partners walking away to make their fortune with the good idea dreamed up in the office are not infrequent, nor are they the only examples of trust being misplaced and causing problems. For example, a trusted employee chooses to leave the company and takes with them a copy of the customer contact list, after which they set about encouraging customers to move to their new company. How often is this cited as the last straw that caused a company to think again about the level of trust placed in its employees?
It is therefore essential that the correct level of trust is employed, but the problem is often how to determine that right level. Over-protecting information can be expensive and sometimes causes even more problems than not protecting it at all.
The balance between risk, cost and security must be struck, sometimes for individual records rather than across the whole organisation. It is also vital to ensure that, if we get the level of protection wrong, the consequences are manageable and managed.
Isn’t this just about computer security?
Computers are, of course, one of the main areas requiring consideration from a security point of view. They also present additional problems, such as viruses, that are not found in other forms of information storage.
But computers are not the only source of problems. The physical security of a site, for example, is also part of the information security landscape when it is considered as layered security. If large well-protected fences are placed around a factory or office block, the levels of security inside could be reduced. If, on the other hand, the physical security of a building is little more than an unmanned reception desk with an ever-open front door welcoming in potential clients and adversaries alike, then the measures taken inside must be commensurately higher.
Naturally, it would be very foolish to ignore computer security. Computers store, process, input and output vast quantities of information every day in every situation. It is this capacity to transfer information very easily that is one of the most important computer security issues. The time taken to transcribe 25 million personal records by hand makes the risk of it happening minute. In contrast, the fact that a UK government department was able to contemplate simply copying that quantity of information onto CDs with so much ease, before then losing the discs, highlights the very real issues concerning computers and their security.
Do I need a specialist?
There will, of course, be professionals who will assure you that only with their help and advice will you be able to do the job properly. That may well be the case in some circumstances, but probably only where there are serious or difficult technical problems to address. It may be the complexity or quantity of the information or its processing or storage that causes problems, or maybe there are issues around the manner in which the information is accessed. In such cases, it may well make sense to get the professional view, but in general the starting point will be with managers looking at their own organisation.
The whole information security issue is a business issue, first and foremost. The technical side of security is very much the supporting side, to be used as and when necessary. It is very important, therefore, that the initial stages of assessing the critical information, and the risks to it, are undertaken by people within the business who have a full awareness of how the organisation operates, what is critical to it and the consequent impacts of information loss or corruption.
You may need some technical help as to the best way of achieving the required degree of security, but it is far better to discuss such matters with a clear idea of your requirements. This helps to reduce the chance of being sold the highest level or complexity of technical security device when a simple lock might do.