Information Security

by Andy Taylor

An overview of information security

The basics of information security are little more than common sense. If an organisation has been operating successfully for a while, the chances are that much of what it does is already in line with good practice. It is not difficult to see where the problems might lie: if you hold personal information about staff, you probably already take proper care of it, and you are unlikely to need reminding that such information is covered by legislation, in the UK the Data Protection Act and its equivalents in other countries. Indeed, there is now a raft of legislation covering information and its proper care and maintenance. Nevertheless, much of what that legislation requires is little more than good practice written down.

The process for managing information and its security is essentially cyclic, as shown in the diagram below.

The cycle has six main steps and is a continuous process: completing it once and assuming that will be adequate is not enough. Very briefly, the steps are:

  1. Identify the information assets held by the organisation
  2. Determine the vulnerabilities, threats and hence risks to those information assets
  3. Calculate the business impact of those risks occurring, both financial and less tangible, such as damage to reputation
  4. Consider the possible options for the treatment of those risks
  5. Implement the best possible options for the treatment of those risks
  6. Monitor the information assets, risks, impacts and treatments and refresh/review as necessary.
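The six steps above are what a risk register implements in practice. The following Python is an added worked example, not code from the article: it carries one pass round the cycle over a constructed asset inventory and a handful of constructed risks. The 5-point likelihood and impact scales, the risk = likelihood x impact scoring, the four treatment options (accept, mitigate, transfer, avoid) and the appetite/tolerance thresholds are all assumptions for illustration; the article names none of them, and a real organisation would set its own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Step 1: the information assets. Constructed sample inventory for this example.
ASSETS = {
    "hr-records":     {"owner": "HR",    "personal_data": True},
    "customer-db":    {"owner": "Sales", "personal_data": True},
    "legacy-ftp":     {"owner": "IT",    "personal_data": True},
    "marketing-site": {"owner": "Comms", "personal_data": False},
}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain); assumed 5-point scale
    financial_impact: int      # 1 .. 5, the tangible loss
    reputational_impact: int   # 1 .. 5, the "less tangible" loss
    treatment: str = "untreated"
    control: Optional[str] = None
    residual_likelihood: Optional[int] = None
    residual_financial: Optional[int] = None
    review_due: Optional[date] = None

    def __post_init__(self):
        # Step 2 depends on step 1: a risk can only be raised against a known asset.
        if self.asset not in ASSETS:
            raise KeyError(f"{self.asset!r} is not in the asset inventory")

    def score(self, residual: bool = False) -> int:
        """Steps 2-3: risk = likelihood x impact, impact being the worse of the two harms."""
        likelihood, financial = self.likelihood, self.financial_impact
        if residual:
            if self.residual_likelihood is not None:
                likelihood = self.residual_likelihood
            if self.residual_financial is not None:
                financial = self.residual_financial
        return likelihood * max(financial, self.reputational_impact)


def choose_treatment(risk: Risk, appetite: int = 6, tolerance: int = 15) -> str:
    """Step 4: pick one of the four usual options. Options and thresholds are assumed."""
    score = risk.score()
    if score <= appetite:
        return "accept"      # within appetite: record it, no further action
    if score > tolerance:
        return "avoid"       # beyond what the organisation will carry: stop the activity
    if risk.financial_impact > risk.reputational_impact:
        return "transfer"    # mainly money at stake: insurance or contract
    return "mitigate"        # apply a control that lowers the likelihood


def apply_treatment(risk: Risk, control: Optional[str] = None,
                    residual_likelihood: Optional[int] = None,
                    residual_financial: Optional[int] = None,
                    today: date = date(2024, 1, 1), review_days: int = 90) -> Risk:
    """Step 5: record the treatment, the control implementing it and the next review date."""
    risk.treatment = choose_treatment(risk)
    if risk.treatment != "accept" and control is None:
        # A decision with no implemented control is not a treatment.
        raise ValueError(f"{risk.asset}/{risk.threat}: '{risk.treatment}' needs a control")
    risk.control = control
    # Residual figures are the assessor's estimate with the control in place.
    risk.residual_likelihood = risk.likelihood if residual_likelihood is None else residual_likelihood
    risk.residual_financial = risk.financial_impact if residual_financial is None else residual_financial
    risk.review_due = today + timedelta(days=review_days)
    return risk


def monitor(register: list, today: date, appetite: int = 6) -> list:
    """Step 6: flag items due for review, or still above appetite after treatment."""
    findings = []
    for r in register:
        if r.review_due is not None and r.review_due <= today:
            findings.append(f"{r.asset}/{r.threat}: review due")
        residual = r.score(residual=True)
        if residual > appetite:
            findings.append(f"{r.asset}/{r.threat}: residual risk {residual} exceeds appetite {appetite}")
    return findings


def build_register(today: date = date(2024, 1, 1)) -> list:
    """One pass round the cycle over constructed risks against the assets above."""
    hr = Risk("hr-records", "insider disclosure", "shared folder readable by all staff", 3, 2, 4)
    db = Risk("customer-db", "loss of hosting site", "single hosting location", 2, 5, 2)
    ftp = Risk("legacy-ftp", "data theft", "unsupported internet-facing service", 4, 4, 5)
    web = Risk("marketing-site", "defacement", "CMS patched ad hoc", 2, 1, 2)
    apply_treatment(hr, "restrict folder to HR group", residual_likelihood=2, today=today)
    apply_treatment(db, "business-interruption insurance", residual_financial=2, today=today)
    apply_treatment(ftp, "decommission the service", residual_likelihood=1, today=today)
    apply_treatment(web, today=today)   # within appetite: accepted, no control needed
    return [hr, db, ftp, web]


if __name__ == "__main__":
    reg = build_register()
    for r in reg:
        print(f"{r.asset:15} inherent={r.score():2} {r.treatment:9} residual={r.score(residual=True)}")
    print(monitor(reg, today=date(2024, 2, 1)))   # one item still over appetite
    print(monitor(reg, today=date(2024, 4, 1)))   # and now every item is due for review
```

Two things the run shows that the list alone does not: transferring a risk (the insurance on `customer-db`) lowers the financial impact but leaves the reputational impact untouched, so transfer only works where money is the main harm; and the `hr-records` mitigation brings the score down from 12 to 8, which is still above appetite, so the item goes round the cycle again rather than being closed.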

The next sections look at each of these steps in more detail.