What is information security and why is it important?

In the days when most business information was paper-based, it was generally sufficient to keep confidential information in a locked filing cabinet, employ trustworthy staff and use security personnel to monitor your premises at night and weekends.

In today’s digital world it is easy to fall into the trap of thinking that a similar approach is still good enough. But the media’s almost-daily reports of IT-related security breaches show us that it is not.

The growth in digital devices and technology (such as smartphones, tablets and the cloud) has brought major advances to how we do business. Each, however, adds new risks to the security of the information it stores and communicates, because that information now sits on more devices, in more places and in the hands of more people than a filing cabinet ever did.

Information security is concerned with:

  • confidentiality: making sure that information is available only to those who have a legitimate need or right to access it, and is not disclosed to anyone else
  • integrity: safeguarding the accuracy and completeness of information, so that it cannot be altered without authorisation, whether while stored or in transit, and a recipient can be sure that what they receive is what was sent
  • availability: ensuring that legitimate users of information, and the systems that hold it, have access to it when required

The solution

There is no shortage of technology designed to protect electronic information (anti-virus and anti-malware software, encryption, firewalls, data back-up tools, password protection and so on).

But how do you know whether it is being applied correctly and works effectively? This is as much a management issue as a technical one. For example, access to an organisation's computer systems is normally controlled by username and password. That control is worthless, however well it is implemented, if a staff member chooses a password which is easily guessed, reuses one that has already leaked from another site, or keeps a note of it on a pad next to the PC. The technology is only as strong as the policies, training and checks that surround it.

Security needs to be part of everyone’s everyday thinking, just like quality. The way to achieve this is to include information security within the scope of the organisation’s overall management system, as described on the Pondergrove main site.

The approach

An information security management system should be developed using a risk-based approach. ISO/IEC 27001 sets out the requirements for such a system; its companion standard ISO/IEC 27002, 'Code of Practice for Information Security Management', provides comprehensive guidance on the security controls required today. Identifying the organisation's information assets, the threats to them and the resulting risks enables the organisation to select which controls are applicable, how they need to be applied and which risks it is prepared to accept.

This process of risk assessment is a key component of an information security management system, and it must be repeated as the business, its technology and the threats it faces change.