An introduction to information security

by The Open University

1 Why is information security important?

This unit introduces you to information security and its management.

A succinct definition of information security might run as follows:

Information security is the collection of technologies, standards, policies and management practices that are applied to information to keep it secure.

But why is it important to secure information? And how should its security be managed? To start thinking about these questions, consider the following statements about information:

In today's high technology environment, organisations are becoming more and more dependent on their information systems. The public is increasingly concerned about the proper use of information, particularly personal data. The threats to information systems from criminals and terrorists are increasing. Many organisations will identify information as an area of their operation that needs to be protected as part of their system of internal control.

(Nigel Turnbull, 2003, p. xi)

Competitive advantage … is dependent on superior access to information.

(Robert M Grant, 2000, p. 186)

Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders.

(Ronald Reagan, 1989)

It is vital to be worried about information security because much of the value of a business is concentrated in the value of its information. Information is, as Grant says, the basis of competitive advantage. And in the not-for-profit sector, with increased public awareness of identity theft and the power of information, it is also, as Turnbull claims, the area of an organisation's operations that most needs control. Without information, neither businesses nor the not-for-profit sector could function. Valuing and protecting information are crucial tasks for the modern organisation.

If information were easy to value and protect, however, you would be able to buy off-the-shelf information security management solutions. There are three characteristics of information security that make this impossible.

  1. The collection of influences to which each organisation is exposed varies with the organisation: the information technology that it uses, its personnel, the area in which it does business, its physical location – all these have an effect on information security.

  2. Information security affects every structural and behavioural aspect of an organisation: a gap in a security fence can permit information to be stolen; a virally infected computer connected to an organisation's network can destroy information; a cup of coffee spilt on a computer keyboard can prevent access to information.

  3. Each individual that interacts with an organisation in any way – from the potential customer browsing the website, to the managing director; from the malicious hacker, to the information security manager – will make his or her own positive or negative contribution to the information security of the organisation.

Thus information security and its management need to be examined within an organisational context. To this end, a major aim of this unit is to give you the opportunity to:

Before you can investigate information security and its management within your organisation, we need to introduce you in more detail to the complexities of the topic. This is the purpose of this unit. Section 2 discusses the meaning of the terms information, information security and information security management. Section 3 looks at information security and its imperatives and incentives. Section 4 discusses information assets. Section 5 examines the planning of an information security management system. Section 6 addresses how risks to information security can be assessed and how information assets can be identified. Section 7 describes how a system for information security management can be implemented and continually improved.

Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).