Information Security Management
May 8th, 2012 | By Merrick Peiris | Category: Management

Many organizations do not realize the real value of their information assets until they face an information security disaster. Information assets stored on paper, on computers or as employee knowledge and expertise face various threats, depending on their degree of vulnerability. Damage through fire, loss, theft or acquisition by competitors can threaten the very survival of an organization.
Hospitals keep personal health records and information about patients. Insurance companies hold personal and financial information on customers. Security and legal organizations hold sensitive security related information on citizens. Multinational corporations rely on trade secrets and other trade sensitive information for competitive advantage. Subcontractors keep product design information belonging to service providers and design houses. Banks and other financial institutions keep high value asset information on their customers.
In addition to loss of information value, banking institutions are most vulnerable to fraud, theft and misappropriation, as well as to attacks from viruses and hacking. In such institutions, information becomes the most valuable asset needing protection and management.
In a number of organizations, employees’ knowledge represents a significant proportion of the corporate information base. This could take the form of operational procedures, customer relations, corporate skills and trade secrets. There are many legal and social implications relating to the value and ownership of such information.
What would be the consequences of an information disaster such as losing the main server information due to a virus or hacking, or loss of records due to fire or loss of key personnel? What would be the consequence in terms of reputation if information about a high value customer gets into the wrong hands by mistake or through fraud?
Information security as a concern should not be limited to IT related companies alone. As more and more information is stored on “soft media” and access from outside becomes easier, the vulnerability has also increased many-fold. However, since the cost of trying to eliminate risk entirely is prohibitive, organizations will have to manage risk based on the value and vulnerability of each and every identified information resource.
The internationally recognized ISMS 27000 standards focus on an organization’s ability to analyze and assess the value of its information, its vulnerability, threats and risks, in order to plan for emergencies and to mitigate the effects on business recovery and operational continuity following an event that results in loss. They also offer organizations a systematic methodology for assessing value, threats and vulnerability, so as to plan effectively and take appropriate proactive action.
Conformance to ISMS standards also gives customers and business clients of an organization confidence that information provided to it, or held by it on the client’s behalf, is kept with high integrity.
A strategic plan incorporating an ISMS would mitigate the business consequence from a possible disaster such as the threat of customer information getting into criminal hands, trade secrets getting to competitor hands or a loss of operational information due to an accidental or natural disaster. The financial consequences resulting from loss of credibility, customer confidence or direct financial loss could be catastrophic to any business organization.
Therefore, protecting such information and contingency planning become part of the organization’s management responsibilities. Gaining an internationally recognized certification of compliance should be seen as an added advantage that builds customer confidence. The prime consideration in gaining an Information Security Management certification should be the competitive advantage gained through customer confidence while protecting a valuable business asset.
Areas of information security that ISMS 27000 considers include perimeter security, offsite information access, information integrity, network security, business continuity planning and disaster recovery, among others. Such standards adopt a process approach that forms part of the overall business process, where the inputs, with adequate and necessary controls, go through a business process to form the desired output.
In today’s global economy where banks and other financial institutions rely heavily on telecommunication for global transactions, transmitting information worth billions of dollars, a loss of key equipment or a few minutes of network down time can result in heavy financial losses. Network security, redundancy and contingency planning are no longer “nice to have” features, but survival necessities.
Business continuity planning strategies vary widely from organization to organization and from application to application. For example, they could range from the provision of a fully parallel redundant system for the whole operation to the transfer of resources or operations from one location to another through network management.
As human life cannot be measured in terms of monetary value, information concerning the safety of life should also be protected accordingly. For example, a simple mix-up between patient records could literally mean the difference between life and death. Therefore, as hospitals, medical laboratories and pharmaceutical companies handle more and more records and transfer more information, the risk of disaster also increases accordingly. A simple mistake, even by a junior employee, could result in disastrous consequences, both to life and to the business operation.
Imagine an accidental fire in your home and you having to run out to save your lives, with the chance of grabbing just one item of irreplaceable value, on your way out. What would that item be? Then should you not ensure that such an item is easily accessible, yet being secure against theft?
In the question of a fire in your home, one would first think of certificates, but certificates are generally recorded. Some would think of money and jewelry, but these too are replaceable. But what about your family photograph album, a set of stored information with irreplaceable sentimental and historic value?
ISMS, or Information Security Management System, is a management system just like a Quality Management System (QMS) or an Environmental Management System (EMS), designed to protect the assets of an organization to the required level of security through the management of set procedures, controls and practices. It can therefore be part of an integrated strategy combining quality management systems and environmental management systems. Conformance to an internationally recognized Information Security Management System standard such as ISMS 27000 should thus be of paramount importance for every organization where information forms part of its tangible and intangible assets.