Key aspects of information security

Information in electronic form, and the means to transmit and process it, are now indispensable to educational, financial, business and government institutions. The power and convenience of information technology are, however, counterbalanced by the increasingly complex legislative framework which governs its use and by the wide range of threats to the security of electronic information.

The reasons for adopting a formal policy on the security of electronic information are twofold:

1. To provide a framework for best operational practice, so that the institution is able to minimise risk and respond effectively to any security incidents which may occur;

2. To ensure that the institution complies with relevant legislation in this area.

Security breaches, often involving prominent commercial organisations, are reported periodically in the press and often generate substantial publicity. Such incidents tend to fuel the popular conception that the major threat to information security comes from hostile attacks perpetrated via the Internet. Although there is some truth in this, the picture which it paints is highly oversimplified. Electronic information is at risk for a whole variety of reasons: natural disasters, failure of man-made equipment and services, and accidental as well as malicious acts by human beings.

Since neither the systems themselves nor those who operate them can ever be totally reliable, the practical consequence is that the institution must be able to react promptly and appropriately to any security incident and restore its information systems to their normal operational state within an acceptable period of time.

In terms of general good practice, institutions must be able to rely on the three key aspects of information security:

  • Availability (knowing that the information can always be accessed)
  • Integrity (knowing that the information is accurate and up-to-date and has not been deliberately or inadvertently modified from a previously approved version)
  • Confidentiality (knowing that sensitive information can be accessed only by those authorised to do so)

On the human front, therefore, the policy must define what behaviour is and is not allowed, by whom and in what circumstances. A successful security policy will generate a high degree of consensus amongst all of those involved and should foster a positive attitude towards security in terms of its benefits to the institution and the wider community of which it forms a part.
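The integrity aspect above turns on a concrete question: has this information changed since the version that was approved? The script below is an added example, not code from the original post or from the FindProtected authors, showing the usual way to answer it: record a SHA-256 manifest of the approved files, then compare the current files against it and report anything modified, missing or added. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the approved version: relative POSIX path -> SHA-256 hex digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree with the approved manifest.

    Returns the three kinds of integrity failure separately, because each
    calls for a different response (restore, re-approve, investigate).
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "added": added,
        "ok": not (modified or missing or added),
    }


def demo() -> dict:
    """Constructed illustration: approve a tiny document set, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policy.txt").write_text("Approved policy v1\n")
        (root / "records").mkdir()
        (root / "records" / "grades.csv").write_text("alice,72\nbob,65\n")

        # The approved manifest. In practice this copy is signed or kept
        # somewhere the people who can edit the files cannot also edit it.
        approved = json.dumps(build_manifest(root), sort_keys=True)

        # Changes after approval: one edit, one deletion, one unreviewed file.
        (root / "records" / "grades.csv").write_text("alice,72\nbob,95\n")
        (root / "policy.txt").unlink()
        (root / "notes.txt").write_text("unreviewed\n")

        return verify_manifest(root, json.loads(approved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the manifest: if the approved digests sit on the same system, with the same permissions, as the files they describe, whoever can alter the files can alter the manifest too. Store it separately, or sign it, so that the manifest itself remains a "previously approved version".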

A useful concept in this context is that of a balance between privileges and responsibilities: making information and resources more freely available to members of an institution arguably places more onus on those members to behave responsibly. Some evidence is beginning to emerge that users of information systems would be willing to adhere to better security practices if they were more knowledgeable (i.e. better trained) about what good practice actually involves.

Overall, the policy must define the role that information security plays in supporting the mission and goals of the institution. Even though much of the work on information security will be devolved to middle managers and technical staff, it is important that senior management should be committed to the importance of information security and should play its full part in winning acceptance for the policy.

You can find more information on implementing security policies in educational institutions in the Developing an Information Security Policy article.

This blog is run by the authors of FindProtected.

Before developing a security policy, it is essential to analyse your computer or corporate network for valuable resources and for sensitive information that must not be disclosed. FindProtected is a security program that searches your network for password-protected files, so that you can identify protected files and relocate them if necessary.
