TransitionSoft: Leverage Technology, Save time and money!
What is the importance of Information Security?
 
Importance of Information Security

In the era of the Internet, with information proliferating into every aspect of daily life, information security has become an ever more dominant concern. The Risk and Advisory Services division of Ernst & Young states: “the information security agenda for executives continues to evolve. Long gone are the days where a firewall and an intrusion detection system can constitute the arsenal of information security defense. The complexities of what to protect and when, overlaid with requirements of regulation and compliance, create the need for a new type of information security executive—one with business savvy, sound risk fundamentals and holistic technical understanding. These skills, coupled with a strong strategy, will be necessary for organizations to achieve their 2008 information security goals” (Richards, 2008). From this and many similar statements by experts in the field and by the think tanks that assess the importance of information security, one conclusion follows: any organization that holds information needs an information security function, with policies already in place that can be enacted quickly to mitigate the risks.

            One of the most important aspects of information security is protecting the source of the information: the data center. To secure a data center completely and adequately, both the systems housing the information and the delivery mechanisms that carry information in and out of it need to be secured. Data protection schemes and mechanisms need to be at the forefront of any security effort in order to manage and mitigate the risks of information loss, theft, or leakage. Policies and standards need to be in place so that credentials are issued only to appropriate staff, responsibility is assigned, and a proper mechanism of control is established. By some estimates, the information attackers most want to obtain is intellectual property and insider information, which circulates through a given government organization every day. It is therefore of the utmost importance that access to this privileged information be as exclusive and as well guarded as possible if security efforts are to succeed in the long run.

            Once security procedures have been established, policies and steps also need to be taken to protect the identities of the people associated with the organization. Identity information is valuable to an attacker as well, and can be used in a variety of ways, such as posing as a user with legitimate credentials, that could lead to a breach of the data center's main defenses. This secondary but equally important concern therefore needs to be addressed too. The way companies and organizations choose to do business today makes matters worse: outsourcing and offshoring seem innocent at first, but they present unique challenges for data and information security that cannot simply be denied or pushed aside, because they inevitably increase the risk to the integrity and security of the information.

            Overall, the challenge remains to assess the risks, to identify what constitutes privileged information that must be secured and protected, and to decide how to protect such data; these concerns and risks are only going to grow over time. The future is now, and the risk associated with information theft or breach cannot be underestimated or denied. While this assessment may be deemed overly cautious, there are ways to make the task easier on an organization: “According to the 10th Annual Ernst & Young Global Information Security Survey, 60 percent of respondents cited their compliance efforts as the most important activities to their organization, with over half stating that a majority of their team's time is being spent on compliance activities. Roughly 80 percent of respondents noted that tying compliance goals to their information security initiatives helped them justify and obtain resources and budgets for those initiatives. They also said that by having to address regulatory and compliance requirements, they've improved their organization's information security posture.”



Tools and Technologies

There are many tools and technologies at the disposal of agencies and organizations to protect their intellectual property and information from falling into the wrong hands. These tools and technologies fall into two main categories: security and protection of the systems that house the information, and security of the systems and devices in charge of delivering information across a given organization or across the Internet.

            Among the tools for the data center, one can cite access privileges and security policies that authenticate a given user and validate their credentials; these help keep the confidentiality, integrity, and availability of the information intact. For the delivery mechanisms, such as the network infrastructure, various encryption mechanisms and authentication schemes exist to establish a secure remote connection and send information securely. Organizations can use a variety of cryptographic methods to secure information in transit. 3DES, for example, was for many years a standard for encrypting messages; NIST has since deprecated it (SP 800-131A) in favor of AES, so new deployments should use AES, preferably in an authenticated mode such as AES-GCM, which protects the integrity of a message as well as its confidentiality.
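As an added example (not code from this page or from TransitionSoft), the following Go program shows what "sending information securely" looks like with a current primitive: it seals a constructed sample message with AES-256-GCM, which provides confidentiality and integrity in one operation, and demonstrates that a single bit flipped in transit, a truncated message, or the wrong key causes decryption to be refused outright rather than yield garbage. The key, the nonce-prefix framing of the output, and the sample text are assumptions made for the demonstration; in production the key would come from a key-management system or a key exchange such as TLS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM under a 32-byte key.
// Output layout (an assumption of this demo): nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
// A fresh random nonce per message is mandatory for GCM: reusing a nonce
// under the same key breaks both confidentiality and integrity.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error, and no plaintext at all,
// if the message is truncated, was altered in transit, or was sealed under
// a different key: the GCM tag check fails before any data is released.
func Decrypt(key, msg []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// TamperDetected flips one bit in a copy of msg just past the 12-byte nonce
// (the first ciphertext byte) and reports whether Decrypt rejects the result.
func TamperDetected(key, msg []byte) bool {
	if len(msg) < 13 {
		return false
	}
	tampered := append([]byte(nil), msg...)
	tampered[12] ^= 0x01
	_, err := Decrypt(key, tampered)
	return err != nil
}

func main() {
	// Assumption: a real deployment obtains the key from a key-management
	// system or a key exchange; here it is generated locally for the demo.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: Q3 design notes, internal only")
	sealed, err := Encrypt(key, msg)
	if err != nil {
		panic(err)
	}
	opened, err := Decrypt(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", string(opened) == string(msg))
	fmt.Printf("bit flip rejected: %v\n", TamperDetected(key, sealed))
}
```

The contrast with the article's 3DES is the tag check: 3DES in a plain mode such as CBC, without a separate MAC, would decrypt a modified ciphertext into corrupted plaintext and hand it to the application, whereas GCM refuses to return anything. That is what turns "integrity" from a policy aspiration into a property the receiving system can actually verify.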

Other authentication and verification methods also exist that further strengthen a given network, but overall the security mechanisms must be deployed at multiple levels to be successful and effective. Steps must be taken to keep the confidentiality, integrity, and availability of information intact at all times, as far as is possible.



Legal and Ethical Concerns

Legal requirements and ethical concerns do not always coincide, but they are not mutually exclusive either. A legal requirement in a given set of circumstances may also be the right or ethical thing to do. Conversely, a decision may be made to do certain things that, while legal, may not be right or fair. For example, invading employees' privacy to gain a new level of surveillance and monitoring may not be an effective security measure, because it can create an increasingly hostile working environment, which in turn promotes employee dissatisfaction and can ultimately lead to a breach of security and confidentiality.

This and many other cases of overlapping concerns have prompted security professionals and decision makers to seek best practices and proven methods of ensuring security rather than resorting to practices that promote distrust within an organization. People need to work together to ensure that security needs and requirements are met; it should be considered a team effort rather than a matter of isolated measures, each designed to meet a narrow objective.

In the end, all the best security in the world cannot be effective when an administrator or other trusted individual decides to misuse or abuse that trust, so there should be safeguards, such as access control and monitoring of privileged actions, to ensure this risk is mitigated and accounted for, because, as Bishop states: “Security is not an add-on or merely an operational concept, it is a property that must be designed and built into every system.”

What To Do

To ensure a given organization's security, three aspects need to be considered, evaluated, and implemented. To secure information, one needs to look into the software environment, the hardware infrastructure and communication mechanisms in place, and the people who have access to that information. A threat to security could come in the form of software such as viruses, Trojans, spyware, and similar programs; it could come in the form of eavesdropping on a network communication line; or it could come from people and entities posing as administrators and users with proper credentials.

            For any organization to safeguard information against such attacks, it needs control over each aspect of security, with tools ranging from configuration and monitoring tools to access rights and policies on the computers and the network infrastructure, and it must have proper security settings in place in the operating system software that runs on every device that needs to be secured. To implement a strong security policy successfully, every area that information travels to and from needs to be secured. For example, to protect the network infrastructure from attack, firewalls and network blocking and monitoring systems must be in place to keep a system from falling prey to a denial of service attack or to information theft following a breach of the network defenses.

            Critical data must be kept out of reach of most of the company's employees as much as possible, and must remain local rather than being accessible online for executives to reach from home. For other, less critical information, authentication and verification procedures must be in place to safeguard it from unauthorized use. A security professional would be able to discern which category of protection a given type of information falls into. Usually a combination of access control and monitoring mechanisms would be employed to safeguard information and ensure its proper handling.


A Meaningful Estimate

As you can see, this procedure of arriving at the estimated cost is a complex and time-consuming affair, one that draws upon years of experience and expertise in the field and demands the most attention, since it will make or break the project in the end if it is not done correctly and reasonably accurately.
Now that you know why estimating costs is difficult, let us turn to how much you should expect to spend on a professionally managed security implementation, which includes:

  1. Analysis of your requirements
  2. Professionally created plans and procedures
  3. Structuring and design
  4. Exchange of data, if applicable
  5. Training on how to manage and maintain the plan