Institute for Advanced Professional Studies

Information Security Overview


Information has been valuable since the dawn of mankind: e.g. where to find food, how to build shelter, etc. As access to computer stored data has increased, information security has become correspondingly important. In the past, most corporate assets were "hard" or physical, such as factories, buildings, land and raw materials. Today far more assets are computer-stored information such as customer lists, proprietary formulas, marketing and sales information, and financial data. Some financial assets only exist as bits stored in various computers. Many businesses are solely based on information -- the data IS the business.

Information Security is a Process:

Information Security is very simply the process of protecting information availability, data integrity, and privacy.

No collection of products or technologies alone can solve every information security problem faced by an organization. Effective information security requires the successful integration of:

  • security products such as firewalls, intrusion detection systems, and vulnerability scanners
  • technologies such as authentication and encryption
  • security policies and procedures

Security Policies and Procedures:

An information system security policy is a well-defined and documented set of guidelines that describes how an organization manages and protects its information assets, and how it makes future decisions about its information system security infrastructure.

Security procedures document precisely how to accomplish a specific task. For example, a policy may specify that virus checking software is updated on a daily basis, and a procedure will state exactly how this is to be done -- a list of steps.

Security is Everyone's Responsibility:

Although some individuals may have "Security" in their title or may deal directly with security on a daily basis, security is everyone's responsibility. As the old saying goes, a chain is only as strong as its weakest link. A workplace may have otherwise excellent security, but if a help desk worker readily gives out or resets lost passwords, or employees let others tailgate on their opening secure doors with their keycard, security can be horribly compromised. Despite the robustness of a firewall, if a single user has hardware (e.g. a modem) or software (e.g. some file sharing software) that allows bypassing the firewall, a hacker may gain access with catastrophic results. There are examples where a single firewall, misconfigured for only a few minutes, allowed a hacker to gain entrance with disastrous results.

Security is an issue during an application's entire lifecycle. Applications must be designed to be secure, they must be developed with security issues in mind, and they must be deployed securely. Security cannot be an afterthought and be effective. System analysts, architects, and programmers must all understand the information security issues and techniques that are germane to their work. For example:

  • programmers must understand how to avoid race conditions and how to implement proper input filtering
  • system architects must understand concepts such as defense in depth and security through obscurity shortcomings.

Computer user awareness is critical, as hackers often directly target them. Users should be familiar with security policies and should know where the most recent copies can be obtained. Users must know what is expected and required of them. Typically this information should be imparted to users initially as part of the new hire process and refreshed as needed.

Information Protection Involves a Tradeoff between Security and Usability:

There is no such thing as a totally secure system -- except perhaps one that is entirely unusable by anyone!

Corporate information security's goal is to provide an appropriate level of protection, based on the value of an organization's information and its business needs. The more secure a system is, the more inconvenience legitimate users experience in accessing it.

© Copyright 2003-2015 Institute for Advanced Professional Studies (IAPS)