This Chapter deals with the Information Security issues relating to the purchase, use or maintenance of equipment through which information is processed and stored. Basic computer security policies.
Access Control is fundamental to Information Security as its function is to determine which persons or systems, are entitled to access the information concerned. Access control refers to the controls placed upon both physical access e.g. the keys to a room or building and also refers to the software controls used to restrict access to computer systems and data.
This chapter deals with Information and Document Handling. It covers a broad range of data and information handling issues, all of which are critical to the Information Security process. It also covers e-mail and access to the Internet, extranets and intranets.
Application system software involves the purchase or licence of software systems which usually purport to be both proven and inherently secure. This is often not the case and there are many Information Security risks involved in the purchase, installation, use and maintenance of application software.
Software development and maintenance can range from minor amendments to databases or output formats to complex and substantial projects for major systems development. The process of software development and maintenance should follow pre-defined procedures which take fully into account the myriad of Information Security issues involved in such activities.
Cyber Crime is defined as any criminal activity which uses network access to commit a criminal act. With the exponential growth of Internet connections, the opportunities to exploit weaknesses in Information Security are multiplying. Attacks may be internal or external, with the former being easier to perpetrate.
The frequency of headline news relating to employers' and employees' misuse and abuse of IT systems, should leave little doubt in one's mind, that compliance with an increasing amount of legislation, is no longer a passive activity.
Further, recent legislation passed in the UK potentially challenges fundamental 'rights' passed by the European Commission thus presenting a complex web of potential pit falls to both employers and employees alike.
The conclusion is that ignorance of the law will not suffice - especially in an environment where Cyber Crime is growing and any legal response to such threats must be based upon a solid foundation, not only of the legislation, but of the current state of the jurisdiction to prosecute such actions.
A seriously disruptive event can affect any businesses at any time. Whether this is the result of a fire or a flood, or even the result of extreme terrorist activity, it is vital that your organisation or business is able to continue to function. To function in these extreme circumstances requires careful planning and preparation. It has become extremely popular in recent years to prepare Business Continuity Plans to ensure survival following major catastrophes.
To discover more about Business Continuity Planning, and to download the "Business Continuity Plan Generator", visit Business Continuity World
The most important aspect of any successful Information Security process is the involvement of all of the people working for or with the organisation. These persons represent the most effective means of overcoming these Information Security threats. Information Security breaches could be accidental or possibly deliberate. Either way, the impact on the organisation could be significant. This section deals with the Personnel Management and employment issues concerning Information Security.
As business models move towards an online 'e-conomy', it is important to consider security issues before, during and after opening up your organisation's electronic 'doors'. Even for a simple Web presence, strong security is required to safeguard against unauthorised intrusion. e-Commerce faces many more threats. These fall into two main areas: threats related to the site's software components and those arising from a lack of knowledge of international legal and commercial internet trading regulations.
Information Security Awareness and Training are vital components in the battle against malicious attacks and serious accidents. RUSecure™ is designed to aid this process and is an ideal tool to develop a high level of awareness for all information users. Additional and supplementary training should also be considered as appropriate to cover highly specialised system or business areas.
Dealing with Premises Rlated Considerations
Premises which house highly sensitive information or systems require special consideration. The physical security of these premises forms a vital link in the overall security of information. This section deals with premises issues concerning Information Security.
Information Security incidents must be properly recorded, reported and investigated. This means that formal procedures need to be in place for all stages of the process.
All Information and data within your organisation should be classified to reflect its level of confidentiality or importance to the organisation or its customers. This chapter outlines the key issues concerning the classification of information.
