Introduction to Information System Security
Information and information systems need to be controlled. A key aspect of control is that an information system should be secure. This is achieved through security controls. What are these?
What is Information Security?
According to the UK Government, Information security is:
"the practice of ensuring information is only read, heard, changed, broadcast and otherwise used by people who have the right to do so" (Source: UK Online for Business)
Information systems need to be secure if they are to be reliable. Since many businesses are critically reliant on their information systems for key business processes (e.g. websites, production scheduling, transaction processing), security is a very important area for management to get right.
What can go wrong?
Data and information in any information system is at risk from:
- Human error: e.g. entering incorrect transactions; failing to spot and correct errors; processing the wrong information; accidentally deleting data
- Technical errors: e.g. hardware that fails or software that crashes during transaction processing
- Accidents and disasters: e.g. floods, fire
- Fraud: deliberate attempts to corrupt or amend previously legitimate data and information
- Commercial espionage: e.g. competitors deliberately gaining access to commercially-sensitive data (e.g. customer details; pricing and profit margin data; designs)
- Malicious damage: where an employee or other person deliberately sets out to destroy or damage data and systems (e.g. hackers, creators of viruses)
How Can Information Systems be Made More Secure?
There is no such thing as failsafe security for information systems. When designing security controls, a business needs to address the following factors:
- Prevention: What can be done to prevent security accidents, errors and breaches? Physical security controls (see more detailed revision note) are a key part of prevention techniques, as are controls designed to ensure the integrity of data (again, see more detailed revision note).
- Detection: Spotting when things have gone wrong is crucial; detection needs to happen as soon as possible, particularly if the information is commercially sensitive. Detection controls are often combined with prevention controls (e.g. a log of all attempts to gain unauthorised access to a network, which is only useful if someone or something actually reviews it).
- Deterrence: deterrence controls are about discouraging potential security breaches (e.g. visible monitoring, an acceptable-use policy with known sanctions).
- Data recovery: If something goes wrong (e.g. data is corrupted or hardware breaks down) it is important to be able to recover lost data and information, which means backups must exist and restoring from them must have been tested.
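The detection point above (a log of unauthorised access attempts) only becomes a control once something reviews the log. The following script is an added illustration, not part of the original revision note: it reads constructed sample log lines in an assumed format and raises an alert for any source address that fails to log in five or more times within one minute. The log format, the field names and the threshold are assumptions chosen for the example.

```python
"""Detection control: spot repeated unauthorised-access attempts in an access log.

Added illustration, not part of the original revision note. The log format,
field names and the threshold below are assumptions chosen for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04 LOGIN OK   user=bob   src=10.0.0.9
2024-03-01T09:00:06 LOGIN FAIL user=admin src=10.0.0.5
2024-03-01T09:00:07 LOGIN FAIL user=root  src=10.0.0.5
2024-03-01T09:00:09 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01T09:00:10 LOGIN FAIL user=carol src=10.0.0.7
2024-03-01T09:20:00 LOGIN FAIL user=carol src=10.0.0.7
2024-03-01T09:20:05 LOGIN FAIL user=carol src=10.0.0.7
2024-03-01T09:20:07 LOGIN FAIL user=carol src=10.0.0.7
2024-03-01T09:20:08 LOGIN FAIL user=carol src=10.0.0.7
"""

# Assumed line layout: "<ISO timestamp> LOGIN <OK|FAIL> user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped rather than guessed at
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source address that accumulates `threshold` or more
    failed logins inside a sliding time window of length `window`.

    Each alert reports when the burst started and ended, how many failures it
    contained and which usernames were tried (several distinct usernames from
    one address is a stronger sign of an attack than one user mistyping).
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures in window
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that fell out of the window before counting.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
                "attempts": len(q),
                "users": sorted({u for _, u in q}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {a['src']}: {a['attempts']} failed logins "
              f"{a['first_seen'].time()}-{a['last_seen'].time()} "
              f"against {', '.join(a['users'])}")
```

With the sample data, 10.0.0.5 triggers an alert (five failures in eight seconds across three usernames) while 10.0.0.7 does not: its first failure falls outside the one-minute window, leaving only four inside it. Lowering the threshold to four would flag both addresses, which is the trade-off between catching slow attempts and generating false alarms that a real deployment has to tune.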
Business benefits of good information security
Managing information security is often viewed as a headache by management. It is often perceived as adding costs to a business by focusing on "negatives", i.e. what might go wrong.
However, there are many potential business benefits from getting information system security right, for example:
- If systems are more up-to-date and secure, they are also more likely to be accurate and efficient
- Security can be used to "differentiate" a business: it helps build confidence with customers and suppliers
- Better information systems can increase the capacity of a business. For example, adding secure online ordering to a web site can boost sales by enabling customers to buy 24 hours a day, 7 days a week
- By managing risk more effectively, a business can cut down on losses and potential legal liabilities
Boston House | 214 High Street | Boston Spa | West Yorkshire | LS23 6AD | Tel +44 0844 800 0085 | Fax +44 01937 529236
Company Registration Number: 04489574 | VAT Reg No 816865400