UNIT 1

Introduction

The purpose of information security is to protect an organization’s valuable resources, such as information, computer hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. To many, security is sometimes viewed as thwarting the business objectives of the organization by imposing poorly selected, bothersome rules and procedures on users, managers, and systems. Well-chosen security rules and procedures do not exist for their own sake; they are put in place to protect important assets and thereby support the overall business objectives. Developing an information security program that adheres to the principle of security as a business enabler is the first step in an enterprise’s effort to build an effective security program. Organizations must continually: (1) explore and assess information security risks to business operations; (2) determine what policies, standards, and controls are worth implementing to reduce these risks; (3) promote awareness and understanding among the staff; and (4) assess compliance and control effectiveness. As with other types of internal controls, this is a cycle of activity, not an exercise with a defined beginning and end. Information security professionals should have a solid understanding of the fundamentals of security and the entire range of issues the practitioner must address. We hope you will be able to take the key elements that comprise a successful information security program and implement the concepts into your own successful program.
Information Security Essentials for IT Managers: Protecting Mission-Critical Systems

Information security involves the protection of organizational assets from the disruption of business operations, modification of sensitive data, or disclosure of proprietary information. The protection of this data is usually described as maintaining the confidentiality, integrity, and availability (CIA) of the organization’s assets, operations, and information.

1. Information Security Essentials for IT Managers, Overview

Information security management as a field is ever increasing in demand and responsibility because most organizations spend increasingly larger percentages of their IT budgets in attempting to manage risk and mitigate intrusions, not to mention the trend in many enterprises of moving all IT operations to an Internet-connected infrastructure, known as enterprise cloud computing [1]. For information security managers, it is crucial to maintain a clear perspective of all the areas of business that require protection. Through collaboration with all business units, security managers must work security into the processes of all aspects of the organization, from employee training to research and development. Security is not an IT problem; it is a business problem. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Scope of Information Security Management

Information security is a business problem in the sense that the entire organization must frame and solve security problems based on its own strategic drivers, not solely on technical controls aimed to mitigate one type of attack. As identified throughout this chapter, security
1.1 Define Information Security
1.2 Define Security as a Process, Not Point Products
Information security does not guarantee the safety of your organization, your information, or your computer systems. Information security cannot, in and of itself, provide protection for your information. That being said, information security is also not a black art. There is no sorcery to implementing proper information security, and the concepts that are included in information security are not rocket science. In many ways, information security is a mindset. It is a mindset of examining the threats and vulnerabilities of your organization and managing them appropriately. Unfortunately, the history of information security is full of “silver bullets” that did nothing more than sidetrack organizations from proper risk management. Some product vendors assisted in this by claiming that their product was the solution to the security problem (whatever that might be). This module (and this book) will attempt to identify the myths about information security and show a more appropriate management strategy for organizations to follow.
1.1 Define Information Security

According to Merriam-Webster’s online dictionary (http://www.m-w.com/), information is defined as: knowledge obtained from investigation, study, or instruction; intelligence, news; facts, data; a signal or character (as in a communication system or computer) representing data; something (as a message, experimental data, or a picture) which justifies change in a construct (as a plan or theory) that represents physical or mental experience or another construct. And security is defined as: freedom from danger, safety; freedom from fear or anxiety. If we put these two definitions together, we can come up with a definition of information security:
Measures adopted to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data, or capabilities.
However, as defined, information security alone cannot guarantee protection. You could build the biggest fortress in the world and someone could just come up with a bigger battering ram. Information security is the name given to the preventative steps you take to guard your information and your capabilities. You guard these things against threats, and you guard them from the exploitation of any vulnerability.
CAUTION: If you intend to work as a security administrator, consultant, or other position where security is the primary focus of your job, be careful not to fall into the trap of promising that sensitive information will not be compromised. This is perhaps the biggest failure in security today.