
Achieving Information Security

Today it is an accepted fact that information is the lifeblood of any business enterprise: an extremely valuable asset that provides the basis for routine and critical business decisions. Organizations therefore continually collect, maintain and analyze data in order to gain competitive advantage. Advances in technology have made this easier by providing the ability to collect, process, access and disseminate near-infinite amounts of data in a variety of ways. At the same time, these advances have dramatically increased the risks to the security of corporate information. Examples abound, in telecoms and other industries, of information security breaches with significant impact on an organization's financials, regulatory compliance and brand image. One particularly common example with potentially damaging results is the so-called pretexting scam, which in 2006 resulted in the resignation of Hewlett-Packard (HP) board chairperson Patricia Dunn, along with several lawsuits against the telecom service providers concerned, with attendant consequences for their brand image. In this instance, the chairperson hired private investigators to discover the source of leaks of board decisions to the media. To achieve this, the investigators simply called the telecom provider of each board member and, under one pretext or another, got helpful but security-unaware call center agents to hand over the call detail records of each board member. The called numbers were then matched against those of known members of the press, and the rest is history. Note that the control that failed here was not a technical one: the agents had no reliable procedure for verifying a caller's identity before releasing customer records.
Other examples, such as unauthorized service provisioning, prepaid balance alteration, unauthorized access to confidential information and abuse or misuse of private customer information, are rampant, and it is for this reason that information security has become a major concern for most organizations from a business risk perspective; your organization is no exception. So what exactly is information security, and how can we implement a practical governance approach for managing it? This article attempts to answer these questions and provide a practical guide for implementing information security using the ISO/IEC 27001:2005 standard for information security management. Information security management refers to the definition and use of a suitable set of controls to provide assurance of the continued attainment of the business objectives associated with an organization's information assets. These objectives traditionally refer to confidentiality (information is accessible only to those authorized to access it), integrity (the accuracy and completeness of information and of processing methods are preserved) and availability (authorized users can access information and associated assets as and when required). An additional objective, non-repudiation, emerged subsequently with the growth of e-commerce; it is the assurance that a party to a transaction or communication cannot later deny having originated or received it. Non-repudiation is achieved with digital signatures and the certificates that bind signing keys to identities, supported by trustworthy audit records; e-mail read receipts and trackers are sometimes cited for this purpose but provide no real assurance, since the recipient can disable or forge them.
In order to define and implement a suitable set of controls for achieving these objectives, one must first have a clear understanding of the scope of information security, and therein lies the primary challenge for most organizations: the erroneous belief that information security is synonymous with IT security, which limits its scope to a handful of popular IT system controls such as passwords, backups and antivirus. The reality is that the scope of information security is much broader. It includes all forms of information regardless of medium (electronic, hard copy, audio, video, etc.); the information assets (manual or electronic) used to store, process, transmit and retrieve that information; the supporting infrastructure (processes, buildings, etc.); and of course the people who ultimately access and use the information.

In light of the above, it becomes apparent that information security management must be driven at enterprise level and must have top management commitment in order to succeed. Once this commitment is obtained and communicated as policy, the next step is to clearly define roles, responsibilities and accountabilities for information security across the organization. This should include authorization and approval processes for the systems, people and infrastructure that have a direct impact on corporate information, the underlying principle being that access is approved on a need-to-know, need-to-use basis. With this structure in place, all information assets must be identified and ownership assigned for the major ones (customer databases, tariff tables, etc.), thereby creating accountability and assuring continued protection of each asset. To further ensure that each asset receives adequate protection, information and its supporting assets should be classified according to the need, priority and degree of protection required. This is best achieved with an information classification scheme that defines an appropriate set of protection levels for all information and supporting infrastructure within the organization.

These initial requirements correspond to the first three control sections of ISO/IEC 27001:2005 (Security policy, Organization of information security and Asset management). They provide the foundation for implementing a formal information security management system within the organization; the remaining eight sections of the standard, though not discussed in this article, must be built on this foundation.

To summarize, information security is of great importance to the organization, and the absence of proper governance and control in this area poses a major risk to the business that must be addressed. The probability of success depends largely on three things: top (board-level) management buy-in and support, an operational information security management framework, and effective internal communication of and awareness about information security.

Daniel Udochi CISA, CISM
