Information security

The security of records and information may be necessary in some situations to comply with statutes, regulations, or contract or licensing agreements. These legal remedies serve to protect the rights of the information owners by defining the obligations of those people in possession of certain records and information. Failure of an information owner to make a reasonable effort to protect the information will not only jeopardize the secrecy of the information, but may also result in a loss of rights to protection under the law (Andress 2003). The information owner may find itself unable to prosecute violations or to collect damages from those violations. A number of laws and regulations exist that protect the rights of information owners, define information security requirements, and spell out obligations of those in the possession of others' intellectual properties. The government and other regulatory bodies, such as those governing public utilities and financial institutions, require organizations under their jurisdiction to have a disaster recovery plan, which includes protection of records from disaster. The principle of attorney-client privilege, computer security statutes, and government regulations relate to the unauthorized disclosure of information. A comprehensive records and information security program that relies on a number of security measures is necessary to further reduce information security risks (Andress 2003).

Every business has detailed procedures to handle cash, operate vehicles, and manage other assets to prevent losses and liabilities. It only makes sense to protect its information assets in a similar manner. But because it is difficult to budget for invisible benefits, the need for information security is sometimes ignored until a loss occurs. Information security is a combination of loss prevention, preparedness, and recovery measures. But today's demands and capabilities for easy access to information frequently work against security efforts. Security measures should be balanced against the need for a smooth flow of information in day-to-day duties, the relative value and sensitivity of the information, and the degree of risk involved. Common sense and good judgment are the keys to making a program manageable (Broadhurst & Grabosky 2005).

Since a business cannot reasonably secure all records, the truly valuable and sensitive ones must be identified and protected appropriately for as long as they remain sensitive and valuable. Clear and consistent policies and practices minimize information security risks. Management commitment is demonstrated through the allocation of funds and staff to security measures, a written code of business conduct, a drug-free workplace, and policy enforcement. Information security practices must be documented in case the company needs to show proof of its efforts or to file charges against violators. Information security policy should focus on the nature of the information: focusing solely on a computer information system or a particular office location will leave holes in security coverage. Information to be protected must be found in all of its various forms and in all of its numerous locations to determine how best to restrict access (Broadhurst & Grabosky 2005).

A communication gap has bedeviled relations between technologists and directors. Not speaking the same language, the two groups too often fail to understand each other's needs. The gap can only be overcome if technologists and security professionals express their concerns in business language, and board members understand that information security is not a niche activity to be left to the technologists. Unfortunately, boards have in the past regarded information security, or IT security, as a low-level technical issue. The criticality of information to contemporary enterprises has forced a change in this perception. In many companies, senior management has not demonstrated any commitment to Information Assurance (IA), and there is a tendency for senior management to see IA and information security as a technical issue to be delegated to the IT section (Anhal et al. 2001). Without management support, it is very hard for an Information Security Manager to implement effective IA strategies and measures on a company-wide basis. Operating without full board support makes it difficult to deal effectively with the different dimensions of IA, such as personnel, awareness, legal considerations and policy. To engage senior management, it is necessary to demonstrate clearly that IA is essential to the organization. IA costs money, so organizations need to understand the business benefit if they are to commit to such a program. Incentives can be either positive or negative. In general, companies will do the minimum required to comply with negative incentives; to go beyond this, an organization needs to see real business benefits in doing so (Anhal et al. 2001). Information security ensures the confidentiality, integrity and availability of data. Many information security professionals hold that accountability should also be a core principle of information security.

Information security uses various methods and management systems to protect data from illegal use. One such management system is ISO/IEC 27001.

ISO/IEC 27001 and suitability of its implementation in Hong Kong

A business has a responsibility to its stakeholders to protect itself from undue harm caused by unlawful activities. Concerns about a damaged reputation when a reported crime hits the news may go by the wayside when stockholders or others clamor to hold someone accountable for criminal actions that cause severe harm to a business, its employees or customers, or the general public. Information security policies and procedures help protect an organization from information security crimes and from crimes committed as a result of information security breaches. Documentation of those policies and practices helps preserve the right to prosecute criminal actions and to attempt to obtain restitution (Barnes & Hiles 2001). To prepare for information security violations, an organization will determine the procedures to be followed in the event of a security breach and any sanctions for violation of security procedures. When a violation occurs, an incident response team may determine what steps are necessary to minimize the damage and to prevent further violations of a similar nature. This team, which should include an investigator, a legal advisor, a computer specialist, and an auditor, should be trained in company information policy and basic investigative techniques so that it can collect and properly handle the evidence needed to file any charges or claims against the offending party (Barnes & Hiles 2001).

Information security should become a higher priority during times of organizational change, to guard against threats from disgruntled employees. An organization must pay more attention to accurate, comprehensive record-keeping in order to be prepared for the greater potential for litigation or investigation resulting from the organizational changes. A comprehensive records and information management program integrates a number of elements, not all of which typically wind up as a records manager's direct responsibilities. However, each program element must be coordinated by the records management function and integrated to achieve a value greater than the sum of its parts (Wall 2001). When one or more components break down, a company may be vulnerable to information risks in a way similar to those experienced when there is no records management program at all. There is truly no right way to manage records and information, only a smart way that fits the individual organization. The extent and formality of program development and implementation will vary from one business to another. Safeguarding valuable and sensitive information contributes to a company's overall competitive advantage and protection. There are a number of potential threats to the security of records and information that must be assessed and responded to accordingly. Corporate policies and procedures will contribute to the proper protection of a company's records and information. Market forces will generate powerful influences in furtherance of electronic crime control. Given the immense fortunes which stand to be made by those who develop secure processes for electronic commerce, they hardly need any prompting from government. In some sectors, there are ample commercial incentives which can operate in furtherance of digital crime prevention (Wall 2001).

Information security promises to become one of the growth industries of this century. Some of the new developments in information security which have begun to emerge include technologies of authentication. The simple password for access to a computer system, vulnerable to theft or determination by other means, is being complemented or succeeded altogether by biometric authentication methods such as retinal imaging and voice or fingerprint recognition (Botterman, De Spiegeleire & Van Heuven 2003). Detection of unauthorized access to or use of computer systems can be facilitated by such technologies as artificial intelligence, which can identify anomalous patterns of use according to time of day or patterns of keystrokes. Issues of objectionable content can be addressed at the individual level by blocking and filtering software, with which systems administrators can prevent employees' access to certain types of sites. Simple software can track the websites visited and the amount of time spent at each site. Internet manager software enables a systems administrator to develop a custom blocking list that denies access to pages containing certain specified keywords. Other software can develop customized access categories: when an employee clicks for a page, the software matches the user's ID with the content allowable for the assigned category, then either loads the requested page or advises the user that the request has been denied. The software logs denied requests for subsequent inspection by management. Some software packages can also measure and record the bandwidth consumed by Internet applications (Botterman, De Spiegeleire & Van Heuven 2003). The ISO/IEC 27001 standard specifies a management system that should bring information security under explicit management control. Its implementation is suitable for Hong Kong because it brings higher standards of data protection.

The implementation of ISO/IEC 27001 means that businesses in Hong Kong can be certified as complying with the standards of information security. These businesses can be audited with little difficulty. Through the ISO/IEC 27001 standard, businesses in Hong Kong have organized information control systems.
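The category-based filtering mechanism described above, as an added example in Python. This is not code from the essay or from any product it mentions; it models the described behaviour (each user is assigned an access category, a requested URL is checked against a custom keyword blocklist and the category's allowed site types, denied requests are logged for later inspection by management, and bytes transferred are recorded per user). The users, categories, site types and URLs are constructed test data, and the class and function names are hypothetical.

```python
"""Category-based web access filtering with a keyword blocklist and a denial log.

Added example, not code from the essay or from any product it mentions.
All users, categories, site types and URLs below are constructed test data.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Policy:
    """What one access category may reach (hypothetical structure)."""
    allowed_site_types: set   # site types the category may load
    blocked_keywords: set     # custom blocklist, matched against host, path and query


@dataclass
class Decision:
    """Outcome of one request; denied decisions are kept verbatim in the log."""
    user: str
    url: str
    allowed: bool
    reason: str


# Constructed access categories with hypothetical rules.
POLICIES = {
    "staff": Policy({"work", "news"}, {"gambling", "torrent"}),
    "contractor": Policy({"work"}, {"gambling", "torrent", "webmail"}),
}

# Constructed host -> site-type table, standing in for a category database.
SITE_TYPES = {
    "intranet.example.com": "work",
    "news.example.org": "news",
    "games.example.net": "games",
}

# Constructed user -> category assignments.
USERS = {"alice": "staff", "bob": "contractor"}


class AccessFilter:
    def __init__(self, users, policies, site_types):
        self.users = users
        self.policies = policies
        self.site_types = site_types
        self.denial_log = []   # denied requests, for subsequent inspection
        self.bandwidth = {}    # bytes transferred per user

    def decide(self, user, url):
        """Match the user's category against the request; deny by default."""
        category = self.users.get(user)
        if category is None:
            return self._deny(user, url, "unknown user")
        policy = self.policies[category]
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # The keyword blocklist applies to every category, so check it first.
        target = f"{host}{parsed.path}?{parsed.query}".lower()
        for keyword in sorted(policy.blocked_keywords):
            if keyword in target:
                return self._deny(user, url, f"blocked keyword '{keyword}'")
        # Unknown hosts fall into an 'uncategorised' type that no policy allows.
        site_type = self.site_types.get(host, "uncategorised")
        if site_type not in policy.allowed_site_types:
            return self._deny(user, url,
                              f"site type '{site_type}' not allowed for '{category}'")
        return Decision(user, url, True, "allowed")

    def record_transfer(self, user, nbytes):
        """Account for bandwidth consumed by a completed request."""
        self.bandwidth[user] = self.bandwidth.get(user, 0) + nbytes
        return self.bandwidth[user]

    def _deny(self, user, url, reason):
        decision = Decision(user, url, False, reason)
        self.denial_log.append(decision)
        return decision


def run_demo():
    """Run constructed requests through the filter and return it for inspection."""
    f = AccessFilter(USERS, POLICIES, SITE_TYPES)
    requests = [
        ("alice", "https://intranet.example.com/reports/q1"),
        ("alice", "https://news.example.org/today"),
        ("bob", "https://news.example.org/today"),
        ("alice", "https://intranet.example.com/files?q=torrent"),
        ("alice", "https://games.example.net/"),
        ("carol", "https://intranet.example.com/"),
    ]
    for user, url in requests:
        if f.decide(user, url).allowed:
            f.record_transfer(user, 1024)   # constructed response size
    return f


if __name__ == "__main__":
    demo = run_demo()
    for d in demo.denial_log:
        print(f"DENIED {d.user} {d.url}: {d.reason}")
    print("bandwidth:", demo.bandwidth)
```

The filter denies by default: a user without a category, a host without a site type, or any URL containing a blocked keyword is refused and the refusal is recorded with its reason, which is what makes the denial log useful for management review.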

References

Andress, A 2003, Surviving security: How to integrate people, process, and technology, Auerbach, Boca Raton, FL.

Anhal, A, Daman, S, O'Brien, K & Rathmell, A 2001, Engaging the board: Corporate governance and information assurance, Rand, Santa Monica, CA.

Barnes, P & Hiles, A (eds.) 2001, The definitive handbook of business continuity management, John Wiley & Sons, New York.

Botterman, M, De Spiegeleire, S & Van Heuven, M 2003, Managing new issues: Cyber security in an era of technological change, Rand, Santa Monica, CA.

Broadhurst, R & Grabosky, P (eds.) 2005, Cyber-crime: The challenge in Asia, Hong Kong University Press, Hong Kong.

Wall, DS (ed.) 2001, Crime and the internet, Routledge, New York.

Credit: ivythesis.typepad.com