The Information Security Management System

Information security is now too important to be left to the IT department. This is because information security is now a business-level issue:

Iformation is the lifeblood of any business today. Anything that is of value inside the organization will be of value to someone outside it. The board is responsible for ensuring that critical information, and the technology that houses and process it, are secure.

Legislation and regulation is a governance issue. In the UK, the TurnBull Report clearly identifies the need for boards to control risk to information and information systems. Data protection, privacy, computer misuse and other regulations, different in different jurisdictions, are a boardroom issue. Banks and financial sector organizations are subject to the requirements of the Bank of International Settlements ( BIS ) and the Basle 2 framework, whici includes information and IT risk.

As the intellectual capital value of “information economy” organizations increases, their commercial viability and profitability, as well as their share, increasingly depend on the security, confidentiality and integrity of their information and information assets.

Threats and Consequences

The one area in which businesses of all sizes today enjoy a level playing field is in information security: all businesses are subject to the world-class threats, all of them are potentially betrayed by world-class software vulnerabilities and all of them are subject to an increasingly comlex set of computer and privacy related regulations around the world.

While most organizations belive that their information systems are safe, the brutal reality is that they are not. Individual hardware, software, and vendor driven solutions are not information security systems. Not only is it extremely dangerous for an organization to operate in today’s world without a systematic, strategic approach to information security, such organizations have become threats to their more responsible brethren.

The extent and value of electronic data are continuing to grow exponentially. The exposure of businesses and individuals to its misappropriation or destruction is growing equally quickly. The growth in computer and information related compliance and regulatory requirements reflects the threats associated with digital data. Directories have clear compliance responsibilities that cannot be met by saying “ The head of IT was supposed to have dealt with that”.

Ultimately, consumer confidence in dealing across the web depends on how secure people belive their personal data to be. Data security, for this reason, matters to any business with any form of web strategy, from simple business t consumer or business to business propositions through Enterprise Resource Planning ( ERP ) systems to the use of extranets and e-mail. It matters, too any organization that depends on computers for its day-to-day existence or that may be subject to the provisions of Data Protection Act. Even the freedom of Information Act which ostensibly applies only to public sector organizations, raises confidentiality issue for any business that contracts with the public sector.

Newspapers and business magazines are full of stories about hackers, viruses and online fraud. These are just the public tip of the data insecurity iceberg. Little tends to be heard about businesses that suffer profit fluctuations through computer failure, or businesses that fail to survive a major interruption to their data and operating systems. Even less is heard about organizations whose core operations are compromised by the theft or loss of key business data; usually they just disappear quietly.