Are you in control of your security?
In today's business environment, information systems enable business growth and critical operations within an organization by improving customer service, optimizing business transactions, managing logistics, and so forth. The data within these information systems is accessed by employees, contractors, vendors, and partners using multiple technologies across wide geographies. They do this not only for standard data processing, but increasingly to augment their decision-making capabilities.
It is no surprise, then, that cybercriminals have shifted their focus from physical assets to valuable information, such as trade secrets or product planning documents. As a result, organizations in the U.S., China, and India are spending close to $1 million per week on securing sensitive information hosted overseas. Evidence suggests that:
- More than 1.1 million records of New York State residents were impacted by over 400 data breaches in 2009 – (US Govt. Monitor)
- More than 342 million records containing sensitive personal information have been involved in data breaches from 2005 to 2009, according to reports by the Privacy Rights Clearinghouse – (US Govt. Monitor)
- Furthermore, additional risks come with migrating to cloud computing and with workers' heavy adoption of social computing.
Collaboration technologies and widespread access to the internet have dramatically improved employee productivity by facilitating knowledge sharing and improving response time to customers. No organization can live without this anymore, and this major productivity gain needs to be protected. So, how does an organization prevent its business interests from being undermined by internal or external forces?
What is at risk?
Security practitioners have to consider the following parameters to successfully achieve their information security goals:
- Confidentiality – Information systems must be accessible only to authorized users, with access denied to unauthorized users. The organization's security posture must also ensure that information is accessed only when needed.
- Integrity – Information integrity is the assurance that data being accessed is trustworthy and dependable. Organizations need to ensure that data has neither been tampered with, nor accidentally altered at any point in time.
- Availability – Under conditions ranging from normal operation to catastrophic security events, an organization's security systems must ensure that data continues to be available at the required level of performance. Lack of availability is loss of use.
- Auditability (Non-repudiation) – An organization must be able to ensure the traceability of every single transaction on the network and servers. In case of a dispute, it should be possible to work back through each step in the process to determine where the problem occurred and who was responsible.