All of us know what information is, how we use it and why we need it.
Wikipedia says: Information (shortened as info) is that which informs. In other words, it is the answer to a question of some kind. It is also related to data and knowledge, as data represents values attributed to parameters, and knowledge signifies understanding of real things or abstract concepts. As it regards data, the information’s existence is not necessarily coupled to an observer (it exists beyond an event horizon, for example), while in the case of knowledge, the information requires a cognitive observer.
To set the stage, let us understand a few terms.
What is an information asset for a business?
An information asset of a business is a collection or body of knowledge that is treated as a single entity and has a financial value attached to it. People in the organization can make use of the information asset in any form.
Business assets can be classified into hardware assets, software assets, service assets, information assets etc. Hardware assets are computers, switches, routers, tables, chairs or any other physical asset. Software assets are operating systems, application software, source code, documentation etc. Information assets are documentation, presentations, marketing materials etc.
Service assets are internet services, leased line services, physical security services, housekeeping services etc.
Now that information is an asset, its security becomes important.
What is information security?
Information security deals with protecting information assets from possible misuse, unauthorized modification or destruction, which may in turn affect normal business services or overall business operations.
What are the objectives of information security?
Information security deals with safeguarding the confidentiality, integrity and availability of the information assets that are essential to run normal business operations.
For example: To protect the confidentiality of the business plan and related documents, passwords on the critical systems that hold them can be used to counter misuse by the competition.
To protect the integrity of an application or its developed source code is to make sure that the application behaves the way it should and that every change to it is tracked.
To protect the availability of the servers and of the source code of the applications developed means that the information asset should be reachable from all of its access points when it is needed.
How do we achieve confidentiality, integrity and availability of information assets?
Confidentiality, integrity and availability of information assets can be achieved by applying technical controls and operational controls.
Technical controls are firewalls, disk encryption solutions, virtual private networks etc.
Operational controls are physical access control, an approval process before providing any system access, a data backup process, a background check process, internal audits etc.
Now let us look at a few information security controls that help minimize or mitigate the risks of information misuse or unauthorised access, and so keep our information systems clean and healthy.
Inventory of authorized software and hardware – It is a very good practice to have clear visibility of the authorized software and hardware in use within our office premises. This counters piracy and the legal implications that come with it. It is everyone’s responsibility to ensure that the information system is free of pirated software, illegal content and malicious software.
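The inventory control above is only useful if the list of what is authorized is regularly reconciled against what is actually found on the hosts. The following added example (not code from the original post) shows that reconciliation over a constructed baseline and a constructed discovery snapshot; the asset names, versions and host names are all made up for illustration, and the "required on every host" rule is an assumed policy.

```python
"""Reconcile discovered software/hardware against an authorized baseline.

Added example, not from the original post. All inventory data below is
constructed sample data; in practice it would come from an asset-management
tool or an agent reporting from each host.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    kind: str      # "software" or "hardware"
    name: str
    version: str
    host: str


# Constructed baseline: (kind, name, version) triples the organization has licensed/approved.
AUTHORIZED = {
    ("software", "Office Suite", "2021"),
    ("software", "Endpoint AV", "14.2"),
    ("hardware", "Laptop Model X", "rev2"),
}

# Assumed policy: software that must be present on every host.
REQUIRED_ON_EVERY_HOST = {"Endpoint AV"}

# Constructed discovery snapshot as reported by the hosts.
DISCOVERED = [
    Asset("software", "Office Suite", "2021", "ws-01"),
    Asset("software", "Endpoint AV", "14.2", "ws-01"),
    Asset("software", "Unapproved Media App", "1.0", "ws-01"),  # never approved
    Asset("software", "Endpoint AV", "13.0", "ws-02"),           # approved product, old version
    Asset("hardware", "Laptop Model X", "rev2", "ws-02"),
    Asset("hardware", "USB Wi-Fi Dongle", "n/a", "ws-02"),       # unapproved hardware
    Asset("hardware", "Laptop Model X", "rev2", "ws-03"),        # host with no AV at all
]


def reconcile(discovered, authorized=AUTHORIZED, required=REQUIRED_ON_EVERY_HOST):
    """Return {host: [finding, ...]} for everything that deviates from the baseline.

    Three classes of deviation are reported:
    - unauthorized: the (kind, name) pair is not approved at all
    - version drift: the product is approved but not at this version
    - missing required software: a host lacks something policy mandates
    """
    approved_names = {(kind, name) for kind, name, _ in authorized}
    findings = defaultdict(list)
    seen_per_host = defaultdict(set)

    for asset in discovered:
        seen_per_host[asset.host].add(asset.name)
        if (asset.kind, asset.name, asset.version) in authorized:
            continue  # exactly what we expect to see
        if (asset.kind, asset.name) in approved_names:
            findings[asset.host].append(f"version drift: {asset.name} {asset.version}")
        else:
            findings[asset.host].append(
                f"unauthorized {asset.kind}: {asset.name} {asset.version}")

    for host, names in seen_per_host.items():
        for missing in sorted(required - names):
            findings[host].append(f"missing required software: {missing}")

    return dict(findings)


if __name__ == "__main__":
    for host, items in reconcile(DISCOVERED).items():
        for item in items:
            print(f"{host}: {item}")
```

Version drift is reported separately from outright unauthorized items because it usually has a different owner (patch management rather than procurement or legal), and a host that reports no entries at all never appears in the snapshot, so an inventory process also needs a list of expected hosts to compare against.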
Hardware / software hardening – Before deploying any hardware or software on to the network, or on to the production network, it is essential to close all loose ends by hardening the system. Hardening includes keeping the system up to date with software patches, keeping the antivirus system up to date, changing all default usernames and passwords, and disabling or uninstalling all services and features that are not required. Having complex passwords for all critical systems is a good way to restrict access to those systems and make them much harder to compromise.
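The hardening items listed above are easiest to enforce as a checklist that is run against each system before it goes live. The following added example (not code from the original post) audits a constructed host profile against a constructed policy: required patch identifiers, maximum antivirus signature age, a service allowlist and a minimum password length are all assumed values, and the host snapshot is made-up sample data rather than something read from a real machine.

```python
"""Pre-deployment hardening checklist run over a constructed host profile.

Added example, not from the original post. The policy constants and the HOST
snapshot are constructed sample data; a real audit would collect the same
facts from the system itself (patch database, AV console, account store,
service manager).
"""
import string

# Constructed policy for the host's role.
REQUIRED_PATCHES = {"PATCH-2024-01", "PATCH-2024-02", "PATCH-2024-03"}
MAX_AV_SIGNATURE_AGE_DAYS = 7
ALLOWED_SERVICES = {"ssh", "https"}   # only what this role needs
MIN_PASSWORD_LENGTH = 12

# Constructed snapshot of a freshly built server, before hardening.
HOST = {
    "hostname": "web-01",
    "installed_patches": {"PATCH-2024-01", "PATCH-2024-02"},
    "av_signature_age_days": 12,
    "accounts": [
        {"user": "admin", "uses_default_credentials": True},
        {"user": "svc_web", "uses_default_credentials": False},
    ],
    "enabled_services": {"ssh", "https", "telnet", "ftp"},
}


def is_complex(password: str) -> bool:
    """Minimum length plus all four character classes.

    This is a floor for the 'complex passwords on critical systems' item,
    not a measure of strength; a breached-password check would sit beside it.
    """
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def audit(host: dict) -> list:
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []

    # 1. Up to date with software patches
    missing = REQUIRED_PATCHES - host["installed_patches"]
    if missing:
        findings.append(f"missing patches: {', '.join(sorted(missing))}")

    # 2. Up-to-date antivirus
    age = host["av_signature_age_days"]
    if age > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append(f"antivirus signatures are {age} days old")

    # 3. Default usernames/passwords changed
    for acct in host["accounts"]:
        if acct["uses_default_credentials"]:
            findings.append(f"account '{acct['user']}' still uses default credentials")

    # 4. Unneeded services disabled or uninstalled
    for svc in sorted(host["enabled_services"] - ALLOWED_SERVICES):
        findings.append(f"unneeded service enabled: {svc}")

    return findings


if __name__ == "__main__":
    for finding in audit(HOST):
        print(f"{HOST['hostname']}: {finding}")
```

Ordering the checks as in the text keeps the report readable by the person who has to fix the host; the service allowlist is per role, so a database server would carry a different `ALLOWED_SERVICES` than a web server.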
Controlled access – Need-based access to the information system. This applies to both physical access and logical access.
Periodic security assessment – Periodic information system health assessments are required; they are similar in nature to preventive health check-ups and ensure proactive assessment of information assets.
Backup & recovery – Back up all critical data and practise recovery periodically to ensure the backed-up data really works in the event of an actual system failure.
User awareness – User awareness is one of the key success factors in deploying an effective information security practice. Every employee should know their access restrictions and authority in handling information assets, and the do’s and don’ts while handling the information assets of the organization.
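The backup & recovery item above stresses that a backup only counts once a restore has been exercised. The following added example (not code from the original post) shows one way to make that drill repeatable: every backed-up file is recorded in a SHA-256 manifest, and the restore step checks each restored file against it, so silent corruption of the backup copy is caught before a real outage. Everything runs inside a temporary directory on constructed sample files; the file names and contents are made up.

```python
"""Backup with an integrity manifest, plus a restore drill that proves it works.

Added example, not from the original post. The source tree is constructed
sample data written into a temporary directory; the 'backup' is a plain
directory copy so the example runs offline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup: Path) -> dict:
    """Copy every file under source into backup and write manifest.json.

    The hash is taken from the stored copy, so the manifest describes what
    actually landed in the backup location, not just what was read.
    """
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source).as_posix()
        target = backup / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[rel] = sha256_of(target)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup: Path, restore_to: Path) -> list:
    """Restore every manifest entry into restore_to; return the files that fail verification."""
    manifest = json.loads((backup / "manifest.json").read_text())
    failed = []
    for rel, expected in manifest.items():
        src = backup / rel
        dst = restore_to / rel
        if not src.exists():
            failed.append(rel)          # file vanished from the backup set
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_of(dst) != expected:
            failed.append(rel)          # restored bytes differ from what was backed up
    return failed


def run_drill() -> dict:
    """Constructed end-to-end drill: back up, restore cleanly, then restore after the backup was corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "data"
        (source / "config").mkdir(parents=True)
        (source / "customers.csv").write_text("id,name\n1,Alice\n")
        (source / "config" / "app.ini").write_text("[db]\nhost=db-01\n")

        backup = root / "backup"
        create_backup(source, backup)
        clean = restore_and_verify(backup, root / "restore-clean")

        # Simulate bit rot or tampering of the stored copy after the backup ran.
        (backup / "customers.csv").write_text("id,name\n1,Mallory\n")
        corrupted = restore_and_verify(backup, root / "restore-corrupted")

        return {"clean_failures": clean, "corrupted_failures": corrupted}


if __name__ == "__main__":
    print(run_drill())
```

Keeping the manifest beside the data is enough to detect accidental damage; if the concern is deliberate tampering with the backup store, the manifest (or a signature over it) should be kept somewhere the backup location cannot write to.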
To conclude, while the organization will apply all possible information security controls and measures, the onus is on the individual to comply with the guidelines of information security best practice. It is every individual employee’s responsibility to ensure information security and safety.
— Contributor – Atul