We are sometimes asked the most basic information security question of all: "What is
information security?" This can be surprisingly difficult to define. However, the
introduction to the standard itself characterizes information security as the preservation of what
is often known as CIA:
A key aspect of Information Security is to preserve the confidentiality, integrity and availability of an
organisation's information. It is only with this information that it can engage in commercial activities. Loss
of one or more of these attributes can threaten the continued existence of even the largest corporate
entities.
Confidentiality
Ensuring that information is accessible only to those authorized to have access
Assurance that information is shared only among authorised persons or organisations. Breaches of
confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality
of the information concerned. Such disclosure can take place by word of mouth, by printing, copying,
e-mailing or creating documents and other data, etc. The classification of the information should determine
its confidentiality and hence the appropriate safeguards.
Integrity
Safeguarding the accuracy and completeness of information and processing methods
Assurance that the information is authentic and complete. Ensuring that information can be relied upon to
be sufficiently accurate for its purpose. The term Integrity is used frequently when considering Information
Security, as it represents one of the primary indicators of security (or lack of it). The integrity of data is
not only whether the data is 'correct', but whether it can be trusted and relied upon. For example, making
copies (say by e-mailing a file) of a sensitive document threatens both the confidentiality and the integrity of
the information. Why? Because, by making one or more copies, the data is then at risk of change or
modification.
Availability
Ensuring that authorized users have access to information and associated assets when required.
With the exception of information that is already in the public domain, information should not be
divulged to anyone who is not authorized to access it or is not specifically authorized by the
information owner. Violations of the Information Classification Policy should result in
disciplinary proceedings against the individual.
It is also sensible to restrict the number of information classification levels in your organization
to a manageable number as having too many makes maintenance and compliance difficult. The
following five levels of classification cover most eventualities:
Top Secret:
Highly sensitive internal documents and data. For example, impending mergers or acquisitions,
investment strategies, plans or designs that could seriously damage the organization if lost or
made public. Information classified as Top Secret has very restricted distribution indeed, and
must be protected at all times. Security at this level is the highest possible.
Highly Confidential:
Information which is considered critical to the organization’s ongoing operations and could
seriously impede or disrupt them if shared internally or made public. Such information
includes accounting information, business plans, sensitive information about customers of banks
(etc.), patients' medical records, and similar highly sensitive data. Such information should not be
copied or removed from the organization’s operational control without specific authority.
Security should be very high.
Proprietary:
Procedures, project plans, operational work routines, designs and specifications that define the
way in which the organization operates. Such information is usually for proprietary use by
authorized personnel only. Security at this level is high.
Care should always be taken regarding a user's possible tendency to over-classify their own
work. It can sometimes be erroneously surmised that the classification level reflects directly
on the individual's own level of importance.
IT Security is the most important need of every organization. In particular, effective Internet
security has become an essential need for every small, medium or large enterprise that uses
information technology and other Internet-based services to perform its work easily and
effectively. Organizations' dependence on the Internet has increased the need for Internet
security implementation and network monitoring inside the organization.
After the introduction of broadband Internet, security risks have increased drastically. Nowadays
most Internet users (home users and professionals) use a broadband Internet
connection. All companies from the private and public sectors, non-government organizations,
educational institutes and financial institutions are dependent on the Internet for information
exchange. The Internet is also a major means of instant communication between two channels.
Therefore, the chances of information leaks, hacking or intrusion are greater than in earlier days due to
the increasing dependence on the Internet.
A security vulnerability in the Internet connection or intranet can result in the following major
security threats:
The threats described above are just a glimpse of the security threats caused by a weak Internet security
mechanism. Information is an asset that, like other important business assets, has value to an
organization and consequently needs to be suitably protected. Failure to implement a
proper Internet security mechanism can ultimately have a worse effect. An organization with no
Internet security policy, or a less effective one, can suffer the following ill effects:
To secure the workplace from potential Internet threats, an organization has to adopt a proper Internet
security policy, utilize the best available security tools, and practice strict monitoring measures
(both manual and automated) inside office premises. With proper planning, technical expertise
and continuous effort, an organization can restrict most of the external threats related to Internet
security.