This is a guest post by Azmat Subhani Mughal, a Telecom Engineer by profession. He has been working in Internet/network security for companies in Pakistan and the UK for the last 14 years. He is on a research panel at Microsoft, wrote FAQs on SSL for IIS and defined a technique for database remapping in Exchange server.
The world is changing every day as information technology becomes the backbone of all important institutions. The core of information technology is data, which is critical for any organization, particularly financial institutions, government organizations and defense-related organizations. For this reason, IT governance guidelines should be clearly defined by the Government.
Information-related legislation and regulation are increasingly important to all organizations. Data protection, privacy and breach regulations, computer misuse, and regulations around investigatory powers form a complex and often competing range of requirements that must be addressed.
There is, increasingly, the need for an overarching information security framework that can provide context and coherence to compliance activity worldwide. The dramatic growth and scale of the ‘information economy’ have created new, global threats and vulnerabilities for all networked organizations.
The Organization for Economic Co-operation and Development (OECD), in its Principles of Corporate Governance (1999), defined ‘corporate governance’ as ‘the system by which business corporations are directed and controlled’.
Every country in the OECD is evolving – at a different speed – its own corporate governance regime, reflecting its own culture and requirements. Within its overall approach to corporate governance, every organization has to determine how it will govern the information, information assets and information technology on which its business model and business strategy rely.
This need has led to the emergence of IT governance as a specific – and pervasively important – component of an organization’s total governance posture. We define IT governance as ‘the framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization’s information systems support and enable the achievement of its strategies and objectives’.
There are two fundamental components of effective management of risk in information and information technology. The first relates to an organization’s strategic deployment of information technology in order to achieve its business goals.
IT projects often represent significant investments of financial and managerial resources. Shareholders’ interest in the effectiveness of such deployment should be reflected in the transparency with which they are planned, managed and measured, and the way in which risks are assessed and controlled.
The second component is the way in which the risks associated with information assets themselves are managed. Clearly, well-managed information technology is a business enabler. All directors, executives and managers, at every level in any organization of any size, need to understand how to ensure that their investments in information and information technology enable the business.
Every deployment of information technology brings with it immediate risks to the organization, and therefore every executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.
Most organizations believe that their information systems are secure; the brutal reality is that they are not. Not only is it extremely difficult for an organization to operate in today’s world without effective information security, but poorly-secured organizations have become threats to their more responsible associates. The extent and value of electronic data are continuing to grow exponentially.
The exposure of businesses and individuals to data misappropriation (particularly in electronic format) or destruction is also growing very quickly. Ultimately, consumer confidence in dealing across the web depends on how secure consumers believe their personal data are.
Data security, for this reason, matters to any business with any form of web strategy (and any business without a web strategy is unlikely to be around in the long term), from simple business-to-consumer (b2c) or business-to-business (b2b) e-commerce propositions through enterprise resource planning (ERP) systems to the use of extranets, e-mail, instant messaging and Web 2.0 services.
It matters, too, to any organization that depends on computers for its day-to-day existence or that may be subject (as are all organizations) to the provisions of data protection legislation. Newspapers and business or sector magazines are full of stories about hackers, viruses, online fraud and loss of personal data. These are just the public tip of the data insecurity iceberg.
Little tends to be heard about businesses that suffer profit fluctuations through computer failure, or businesses that fail to survive a major interruption to their data and operating systems. Even less is heard about organizations whose core operations are compromised by the theft or loss of key business data, but that somehow survive it. Many people do, however, experience the frustration of trying to buy something online, only for the screen to give some variant of the message ‘server not available’.
Many more, working with computers in their daily lives, have experienced once too many times a local network failure or outage that interrupts their work. With the increasing pervasiveness of computers, and as hardware/software computing packages become ever more powerful and complex, the opportunity for data and data systems to be compromised or corrupted (knowingly or otherwise) will increase.
Information security management systems in the vast majority of organizations are, in real terms, non-existent, and even where systems have been designed and implemented, they are usually inadequate. In simple terms, larger organizations tend to operate their security functions in vertically segregated silos with little or no coordination. This structural weakness means that most organizations have significant vulnerabilities that can be exploited deliberately or that simply open them up to disaster. For instance, while the corporate lawyers will tackle all the legal issues (non-disclosure agreements, patents, contracts, etc.), they will have little involvement with the data security issues faced on the organizational perimeter.
On the organizational perimeter, those dealing with physical security concentrate almost exclusively on physical assets, such as gates or doors, security guards and burglar alarms. They have little appreciation of, or impact upon, the ‘cyber’ perimeter. The IT managers, responsible for the cyber perimeter, may be good at ensuring that everyone has a password and that there is internet connectivity, that the organization is able to respond to virus threats, and that key partners, customers and suppliers are able to deal electronically with the organization, but they almost universally lack the training, experience or exposure to adequately address the strategic threat to the information assets of the organization as a whole.
There are even organizations in which the IT managers set and implement security policy for the organization on the basis of their own risk assessment, past experiences and interests, with little regard for the real needs or strategic objectives of the organization.
Information security is a complex issue and deals with the confidentiality, integrity and availability of data. IT governance is even more complex, and in information security terms one has to think in terms of the whole enterprise, the entire organization, which includes all the possible combinations of physical and cyber assets, all the possible combinations of intranets, extranets and internets, and which might include an extended network of business partners, vendors, customers and others.
Information security is a key component of IT governance. As information technology and information itself become more and more the strategic enablers of organizational activity, so the effective management of both IT and information assets becomes a critical strategic concern for all organizations.
IT security and governance are also important in the current situation of the war against terrorism, and it is very important for organizations in Pakistan to ensure the security of their data and information systems. Often, but not always, information security is in reality seen only as an issue for the IT department, which it clearly isn’t.
Good information security management is about organizations understanding the risks and threats they face and the vulnerabilities in their current computer processing facilities. It is about putting in place common-sense procedures to minimize the risks and about educating all the employees about their responsibilities.
Most importantly, it is about ensuring that the policy on information security management has the commitment of senior management. It is only when these procedural and management issues are addressed that organizations can decide on what security technologies they need.